MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs 3 YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
SHA3-384 hash: 48eb6db0ce60072a1f454d409f36b004c9c7478c77e9950228623c6c7bea04e039eb67bf3a895a77a8b1d4c6b6056f60
SHA1 hash: 509d2742295efd7085ad191124d810943e11753b
MD5 hash: 2471381651be6376c0f06c966f988875
humanhash: network-pip-november-papa
File name:2471381651BE6376C0F06C966F988875.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:3'628'848 bytes
First seen:2021-05-15 20:20:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:dPBZLpBk737eAHt6Eo+OqdXZQsKwAM/F3xs9ro+:d7LpC73vHtVo+OqRZQsKM/FKx3
Threatray 59 similar samples on MalwareBazaar
TLSH 31F53392C7054875D6910EF03D20F773946EE8A59C588B3FBEB14D8F9B178786028E9B
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://remmzp62.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://remmzp62.top/index.php https://threatfox.abuse.ch/ioc/42841/
http://mortlk06.top/index.php https://threatfox.abuse.ch/ioc/42842/
135.181.170.166:44121 https://threatfox.abuse.ch/ioc/43052/

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2471381651BE6376C0F06C966F988875.exe
Verdict:
No threats detected
Analysis date:
2021-05-15 20:23:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/901a0e07-e3ef-4cf1-984b-b706313191b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/157445/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Running batch commands
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar Xmrig
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/782854
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes to foreign memory regions
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 415250 Sample: P748jZ2XlY.exe Startdate: 15/05/2021 Architecture: WINDOWS Score: 100 190 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->190 192 Found malware configuration 2->192 194 Malicious sample detected (through community Yara rule) 2->194 196 13 other signatures 2->196 12 P748jZ2XlY.exe 19 2->12         started        process3 file4 86 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->86 dropped 88 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 12->88 dropped 90 C:\Users\user\AppData\Local\Temp\...90Act.dll, PE32 12->90 dropped 15 setup_installer.exe 16 12->15         started        process5 file6 92 C:\Users\user\AppData\...\setup_install.exe, PE32 15->92 dropped 94 C:\Users\user\AppData\Local\...\metina_8.exe, PE32 15->94 dropped 96 C:\Users\user\AppData\Local\...\metina_6.exe, PE32 15->96 dropped 98 11 other files (4 malicious) 15->98 dropped 18 setup_install.exe 1 15->18         started        process7 dnsIp8 138 estrix.xyz 172.67.165.117, 49728, 80 CLOUDFLARENETUS United States 18->138 140 127.0.0.1 unknown unknown 18->140 142 192.168.2.1 unknown unknown 18->142 222 Performs DNS queries to domains with low reputation 18->222 22 cmd.exe 18->22         started        24 cmd.exe 1 18->24         started        26 cmd.exe 1 18->26         started        28 8 other processes 18->28 signatures9 process10 process11 30 metina_8.exe 22->30         started        35 metina_1.exe 6 24->35         started        37 metina_3.exe 89 26->37         started        39 metina_2.exe 1 28->39         started        41 metina_6.exe 28->41         started        43 metina_5.exe 28->43         started        45 2 other processes 28->45 dnsIp12 156 md8.8eus.pw 101.99.90.200, 49741, 80 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 30->156 158 privacytools.xyz 45.139.187.152, 49740, 80 HostingvpsvilleruRU Russian Federation 30->158 164 11 other IPs or domains 30->164 100 C:\Users\...\uEhAqJnJucoMLCfX9rvh1JHY.exe, PE32 30->100 dropped 102 C:\Users\...\YAN0keBTS055fWNtXsBxfwIX.exe, PE32 30->102 dropped 112 15 other files (3 malicious) 30->112 dropped 170 Performs DNS queries to domains with low reputation 30->170 47 X88E1O6u7MDadF1UHBeAxGep.exe 30->47         started        50 qdizmxY2paNOA03lsETSSZWU.exe 30->50         started        53 9CVHuebk7IUsBtGbfTefLPEJ.exe 30->53         started        66 10 other processes 30->66 104 C:\Users\user\AppData\Local\...\install.dll, PE32 35->104 dropped 172 Machine Learning detection for dropped file 35->172 56 rundll32.exe 35->56         started        166 2 other IPs or domains 37->166 114 12 other files (none is malicious) 37->114 dropped 174 Detected unpacking (changes PE section rights) 37->174 176 Detected unpacking (overwrites its own PE header) 37->176 178 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 37->178 186 4 other signatures 37->186 106 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 39->106 dropped 180 Renames NTDLL to bypass HIPS 39->180 182 Checks if the current machine is a virtual machine (disk enumeration) 39->182 58 explorer.exe 39->58 injected 108 C:\Users\user\AppData\Local\...\metina_6.tmp, PE32 41->108 dropped 60 metina_6.tmp 41->60         started        160 ip-api.com 208.95.112.1, 49731, 80 TUT-ASUS United States 43->160 168 3 other IPs or domains 43->168 110 C:\Users\user\AppData\Local\Temp\haleng.exe, PE32 43->110 dropped 184 May check the online IP address of the machine 43->184 62 jfiag3g_gg.exe 43->62         started        64 jfiag3g_gg.exe 43->64         started        162 104.21.33.129 CLOUDFLARENETUS United States 45->162 116 5 other files (none is malicious) 45->116 dropped file13 signatures14 process15 dnsIp16 118 C:\Program Files (x86)\...\wangjun.exe, PE32 47->118 dropped 120 C:\Program Files (x86)\Company\...\setup.exe, PE32 47->120 dropped 122 C:\Program Files (x86)\...\md8_8eus.exe, PE32 47->122 dropped 132 4 other files (3 malicious) 47->132 dropped 198 Query firmware table information (likely to detect VMs) 50->198 200 Tries to detect sandboxes and other dynamic analysis tools (window names) 50->200 202 Hides threads from debuggers 50->202 204 Tries to detect sandboxes / dynamic malware analysis system (registry check) 50->204 144 101.36.107.74 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 53->144 124 C:\Users\...\9CVHuebk7IUsBtGbfTefLPEJ.exe, PE32 53->124 dropped 206 Drops PE files to the document folder of the user 53->206 208 Tries to harvest and steal browser information (history, passwords, etc) 53->208 210 Writes to foreign memory regions 56->210 212 Allocates memory in foreign processes 56->212 214 Creates a thread in another existing process (thread injection) 56->214 68 svchost.exe 56->68 injected 71 svchost.exe 56->71 injected 73 svchost.exe 56->73 injected 75 haleng.exe 58->75         started        146 limesfile.com 198.54.126.101, 49744, 80 NAMECHEAP-NETUS United States 60->146 126 C:\Users\user\AppData\Local\...\________.exe, PE32 60->126 dropped 134 3 other files (none is malicious) 60->134 dropped 77 ________.exe 60->77         started        148 8.209.75.180 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 66->148 150 212.86.114.14 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 66->150 128 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 66->128 dropped 130 C:\Users\user\AppData\...\adobe_caps.dll, PE32 66->130 dropped 216 Detected unpacking (changes PE section rights) 66->216 218 Detected unpacking (overwrites its own PE header) 66->218 220 Sample uses process hollowing technique 66->220 file17 signatures18 process19 dnsIp20 224 System process connects to network (likely due to code injection or exploit) 68->224 226 Sets debug register (to hijack the execution of another thread) 68->226 228 Modifies the context of a thread in another process (thread injection) 68->228 80 svchost.exe 68->80         started        84 jfiag3g_gg.exe 75->84         started        152 13.107.4.50 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 77->152 154 162.0.210.44 ACPCA Canada 77->154 signatures21 process22 dnsIp23 136 email.yg9.me 198.13.62.186 AS-CHOOPAUS United States 80->136 188 Query firmware table information (likely to detect VMs) 80->188 signatures24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1/
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-05-13 00:54:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3ennulelca5lezssu7a3ib2gid5gt4ylxmi5f24vc7wl634ypaq._file
Verdict:
malicious
Similar samples:
328c5eb8908b83c474ab4ab892ac1c2cae066f1f55dbcd15d850b54cc0f4c3cc
CryptBot
362911dc126bfc3bf0edde07ab4dcf66e79830f1da312942b1731b6f45ac9da5
CryptBot
55d33f116ca5cbd1e8bbf9151c2f457f7f045c8b00b7980cada01d20e9bd29c6
CryptBot
5f3507cbeaeda2b6fa6b1144782f45f17c274d30fba40fa1ee9b302496242265
CryptBot
630a85d082105029c1f4962acea125d2dd7da277c060ee51544f748a58d0daaf
CryptBot
757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824
CryptBot
7c7cff0a48bcfe565fb02e3a39087ce2ad56d5b1c57b229f2d0142f41b7ab191
CryptBot
8aa1689d6acacf9f2eb2603db52dc5908e1ec5d80000deec13e2e038c2883413
CryptBot
9a048c8436c448e99a3a7047781ddc5d14a323660bd69f9fd7432c316083e3b6
CryptBot
a034705c6ed17fa615435d02d6419e18ffe9a7f16f1f1c712a657aa1a0d90193
CryptBot
+ 49 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:plugx family:smokeloader family:vidar family:xmrig aspackv2 backdoor miner persistence stealer trojan upx
Link:
https://tria.ge/reports/210515-zamrp3w2je/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
XMRig Miner Payload
PlugX
SmokeLoader
Vidar
xmrig
Malware Config
C2 Extraction:
http://khaleelahmed.com/upload/
http://twvickiassociation.com/upload/
http://www20833.com/upload/
http://cocinasintonterias.com/upload/
http://masaofukunaga.com/upload/
http://gnckids.com/upload/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/157445/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-15 20:59:36 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
2) [F0002.002] Collection::Polling
3) [C0032.001] Data Micro-objective::CRC32::Checksum
4) [C0026.002] Data Micro-objective::XOR::Encode Data
7) [C0045] File System Micro-objective::Copy File
8) [C0046] File System Micro-objective::Create Directory
9) [C0048] File System Micro-objective::Delete Directory
10) [C0047] File System Micro-objective::Delete File
11) [C0049] File System Micro-objective::Get File Attributes
12) [C0051] File System Micro-objective::Read File
13) [C0050] File System Micro-objective::Set File Attributes
14) [C0052] File System Micro-objective::Writes File
15) [E1510] Impact::Clipboard Modification
16) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
17) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
18) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
19) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
20) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
21) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
22) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
23) [C0017] Process Micro-objective::Create Process
24) [C0038] Process Micro-objective::Create Thread
25) [C0018] Process Micro-objective::Terminate Process