MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs 3 YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424
SHA3-384 hash: 97291fafd5a4ac2b195a17d60c8204d035419ef5fa3a1083035e7f1c03fb6a8bd1b9b8861dd06fdb20540e8af9373840
SHA1 hash: 2e710dc3374c329f20d52efd119338adbda27b53
MD5 hash: fc1a502103dbff4e6054210d55fa670f
humanhash: undress-uranus-missouri-salami
File name:FC1A502103DBFF4E6054210D55FA670F.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:8'704 bytes
First seen:2021-05-31 03:05:23 UTC
Last seen:2021-05-31 03:48:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 192:0GWCyyKHQ4VxbWEusqbAbbP77fYFKFS1p:0LCyysQ4VxbWEunsnoYk1
Threatray 654 similar samples on MalwareBazaar
TLSH 3E02E626F7A94739CABA4B7D3CF323010770F7599853EEAF2889114F4DA7B010512BA6
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://45.140.147.99/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.140.147.99/ https://threatfox.abuse.ch/ioc/67541/
http://geobna72.top/index.php https://threatfox.abuse.ch/ioc/67613/
http://moryce07.top/index.php https://threatfox.abuse.ch/ioc/67614/

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Loader.exe
Verdict:
Malicious activity
Analysis date:
2021-05-27 23:40:26 UTC
Tags:
opendir trojan evasion loader stealer raccoon rat redline danabot
Link:
https://app.any.run/tasks/a947a512-41d8-4cf4-99a7-1caceb411fa4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163298/
Detection(s):
SecuriteInfo.com.Variant.Bulz.491164.16340.1489.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a file in the Windows subdirectories
Sending a UDP request
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Launching a process
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %AppData% directory
Modifying a system file
Creating a file in the %AppData% subdirectories
Replacing files
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Forced shutdown of a system process
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Glupteba RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794426
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Glupteba
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 426822 Sample: fBIXQq2MOg.exe Startdate: 31/05/2021 Architecture: WINDOWS Score: 100 92 email.yg9.me 2->92 128 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->128 130 Antivirus detection for URL or domain 2->130 132 Antivirus detection for dropped file 2->132 134 18 other signatures 2->134 9 fBIXQq2MOg.exe 14 19 2->9         started        14 svchost.exe 1 2->14         started        signatures3 process4 dnsIp5 94 jom.diregame.live 9->94 96 moonlabmediacompany.com 89.221.213.3, 49720, 80 WEDOSCZ Czech Republic 9->96 98 13 other IPs or domains 9->98 72 https___jom.direga...google-game.exe.exe, PE32 9->72 dropped 74 https___cdn.discor...0516_Setup2.exe.exe, PE32 9->74 dropped 76 https___cdn.discor...17556_jooyu.exe.exe, PE32 9->76 dropped 78 13 other malicious files 9->78 dropped 136 Drops PE files to the document folder of the user 9->136 138 Performs DNS queries to domains with low reputation 9->138 16 http___212.192.241.136_files_file8.exe.exe 15 3 9->16         started        20 https___cdn.discordapp.com_attachments_846372010271703082_848137134849130516_Setup2.exe.exe 9->20         started        23 http___privacytools.xyz_downloads_toolspab2.exe.exe 9->23         started        25 11 other processes 9->25 file6 signatures7 process8 dnsIp9 80 212.192.241.136, 49714, 49715, 80 RAPMSB-ASRU Russian Federation 16->80 82 41gf.gofast24.ru 217.107.34.191 RTCOMM-ASRU Russian Federation 16->82 84 33vv.magicnow24.ru 16->84 110 Writes to foreign memory regions 16->110 112 Allocates memory in foreign processes 16->112 114 Sample uses process hollowing technique 16->114 27 AddInProcess32.exe 16->27         started        31 AddInProcess32.exe 16->31         started        56 C:\Program Files (x86)\...\md8_8eus.exe, PE32 20->56 dropped 58 C:\Program Files (x86)\Company\...\lij.exe, PE32 20->58 dropped 60 C:\Program Files (x86)\Company\...\file4.exe, PE32 20->60 dropped 68 2 other files (1 malicious) 20->68 dropped 33 md8_8eus.exe 20->33         started        36 lij.exe 20->36         started        38 file4.exe 20->38         started        116 Contains functionality to inject code into remote processes 23->116 118 Injects a PE file into a foreign processes 23->118 40 http___privacytools.xyz_downloads_toolspab2.exe.exe 23->40         started        86 g-cleanpartners.in 193.233.31.133 MGNHOST-ASRU Russian Federation 25->86 88 195.93.173.160 UKRTELNETUA Ukraine 25->88 90 7 other IPs or domains 25->90 62 C:\Users\user\Documents\HT15CC~1.EXE.dll, PE32 25->62 dropped 64 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 25->64 dropped 66 C:\Users\user\AppData\Roaming\5701263.exe, PE32 25->66 dropped 70 4 other files (none is malicious) 25->70 dropped 120 Detected unpacking (changes PE section rights) 25->120 122 Detected unpacking (overwrites its own PE header) 25->122 124 Drops PE files to the document folder of the user 25->124 126 2 other signatures 25->126 42 jfiag3g_gg.exe 25->42         started        44 cmd.exe 25->44         started        46 3 other processes 25->46 file10 signatures11 process12 dnsIp13 100 195.123.221.46 ITLDC-NLUA Bulgaria 27->100 102 104.26.12.31 CLOUDFLARENETUS United States 27->102 140 Tries to harvest and steal browser information (history, passwords, etc) 27->140 142 Tries to steal Crypto Currency Wallets 27->142 104 101.36.107.74 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 33->104 106 iplogger.org 33->106 50 C:\Users\user\Documents\...\md8_8eus.exe, PE32 33->50 dropped 52 C:\Users\user\AppData\Local\...\install.dll, PE32 36->52 dropped 48 conhost.exe 36->48         started        54 C:\Users\user\AppData\Local\Temp\AE30.tmp, PE32 40->54 dropped 144 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 40->144 146 Renames NTDLL to bypass HIPS 40->146 148 Checks if the current machine is a virtual machine (disk enumeration) 40->148 150 Antivirus detection for dropped file 42->150 152 Multi AV Scanner detection for dropped file 42->152 154 Obfuscated command line found 44->154 108 87.251.71.4 RMINJINERINGRU Russian Federation 46->108 file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424/
Threat name:
ByteCode-MSIL.Spyware.Fbkatz
Create hunting rule
Status:
Malicious
First seen:
2021-05-27 19:48:29 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iggf7kmqoietnur7qps324vrdvf36bc3gpta57qj4kfka5hkyqsa._file
Verdict:
malicious
Similar samples:
0bd3a231000e408bc8eedc99d89e04f7e423bd75ab31363b17370dd0f002720f
CryptBot
0e63f296fdc309cb1e487cd1a549d029d2a9144b8a050db274901030dc6ec0f3
CryptBot
34eea6a07ea67c590471581473b4a17d5ac8214e1ec94464af43fb2ce7334808
CryptBot
3c2fa1d04daaea31991c29bb4118c3d146a50815a033ea5ae325c3171ebdf713
CryptBot
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
CryptBot
542bb14d2ceec30c45ece43b1d282076ed64872c06b86e7d9fc660b054812dfb
CryptBot
59c98f1846f03efaa1a594b76b320e3f35ecd53e9ed640bb360bdcf0a41f3c2d
CryptBot
7d2aa440d1865ca2262908dbb3102194d0fd77117b2b3ea0af9de8cc21d1e394
CryptBot
9c8057521a53904ce86837434f6ca9075fea66d1c31914db6a6b49f68649191f
CryptBot
ff4a3e44fcd1cfbbf10ac318aca7559e0c20d0563e11e8a98e21e09e97ca68d3
CryptBot
+ 644 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:danabot family:glupteba family:metasploit family:plugx family:raccoon family:redline family:smokeloader botnet:3 botnet:30_5_ruz botnet:50f8ded12c46443e43915127b1219ac2fc439bb6 botnet:servjason backdoor banker discovery dropper evasion infostealer loader persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210531-n6zyh34wtj/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Danabot
Glupteba
Glupteba Payload
MetaSploit
PlugX
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
87.251.71.4:80
184.95.51.183:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
quropaloar.xyz:80
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:hunt_skyproj_backdoor
Create hunting rule
Author:SBousseaden
Reference:https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_DanaBot
Create hunting rule
Author:ditekSHen
Description:Detects DanaBot variants
Rule name:MALWARE_Win_HyperPro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperPro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/163298/

Comments