MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 449654a262bba321b2942a1d3a8e2f651144d4cf02b26aaaa396b8216ee6a67c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CryptBot


Vendor detections: 9

SHA256 hash: 449654a262bba321b2942a1d3a8e2f651144d4cf02b26aaaa396b8216ee6a67c
SHA3-384 hash: 2da3bcc431cad77c468e9f4626b81d4d9569f630928a192768649de5da4b3605b21298f605e3ea6dec6ce68564fe2788
SHA1 hash: 4d80ed32d6a7a8c84c5342a6ce162abab9b05f3a
MD5 hash: a72f7115018d6d23bf8cfbaa34f1b418
humanhash: magazine-violet-emma-zebra
File name: a72f7115018d6d23bf8cfbaa34f1b418.exe
Signature: CryptBot
File size: 364'544 bytes
First seen: 2021-06-21 05:10:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 705a372c868b933d973ca642948b7012 (4 x RedLineStealer, 2 x Stop, 2 x CryptBot)
ssdeep: 6144:6v9+Zn/M4ensYtUNL9fhkZWC1yNK/u/xyqlbWEHUFUQLbTN:k+Z/M4ensYtUNLGWC1NuUq9WSqhTN
TLSH: 4974AF10A760C035F5F712F86AB993B9A93D3AB0A734A0CF52D51AEE56346E0EC31747
Reporter: abuse_ch
Tags: CryptBot exe


abuse_ch
CryptBot C2:
http://kiykae72.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                              ThreatFox Reference
http://kiykae72.top/index.php    https://threatfox.abuse.ch/ioc/137616/
http://morgon07.top/index.php    https://threatfox.abuse.ch/ioc/137617/
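The two C2 URLs above, together with the hosts the sandbox runs further down report the sample contacting, are the network indicators a defender would sweep proxy logs for. The script below is an added example, not part of the MalwareBazaar record and not abuse.ch tooling: it parses Squid-style access.log lines, resolves the contacted host (including CONNECT tunnels, which carry host:port rather than a URL), matches it against two indicator tiers, and grades each client. The log lines embedded in it are constructed; client addresses, timestamps and the example.com line are made up, while the indicator hosts and their resolved IPs are the ones on this page. The tiering is the editor's assumption: a C2 domain alone is an alert, whereas the IP-lookup services and download hosts only become suspicious when one client touches more than one of them, since those sites are also visited legitimately.

```python
"""Sweep Squid-style proxy logs for the network indicators on this page.

Added example, not part of the MalwareBazaar record.  Log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# High-confidence indicators: the two CryptBot C2 URLs listed in the IOC table.
C2_URLS = (
    "http://kiykae72.top/index.php",
    "http://morgon07.top/index.php",
)
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}

# Hosts the sandbox runs on this page show the sample contacting.  None is a
# C2 by itself (the two IP-lookup sites are public services the malware
# abuses), so a single hit is context rather than an alert.
CONTEXT_HOSTS = {
    "nailedpizza.top": "download host seen in the sandbox run",
    "peomyn10.top": "further CryptBot domain seen in the sandbox run",
    "iplogger.org": "public IP-logging service, abused for victim IP lookup",
    "ipinfo.io": "public IP-lookup service, abused for victim IP lookup",
    "cdn.discordapp.com": "legitimate CDN hosting the DCRat stage",
}

# Squid native access.log: time elapsed client code/status bytes method URL ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<target>\S+)"
)


def host_of(method, target):
    """Contacted host for a log line; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()


def classify_host(host):
    """('c2', indicator, note), ('context', indicator, note) or None.

    A subdomain of an indicator also matches, so www.kiykae72.top hits kiykae72.top.
    """
    host = host.rstrip(".")
    for ind in C2_HOSTS:
        if host == ind or host.endswith("." + ind):
            return ("c2", ind, "CryptBot C2 domain from this record")
    for ind, note in CONTEXT_HOSTS.items():
        if host == ind or host.endswith("." + ind):
            return ("context", ind, note)
    return None


def scan_proxy_log(lines):
    """Collect indicator hits per client and grade them.

    alert:      any contact with a C2 domain
    suspicious: two or more distinct context hosts from one client (IP lookup
                followed by a download host is the pattern in the sandbox run)
    info:       a single context host
    """
    hits = {}
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue  # malformed or non-Squid line
        hit = classify_host(host_of(m["method"], m["target"]))
        if hit:
            hits.setdefault(m["client"], []).append(hit)
    verdicts = {}
    for client, client_hits in hits.items():
        kinds = {kind for kind, _, _ in client_hits}
        indicators = {ind for _, ind, _ in client_hits}
        if "c2" in kinds:
            verdicts[client] = "alert"
        elif len(indicators) >= 2:
            verdicts[client] = "suspicious"
        else:
            verdicts[client] = "info"
    return verdicts, hits


# Constructed log lines: client addresses, timestamps and the example.com line
# are made up; the indicator hosts and their resolved IPs come from this page.
SAMPLE_LOG = """\
1624252215.101    120 10.0.0.5 TCP_MISS/200 1234 POST http://kiykae72.top/index.php - HIER_DIRECT/35.237.210.194 text/html
1624252216.202     80 10.0.0.5 TCP_TUNNEL/200 5678 CONNECT iplogger.org:443 - HIER_DIRECT/88.99.66.31 -
1624252220.303    200 10.0.0.7 TCP_MISS/200 910 GET http://www.example.com/ - HIER_DIRECT/198.51.100.20 text/html
1624252230.404    150 10.0.0.9 TCP_TUNNEL/200 4321 CONNECT ipinfo.io:443 - HIER_DIRECT/198.51.100.30 -
1624252240.505     90 10.0.0.11 TCP_TUNNEL/200 2222 CONNECT ipinfo.io:443 - HIER_DIRECT/198.51.100.30 -
1624252241.606    300 10.0.0.11 TCP_MISS/200 99999 GET http://nailedpizza.top/ - HIER_DIRECT/34.86.17.174 application/octet-stream
""".splitlines()

if __name__ == "__main__":
    verdicts, hits = scan_proxy_log(SAMPLE_LOG)
    for client, verdict in sorted(verdicts.items()):
        print(client, verdict, [f"{ind} ({note})" for _, ind, note in hits[client]])
```

Run as-is it grades 10.0.0.5 as alert (C2 contact), 10.0.0.11 as suspicious (IP lookup followed by the download host) and 10.0.0.9 as info; 10.0.0.7 never appears because example.com matches nothing. Matching on the domain rather than the full URL is deliberate: CryptBot panels vary the path between builds, and the ThreatFox entries are for the domains' index.php anyway.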

Intelligence


File Origin
# of uploads: 1
# of downloads: 118
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a72f7115018d6d23bf8cfbaa34f1b418.exe
Verdict: Malicious activity
Analysis date: 2021-06-21 05:11:10 UTC
Tags: trojan loader evasion stealer rat backdoor dcrat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: Cryptbot DCRat
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains in memory code execution
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Sigma detected: Schedule system process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BatToExe compiled binary
Yara detected Cryptbot
Yara detected DCRat
Yara detected Evader
Behaviour
Behavior Graph (ID 437468; sample dhz7CHgHBx.exe; start date 21/06/2021; architecture WINDOWS; score 100). The graph export is rendered here as an indented process tree: "network" lists contacted hosts, "drops" lists files written, "signatures" lists the per-process signatures from the export.

Top-level network: ZylEhAjiTtdFkGDDlTpZL.ZylEhAjiTtdFkGDDlTpZL; ipinfo.io
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 20 other signatures

dhz7CHgHBx.exe
  network: iplogger.org 88.99.66.31:443 (HETZNER-AS, Germany); nailedpizza.top 34.86.17.174 (GOOGLE, United States); 3 other IPs or domains
  drops: C:\Users\user\AppData\...\76655373988.exe (PE32); C:\Users\user\AppData\...\70904015437.exe (PE32); C:\Users\user\AppData\...\66562839361.exe (PE32); 10 other files (6 malicious)
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); May check the online IP address of the machine
  cmd.exe
    66562839361.exe
      drops: C:\Users\user\AppData\Local\Temp\...\extd.exe (PE32)
      signatures: Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
      cmd.exe
        123.exe
          drops: C:\...\fontreviewintorefdriverHostCommon.exe (PE32)
          signatures: Machine Learning detection for dropped file
          wscript.exe
            cmd.exe
              fontreviewintorefdriverHostCommon.exe
                drops: C:\Windows\write\explorer.exe (PE32); C:\Windows\System32\wbem\...\WmiPrvSE.exe (PE32); C:\Windows\System32\dataclen\conhost.exe (PE32); 2 other malicious files
                signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Drops executables to the windows directory (C:\Windows) and starts them; Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
                RuntimeBroker.exe
                  signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard)
                schtasks.exe
                  conhost.exe
                schtasks.exe
                3 other processes
              conhost.exe
        DCRatBuild.exe
          drops: C:\winsaves\sessionnet.exe (PE32)
          wscript.exe
            cmd.exe
              sessionnet.exe
                network: 185.43.4.137:80 (THEFIRST-AS, Russian Federation)
              conhost.exe
        extd.exe
          signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard)
        4 other processes
          network: cdn.discordapp.com 162.159.129.233:443 (CLOUDFLARENET, United States); 162.159.135.233:443 (CLOUDFLARENET, United States)
          drops: C:\Users\user\AppData\...\DCRatBuild.exe (PE32); C:\Users\user\AppData\Local\Temp\...\123.exe (PE32)
    conhost.exe
      signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard)
  cmd.exe
    76655373988.exe
      network: nailedpizza.top; iplogger.org
      signatures: Detected unpacking (changes PE section rights); May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); Sample or dropped binary is a compiled AutoHotkey binary
    conhost.exe
  cmd.exe
    70904015437.exe
      network: morgon07.top 209.97.130.151:80 (DIGITALOCEAN-ASN, United States); kiykae72.top 35.237.210.194:80 (GOOGLE, United States); peomyn10.top
      drops: C:\Users\user\AppData\Local\Temp\pyxnbv.exe (PE32)
      signatures: Tries to harvest and steal browser information (history, passwords, etc)
    conhost.exe
  2 other processes
    Garbage Cleaner.exe
      network: iplogger.org
    conhost.exe
    2 other processes
explorer.exe
  signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Garbage Cleaner.exe
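The last leg of the sandbox run above is the DCRat persistence stage: executables dropped under well-known system names in directories where those names never live (C:\Windows\write\explorer.exe, C:\Windows\System32\dataclen\conhost.exe, a WmiPrvSE.exe under wbem), then registered with schtasks.exe. The script below is an added example, not part of this record and not any sandbox's or Sigma's rule set: it runs two checks over constructed Sysmon-style process-creation events (dict fields Image, CommandLine, ParentImage), flagging known binary names that start outside their home directory and schtasks /create invocations whose parent or /tr target is out of place. The dropped-file paths are the ones reported above; the dropper's own path (DROPPER) and the schtasks command line are assumptions, since the page truncates the former and does not show the latter. The table of expected directories is deliberately limited to the names involved here.

```python
"""Hunt for the DCRat persistence pattern seen in this sample's sandbox run.

Added example, not part of the MalwareBazaar record or any sandbox rule set.
Events are constructed Sysmon-style process-creation records.
"""
import ntpath
import re

# Directories where each of these Windows binaries legitimately lives (lower
# case).  Limited to the names dropped under fake paths in this sample's run;
# a production rule carries a fuller table.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "conhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "schtasks.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Locations an unprivileged user can write to; a task created from or pointing
# into one of these deserves a look even when the binary name is unknown.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Value of /tr in a schtasks command line, quoted or bare.
TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def unexpected_path(image):
    """Reason string if a well-known binary name runs outside its home directory, else None.

    The parent directory must match exactly, so C:\\Windows\\write\\explorer.exe and
    C:\\Windows\\System32\\dataclen\\conhost.exe trip it while the real binaries do not.
    """
    name = ntpath.basename(image).lower()
    parent = ntpath.dirname(image).lower()
    allowed = EXPECTED_DIRS.get(name)
    if allowed is None or parent in allowed:
        return None
    return f"{name} launched from {parent}"


def schtasks_findings(event):
    """Findings for a schtasks /create event: who registered the task and what it runs."""
    if ntpath.basename(event["Image"]).lower() != "schtasks.exe":
        return []
    cmdline = event["CommandLine"]
    if not re.search(r"/create\b", cmdline, re.I):
        return []
    findings = []
    parent = event["ParentImage"]
    reason = unexpected_path(parent)
    if reason:
        findings.append("task created by " + reason)
    elif parent.lower().startswith(USER_WRITABLE_PREFIXES):
        findings.append("task created from user-writable path " + parent)
    m = TR_RE.search(cmdline)
    if m:
        target = (m.group(1) or m.group(2)).strip()
        reason = unexpected_path(target)
        if reason:
            findings.append("task target is " + reason)
        elif target.lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append("task target in user-writable path " + target)
    return findings


def analyse(events):
    """(Image, finding) pairs for every event that trips a check."""
    out = []
    for e in events:
        reason = unexpected_path(e["Image"])
        if reason:
            out.append((e["Image"], reason))
        for f in schtasks_findings(e):
            out.append((e["Image"], f))
    return out


# Constructed events.  Dropped-file paths are those reported in the sandbox
# run on this page; the dropper's own path and the schtasks command line are
# assumptions (the page truncates the former and does not show the latter).
DROPPER = r"C:\Users\user\AppData\Local\Temp\dropper.exe"
EVENTS = [
    # Legitimate processes: must not fire.
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Fake system binaries started from where they were dropped.
    {"Image": r"C:\Windows\write\explorer.exe",
     "CommandLine": r'"C:\Windows\write\explorer.exe"', "ParentImage": DROPPER},
    {"Image": r"C:\Windows\System32\dataclen\conhost.exe",
     "CommandLine": r'"C:\Windows\System32\dataclen\conhost.exe"', "ParentImage": DROPPER},
    # Persistence: the dropper registers the fake explorer as a scheduled task.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn explorer /sc minute /mo 5 /tr "C:\Windows\write\explorer.exe" /f',
     "ParentImage": DROPPER},
]

if __name__ == "__main__":
    for image, finding in analyse(EVENTS):
        print(f"{image}: {finding}")
```

The two genuine system processes produce nothing; the two fake binaries fire on their directory, and the schtasks event fires twice, once because its parent lives in a user-writable directory and once because the task target is the fake explorer. Comparing the exact parent directory rather than a prefix is what makes C:\Windows\System32\dataclen\conhost.exe distinguishable from the real conhost.exe one level up.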
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2021-06-18 19:17:35 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:cryptbot family:dcrat family:vidar discovery infostealer rat spyware stealer upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
DCRat Payload
Vidar Stealer
CryptBot
CryptBot Payload
DcRat
Vidar
Malware Config
C2 Extraction:
kiykae72.top
morgon07.top
Unpacked files
SHA256 hash: e4f608a0e2d25ed37aa303e69c3b39236c0280914c9bf21933fc60a618fddc50
MD5 hash: 6aca72ccc351bd2719694abe3c66883f
SHA1 hash: ae3ebd16f20d9b3753690b8901a277415d4a7146

SHA256 hash: 449654a262bba321b2942a1d3a8e2f651144d4cf02b26aaaa396b8216ee6a67c
MD5 hash: a72f7115018d6d23bf8cfbaa34f1b418
SHA1 hash: 4d80ed32d6a7a8c84c5342a6ce162abab9b05f3a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
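SUSP_XORed_Mozilla fires on the user-agent prefix "Mozilla/5.0" obfuscated with a single-byte XOR key, which is what YARA's xor string modifier searches for: every key from 0x00 to 0xff is tried, in both ASCII and UTF-16LE ("wide") form. The script below is an added example, not the rule itself and not abuse.ch's or Florian Roth's code: it reimplements that search in Python, reports the recovered key, and then uses the key to decode the rest of the blob, which is the step an analyst takes once the rule has hit. The sample blob is constructed for illustration (a fake header and padding followed by a config region XORed with 0x5A that holds the user agent and the C2 URL from this page). The suspicious() rule of thumb is the editor's, not the YARA rule's text: a file is flagged only if a keyed copy exists and the plaintext string is absent, so a legitimate binary carrying the user agent in the clear does not count. Real samples may use multi-byte or per-string keys, which this single-byte search will not find.

```python
"""Single-byte XOR search for "Mozilla/5.0", the check behind SUSP_XORed_Mozilla.

Added example, not the YARA rule itself.  The sample blob is constructed.
"""

KEYWORD = b"Mozilla/5.0"
ENCODINGS = {
    "ascii": KEYWORD,
    "wide": KEYWORD.decode().encode("utf-16-le"),  # what YARA's "wide" modifier matches
}


def xor_bytes(data, key):
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored(data):
    """All (offset, key, encoding) where KEYWORD appears under a single-byte XOR.

    Key 0x00 is the plaintext string; YARA's xor modifier tries 0x00-0xff too.
    """
    hits = []
    for enc, kw in ENCODINGS.items():
        for key in range(256):
            needle = xor_bytes(kw, key)
            start = data.find(needle)
            while start >= 0:
                hits.append((start, key, enc))
                start = data.find(needle, start + 1)
    return hits


def suspicious(data):
    """Keyed hit present and plaintext absent (editor's rule of thumb, see lead-in)."""
    hits = find_xored(data)
    keyed = [h for h in hits if h[1] != 0]
    plain = [h for h in hits if h[1] == 0]
    return bool(keyed) and not plain


def recover_strings(data, key, min_len=6):
    """Decode data with the recovered key and pull printable ASCII runs, strings(1)-style."""
    out, run = [], bytearray()
    for b in xor_bytes(data, key):
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode())
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode())
    return out


# Constructed blob: a fake PE-like header and padding, then a config region
# XORed with key 0x5A holding the user agent and the C2 URL from this page.
KEY = 0x5A
PLAIN_CONFIG = b"Mozilla/5.0 (Windows NT 10.0)\x00http://kiykae72.top/index.php\x00"
SAMPLE = b"MZ\x90\x00" + b"\xff" * 16 + xor_bytes(PLAIN_CONFIG, KEY) + b"\xff" * 8

if __name__ == "__main__":
    for offset, key, enc in find_xored(SAMPLE):
        print(f"keyword at offset {offset}, key 0x{key:02x}, {enc}")
        print("decoded strings:", recover_strings(SAMPLE, key))
    print("suspicious:", suspicious(SAMPLE))
```

On the constructed blob the search finds the keyword at offset 20 under key 0x5A (ASCII), and decoding the whole buffer with that key yields the user agent and the kiykae72.top C2 URL; the header bytes decode to noise and fall below the string length threshold. The wide variant matters in practice because .NET and many Delphi samples store configuration strings as UTF-16, where every second byte of the XORed keyword equals the key itself.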

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments