MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d364150c09d1f0c4a9eab0144fb4754bdcfa96ad1d0bd874308e625c5958b75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cryptbot

Vendor detections: 8
SHA256 hash: 3d364150c09d1f0c4a9eab0144fb4754bdcfa96ad1d0bd874308e625c5958b75
SHA3-384 hash: b5403aa165ae573ec1e9093e19afb5f40a505b8ca110ed77a852ee04ea8421d6436f98919ae19d3da6dfd0e86a7528f1
SHA1 hash: 05d4f9b76adf28485bd8fa0b74412746b98c9d8c
MD5 hash: bcd4db4df2b58bfb92a5c7e7395abd99
humanhash: glucose-spring-mike-chicken
File name: bcd4db4df2b58bfb92a5c7e7395abd99.exe
Signature Cryptbot
File size: 1'908'631 bytes
First seen: 2021-07-17 09:47:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 524711ec9c5a149fe3bf3479d0b505b6 (3 x Cryptbot)
ssdeep 49152:pJlN6I4kYlok9rVY1ODeW/eVITGjtVszOIRD50pP6lu:pJqIbk9qE/owybMR9Nlu
Threatray 389 similar samples on MalwareBazaar
TLSH T1AF9522017B94C772C66C03FE4B64F1B622B4ADF3021788D7BB743ACA7D70E95A629185
Reporter abuse_ch
Tags: CryptBot exe

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 167
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: bcd4db4df2b58bfb92a5c7e7395abd99.exe
Verdict: Malicious activity
Analysis date: 2021-07-17 09:50:29 UTC
Tags: trojan stealer loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Cryptbot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Regsvr32 Anomaly
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph (ID 450210; sample qs3SXQ46BN.exe; start date 17/07/2021; architecture WINDOWS; score 100). Recoverable process tree from the graph:
qs3SXQ46BN.exe (registers a low level keyboard hook)
  -> cmd.exe (obfuscated command line; uses ping.exe to sleep and to check the status of other devices and networks)
     -> cmd.exe (obfuscated command line; uses ping.exe to sleep)
        -> PING.EXE (contacts 127.0.0.1)
        -> findstr.exe (drops C:\Users\user\AppData\...\Braccio.exe.com, Targa)
        -> Braccio.exe.com
           -> Braccio.exe.com (DNS lookup: vBpxrjgXBjSdUIWlNsBFghKTTMG.vBpxrjgXBjSdUIWlNsBFghKTTMG)
     -> conhost.exe
Threat name: Win32.Trojan.Crypzip
Status: Malicious
First seen: 2021-07-17 09:48:05 UTC
AV detection: 8 of 46 (17.39%)
Threat level: 5/5

Result
Malware family: cryptbot
Score: 10/10
Tags: family:cryptbot discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
CryptBot
Unpacked files
SHA256 hash:
6f1ff88a0f7944c920442b387456dff5c6807d4b8918107b08cefd0862647e75
MD5 hash:
6b7b0bdba3a93c863c9cc43100be70a5
SHA1 hash:
9772a0addc1a1dde2751c54bf4ec4da8aaa9225b
SHA256 hash:
3d364150c09d1f0c4a9eab0144fb4754bdcfa96ad1d0bd874308e625c5958b75
MD5 hash:
bcd4db4df2b58bfb92a5c7e7395abd99
SHA1 hash:
05d4f9b76adf28485bd8fa0b74412746b98c9d8c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Cryptbot
File type: Executable exe
SHA256 hash: 3d364150c09d1f0c4a9eab0144fb4754bdcfa96ad1d0bd874308e625c5958b75 (this sample)
Delivery method details: Distributed via web download