MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f5f946c7dc292fa0df7814fbef62ca2a2efc6d533e0296d2a3af3751319a83b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot

Vendor detections: 15

SHA256 hash: 3f5f946c7dc292fa0df7814fbef62ca2a2efc6d533e0296d2a3af3751319a83b
SHA3-384 hash: d99f75a155b7fd714e41e25755747e8a259679473025bb7159fc028bb6a5c7010c7b8a900e265f7071b2fc9364d4a8d8
SHA1 hash: 393a0f714c015b2fc27f07386ea3c13c1b10ffa4
MD5 hash: 7b10d8a3b658dd50f2e2b0efdad7e93b
humanhash: freddie-west-sixteen-avocado
File name: 7b10d8a3b658dd50f2e2b0efdad7e93b
Signature: CryptBot
File size: 334'848 bytes
First seen: 2024-08-04 04:08:40 UTC
Last seen: 2024-08-04 04:16:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 89d186e701948ed4026afa52bc6342f0 (3 x ZharkBot, 1 x LummaStealer, 1 x CryptBot)
ssdeep: 6144:139VuBbRywQ7Jsf1910HI8N7lLFqGfHyxeHsxRyRoRRCOR/FQ+oLBCsFk1DQjGgU:139VG9WlRqG/+oLPiNr/Rv0fVIFuOZGc
Threatray: 9 similar samples on MalwareBazaar
TLSH: T1F3648D10F642D032DAB114705A3C7FB6996DAD300FA855F7B3E40D7A9E602D2A736B93
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter: zbetcheckin
Tags: 32 CryptBot exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 380
Origin country: FR

Vendor Threat Intelligence
Malware family: phorpiex
ID: 1
File name: 4363463463464363463463463.exe
Verdict: Malicious activity
Analysis date: 2024-08-03 21:31:58 UTC
Tags: loader phorpiex github hausbomber dcrat smb websocket opendir antivm stealer miner ipfs amadey botnet autoit metastealer redline upx stealc pastebin zharkbot lumma evasion deerstealer xfiles cryptbot smokeloader ssh themida reddriver api-base64 netreactor pureminer blackmoon xmrig smtp

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 96.5%
Tags: Banker Execution Infostealer Network Stealth Trojan Heur

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Setting a single autorun event
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: epmicrosoft_visual_cc fingerprint lolbin microsoft_visual_cc shell32 wscript
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Cryptbot, Vidar, Xmrig
Detection: malicious
Classification: troj.spyw.expl.evad.mine
Score: 100 / 100
Signature
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
DNS related to crypt mining pools
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Cryptbot
Yara detected Generic Downloader
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Yara detected Vidar
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 1487435, sample yLfAxBEcuo.exe, start date 04/08/2024, architecture WINDOWS, score 100. The graph image did not survive extraction; the hosts, dropped files and processes it listed are kept below.

Contacted hosts (from the graph):
  xmr-eu1.nanopool.org
  pastebin.com
  warzone-meta.net 185.216.214.218 (SERVERDISCOUNTER, DE Germany)
  github.com 140.82.121.3 (GITHUB, US United States)
  185.215.113.16 (WHOLESALECONNECTIONS, NL, Portugal)
  steamcommunity.com 104.102.49.249 (AKAMAI-AS, US United States)
  168.119.176.241 (HETZNER-AS, DE Germany)
  140.82.121.4 (GITHUB, US United States)
  pastebin.com 172.67.19.24 (CLOUDFLARENET, US United States)
  yip.su 188.114.97.3 (CLOUDFLARENET, European Union)
  141.94.23.83 (DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V., Germany)
  51.15.65.182 (Online SAS, FR France)
  tvex20pt.top 31.192.244.36 (ABSTATION, GB United Kingdom)
  plus a further 13 other IPs or domains contacted by the top-level process, and 3, 2, 3, 2 and 2 others contacted by child processes

Dropped files (from the graph):
  C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, PE32
  C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, PE32+
  C:\Users\user\AppData\Local\...\Aptitude.exe, PE32
  C:\Users\...\Aptitude.exe:Zone.Identifier, ASCII
  C:\Users\user\AppData\...\sys_updater.exe, PE32+ (dropped by several processes)
  C:\Users\user\AppData\...\7847438767[1].exe, PE32+
  C:\ProgramData\softokn3.dll, PE32
  C:\ProgramData\nss3.dll, PE32
  C:\Users\...\sJ0XcGwVTJYSRTGAbMNQglzF.exe, PE32
  C:\Users\...\gDJ2BNMSzuU54cwRx7BpXysY.exe, PE32
  C:\Users\...\g5eeC9GGYtY4tJvKQ9SJRP2v.exe, PE32
  C:\Users\...\yiiZsnwN1eVBvPVma1xsOXMn.exe, PE32
  C:\Users\...\sfFG2uyGcbeGT78AVEaU5hIL.exe, PE32
  C:\Users\...\pIAU3i45xZAvhyKZOSbIao2Q.exe, PE32
  plus 2, 5 (3 malicious), 13 and 7 other files reported as dropped by individual processes

Processes started (from the graph):
  yLfAxBEcuo.exe, Aptitude.exe, sys_updater.exe, schtasks.exe, conhost.exe
  HM3SOlbpH71yEXUIEAOeIiGX.exe, YAPNXRPmcarcR4ZDgC81Tbdk.exe, IIZS2TRqf69aZbLAX3cf3edn.exe
  MSBuild.exe, jsc.exe, AddInProcess.exe, winver.exe, JDGCFBAFBF.exe
  g35l2PjrjhSF3YHWM4er0cVl.exe, JctA1lHoEIDGHRSFHEceGNDB.exe, g5eeC9GGYtY4tJvKQ9SJRP2v.exe, WrU6SUSpwHRjGQ0qoeRZDZGP.exe
  NJCibNXE6hZyGVMrUwqs082J.exe, sfFG2uyGcbeGT78AVEaU5hIL.exe, hNQ8CU4O6lG62Wo2PAF3V54y.exe
  plus 5, 2, 3, 3 and 2 other processes started by individual parents

The signatures attached to graph nodes (Xmrig, pastebin C&C, WMI disk queries, autostart registry keys, schtasks, process injection, sandbox detection, unpacking, crypto-wallet and browser-data theft) are the same ones listed under Signature above.
Threat name: Win32.Trojan.Casdet
Status: Malicious
First seen: 2024-08-03 18:05:52 UTC
File Type: PE (Exe)
AV detection: 22 of 24 (91.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: discovery
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Unpacked files
SHA256 hash: 3f5f946c7dc292fa0df7814fbef62ca2a2efc6d533e0296d2a3af3751319a83b
MD5 hash: 7b10d8a3b658dd50f2e2b0efdad7e93b
SHA1 hash: 393a0f714c015b2fc27f07386ea3c13c1b10ffa4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  CryptBot, Executable exe, 3f5f946c7dc292fa0df7814fbef62ca2a2efc6d533e0296d2a3af3751319a83b (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings (ID: title, severity)
CHECK_AUTHENTICODE: Missing Authenticode, high
CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (HIGH_ENTROPY_VA), high

Reviews (ID: capability, evidence)
COM_BASE_API: Can Download & Execute components
  ole32.dll::CoCreateInstance
  ole32.dll::CoInitializeSecurity
SHELL_API: Manipulates System Shell
  SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API: Can Create Process and Threads
  KERNEL32.dll::CreateProcessW
  KERNEL32.dll::CreateProcessA
  KERNEL32.dll::OpenProcess
  KERNEL32.dll::VirtualAllocEx
  KERNEL32.dll::WriteProcessMemory
  KERNEL32.dll::CloseHandle
  WININET.dll::InternetCloseHandle
WIN_BASE_API: Uses Win Base API
  KERNEL32.dll::TerminateProcess
  KERNEL32.dll::LoadLibraryExW
  KERNEL32.dll::GetStartupInfoW
  KERNEL32.dll::GetCommandLineA
  KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API: Can Execute other programs
  KERNEL32.dll::WriteConsoleW
  KERNEL32.dll::ReadConsoleW
  KERNEL32.dll::SetStdHandle
  KERNEL32.dll::GetConsoleMode
  KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API: Can Create Files
  KERNEL32.dll::CopyFileA
  KERNEL32.dll::CreateDirectoryA
  KERNEL32.dll::CreateFileW
WIN_BASE_USER_API: Retrieves Account Information
  KERNEL32.dll::GetComputerNameA
  ADVAPI32.dll::GetUserNameA
WIN_REG_API: Can Manipulate Windows Registry
  ADVAPI32.dll::RegOpenKeyExA
  ADVAPI32.dll::RegQueryValueExA
  ADVAPI32.dll::RegSetValueExA

Comments

zbet commented on 2024-08-04 04:08:41 UTC

url: hxxp://185.215.113.16/inc/2.exe