MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5049169b6ddfd46c25ef01b29a760453ac36534b7e033364a297be7efeaa6fc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CryptBot


Vendor detections: 9



SHA256 hash: 5049169b6ddfd46c25ef01b29a760453ac36534b7e033364a297be7efeaa6fc8
SHA3-384 hash: e591b8a7ee4b25d81c9c09c03a4b62cd19e1aec09d2347d521383538ac80536d9b86edc23b7c2d3af3c9f8403c59e57a
SHA1 hash: 08dfa30ef726c80d85e4d803b348a418cf0cadc1
MD5 hash: b5f49db3a9a421773d2eeade6f52bb33
humanhash: north-seven-oscar-apart
File name: b5f49db3a9a421773d2eeade6f52bb33
Signature CryptBot
File size: 260'608 bytes
First seen: 2021-08-16 07:11:23 UTC
Last seen: 2021-08-16 09:51:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash bbd46beeb3d66413f1019ab26c173363 (1 x CryptBot, 1 x Smoke Loader)
ssdeep 6144:vRLAO5dsfvu4FmAejqCHa/RVSV2RVn+Jc/m/:vREO5r4kAEqJ5VSV2RP
TLSH T1E244E01C768F8072C38335344473DBAC4A79AF52EB63867B1B542A1E5F30EF1857628A
dhash icon 96f1ec9cf4dcf9a6 (1 x CryptBot)
Reporter zbetcheckin
Tags: 32 CryptBot exe

Intelligence


File Origin
# of uploads:
4
# of downloads:
148
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://crackdev.com/windows-10-activator-full-product-key/
Verdict:
Malicious activity
Analysis date:
2021-08-16 05:34:51 UTC
Tags:
trojan evasion stealer vidar loader rat redline opendir raccoon phishing danabot

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware

Behaviour
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a custom TCP request
Reading critical registry keys
Delayed reading of the file
Using the Windows Management Instrumentation requests
Searching for the window
Creating a window
Sending a UDP request
Sending an HTTP POST request
Stealing user critical data
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Behavior Graph ID: 465773
Sample: c9kC2vzMpL
Start date: 16/08/2021
Architecture: WINDOWS
Score: 100
Signatures on the sample: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 4 other signatures
Process tree (hosts contacted, files dropped, signatures per process):
  c9kC2vzMpL.exe (started)
    contacts: frekodi.top; damquf09.top 45.130.151.145 (ports 49767, 49768, 49774; MARKTELRU, Russian Federation); 3 other IPs or domains
    drops: C:\Users\user\AppData\...\64508982956.exe (PE32); C:\Users\user\AppData\...\22933072336.exe (PE32); C:\Users\user\AppData\Local\...\null[1] (PE32); 3 other files (2 malicious)
    signature: May check the online IP address of the machine
    cmd.exe (started)
      22933072336.exe (started)
        contacts: iplogger.org 88.99.66.31 (port 443; ports 49770, 49771; HETZNER-ASDE, Germany)
        signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); May check the online IP address of the machine
      conhost.exe (started)
    cmd.exe (started)
      64508982956.exe (started)
        contacts: 192.168.2.1 (unknown)
        signature: Tries to harvest and steal browser information (history, passwords, etc)
      conhost.exe (started)
    WerFault.exe (started)
      drops: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
    7 other processes (started)
      drop: C:\ProgramData\Microsoft\...\Report.wer (Little-endian, 3 files); 4 other malicious files
Threat name:
Win32.Trojan.Azorult
Status:
Malicious
First seen:
2021-08-15 17:32:23 UTC
AV detection:
31 of 47 (65.96%)
Threat level:
5/5
Result
Malware family:
cryptbot
Score:
10/10
Tags:
family:cryptbot discovery spyware stealer
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Suspicious use of NtCreateProcessExOtherParentProcess
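The two sandbox behaviour lists above (a dropped PE launched through cmd.exe, taskkill used to kill processes, the sample deleting itself) translate directly into host-based detection logic. The following Python is an added example, not code from MalwareBazaar or either sandbox vendor: it walks a small set of constructed Sysmon-style events (the shape of Event ID 1 process creation and Event ID 11 file creation, reduced to a dict per event) and raises an alert for each of those three behaviours. The PIDs, timestamps and command lines are assumptions made for the example; the process and dropped-file names follow the behaviour graph on this page.

```python
"""Flag three CryptBot-style behaviours in process/file creation telemetry:
a freshly dropped PE executed from a user-writable directory, taskkill spawned
from cmd.exe, and cmd.exe deleting the binary of its own parent (self-deletion)."""
import re

# Constructed events modelled on this page's behaviour lists; not real telemetry.
# pid 100 is the sample, pids 101-104 its cmd.exe/dropped-EXE/taskkill chain,
# pids 200-201 benign activity that must not fire.
EVENTS = [
    {"t": 10, "type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Users\user\Desktop\c9kC2vzMpL.exe", "cmdline": "c9kC2vzMpL.exe"},
    {"t": 11, "type": "file", "pid": 100,
     "path": r"C:\Users\user\AppData\Local\Temp\22933072336.exe"},
    {"t": 12, "type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\22933072336.exe"'},
    {"t": 13, "type": "process", "pid": 102, "ppid": 101,
     "image": r"C:\Users\user\AppData\Local\Temp\22933072336.exe", "cmdline": "22933072336.exe"},
    {"t": 40, "type": "process", "pid": 103, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c taskkill /im c9kC2vzMpL.exe /f & del "C:\Users\user\Desktop\c9kC2vzMpL.exe"'},
    {"t": 41, "type": "process", "pid": 104, "ppid": 103,
     "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /im c9kC2vzMpL.exe /f"},
    {"t": 50, "type": "process", "pid": 200, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"t": 51, "type": "process", "pid": 201, "ppid": 200,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Directories a stealer typically drops into; matches the AppData paths in the graph.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.I)


def detect(events, drop_window=60):
    """Return [(rule, pid, detail)] alerts, in event-time order."""
    alerts = []
    created = {}   # lower-cased path -> time it was written
    procs = {}     # pid -> process-creation event, used to find the parent image
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "file":
            created[ev["path"].lower()] = ev["t"]
            continue
        procs[ev["pid"]] = ev
        image = ev["image"].lower()
        cmd = ev["cmdline"].lower()
        parent = procs.get(ev["ppid"])
        # Rule 1: "Executes dropped EXE" / "Creating a process from a recently created file"
        if (image in created and ev["t"] - created[image] <= drop_window
                and USER_WRITABLE.search(ev["image"])):
            alerts.append(("dropped_exe_executed", ev["pid"], ev["image"]))
        # Rule 2: "Kills process with taskkill" launched through a batch command
        if image.endswith(r"\taskkill.exe") and parent and parent["image"].lower().endswith(r"\cmd.exe"):
            alerts.append(("taskkill_via_cmd", ev["pid"], ev["cmdline"]))
        # Rule 3: "Deletes itself": cmd.exe whose command line deletes its parent's own image
        if image.endswith(r"\cmd.exe") and "del " in cmd and parent and parent["image"].lower() in cmd:
            alerts.append(("self_delete", ev["pid"], parent["image"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:22} pid={pid} {detail}")
```

Rule 3 keys on the parent's image path rather than on "del" alone, which is what keeps the benign cmd.exe usage on a host from flooding the queue; the 60-second drop window in rule 1 is a tunable assumption, not a value taken from the sandbox reports.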
Malware Config
C2 Extraction:
knuvfy12.top
morzku01.top
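The network indicators this page yields (the two extracted C2 domains, the hosts in the behaviour graph, and the defanged download URL in the comment at the bottom) are only useful once matched against logs. The following Python is an added example, not code from MalwareBazaar or the sandbox vendors: it refangs the indicators, splits them into domain, IP and URL sets, and scans constructed DNS, firewall and proxy log lines for hits, including subdomains of a listed C2 domain. The space-separated key=value log layout and every log line are assumptions made for the example.

```python
"""Match this page's network IOCs against DNS, firewall and proxy log lines."""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from this page; the URL is kept defanged as it was posted.
PAGE_IOCS = [
    "knuvfy12.top",                   # C2 extraction
    "morzku01.top",                   # C2 extraction
    "frekodi.top",                    # behaviour graph
    "damquf09.top",                   # behaviour graph
    "45.130.151.145",                 # behaviour graph (damquf09.top)
    "hxxp://37.0.11.8/WW/fileT.exe",  # download URL from the comment
]

KV = re.compile(r"(\w+)=(\S+)")  # assumed log layout: space-separated key=value pairs


def refang(ioc: str) -> str:
    """Undo common defanging so indicators compare equal to live log data."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("[:]", ":"))


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def ioc_sets(iocs):
    """Split a mixed indicator list into (domains, ips, urls), lower-cased.
    A URL also contributes its host, so a bare connection to 37.0.11.8 is still caught."""
    domains, ips, urls = set(), set(), set()
    for raw in iocs:
        ioc = refang(raw).strip().lower()
        if "://" in ioc:
            urls.add(ioc)
            host = urlparse(ioc).hostname
            if host:
                (ips if _is_ip(host) else domains).add(host)
        elif _is_ip(ioc):
            ips.add(ioc)
        else:
            domains.add(ioc)
    return domains, ips, urls


def _domain_hit(name, domains):
    """Exact match or subdomain of a listed domain (cdn.knuvfy12.top hits knuvfy12.top)."""
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def match_log_line(line, domains, ips, urls):
    """Return (indicator, reason) if the line touches an indicator, else None."""
    fields = dict(KV.findall(line))
    query = fields.get("query", "").lower().rstrip(".")
    if query:
        d = _domain_hit(query, domains)
        if d:
            return (d, "dns query")
    url = fields.get("url", "").lower()   # whole URL compared case-insensitively
    if url:
        if url in urls:
            return (url, "proxy url")
        host = urlparse(url).hostname or ""
        if host in ips:
            return (host, "proxy ip")
        d = _domain_hit(host, domains)
        if d:
            return (d, "proxy domain")
    dst = fields.get("dst", "")
    if dst in ips:
        return (dst, "connection to ip")
    return None


# Constructed log lines: a C2 lookup, the TCP connection to it, the payload
# download, one benign lookup, and a subdomain of an extracted C2 domain.
SAMPLE_LOG = """\
2021-08-16T07:12:01Z dns client=10.0.0.5 query=damquf09.top type=A
2021-08-16T07:12:02Z fw client=10.0.0.5 dst=45.130.151.145 dport=80 action=allow
2021-08-16T07:12:03Z proxy client=10.0.0.5 method=GET url=http://37.0.11.8/WW/fileT.exe status=200
2021-08-16T07:12:04Z dns client=10.0.0.7 query=www.example.com type=A
2021-08-16T07:12:05Z dns client=10.0.0.5 query=cdn.knuvfy12.top type=A
"""


def scan(log_text, iocs=PAGE_IOCS):
    """Return [(timestamp, indicator, reason)] for every matching line."""
    domains, ips, urls = ioc_sets(iocs)
    hits = []
    for line in log_text.splitlines():
        m = match_log_line(line, domains, ips, urls)
        if m:
            hits.append((line.split()[0], m[0], m[1]))
    return hits


if __name__ == "__main__":
    for ts, ioc, reason in scan(SAMPLE_LOG):
        print(ts, reason, ioc)
```

The subdomain match is deliberate: CryptBot C2 hostnames on .top domains rotate, and a suffix match on the registered domain catches the next host without a new indicator. Exact-URL comparison is case-insensitive here for simplicity; treat a path-only case difference as a hit worth reviewing rather than a miss.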
Unpacked files
SHA256 hash:
22c1ea4283e3168bbbb68526690dbf7c3af7eedde583f1cf18cedb757888994a
MD5 hash:
7c238223f5364ed71912e284d8a06007
SHA1 hash:
22ce3fb2a9117239910c346b0ea562e7e4140fc1
SHA256 hash:
5049169b6ddfd46c25ef01b29a760453ac36534b7e033364a297be7efeaa6fc8
MD5 hash:
b5f49db3a9a421773d2eeade6f52bb33
SHA1 hash:
08dfa30ef726c80d85e4d803b348a418cf0cadc1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: CryptBot
File: Executable exe, SHA256 5049169b6ddfd46c25ef01b29a760453ac36534b7e033364a297be7efeaa6fc8 (this sample)

Comments



zbet commented on 2021-08-16 07:11:24 UTC

URL: hxxp://37.0.11.8/WW/fileT.exe