MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 542a06a554ad5e9acfece719248d219215e7376338b1b55dd98eb94a169dd800. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 11


Intelligence 11 IOCs 2 YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 542a06a554ad5e9acfece719248d219215e7376338b1b55dd98eb94a169dd800
SHA3-384 hash: 8795323cc93f0957f98535598ffdec22a298dc0d18a535e638fa039831fe9ab7c8d803e723b421dcd40a9a58937d08c1
SHA1 hash: 6ba845131cf00aefe62c009bdf402b20e3bc0099
MD5 hash: 6923d9c8ccf491d2b970c2dadd0d2617
humanhash: timing-sink-sink-winter
File name:6923D9C8CCF491D2B970C2DADD0D2617.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:3'594'093 bytes
First seen:2021-05-14 20:40:36 UTC
Last seen:2021-05-14 21:01:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:jZxT/mBSbvKRq4v+CV64DBZ41pkDEjRaYq/9w5m19Yr:jL/mgbvKRP+CV64DD41pkDtY++kS
Threatray 2 similar samples on MalwareBazaar
TLSH 7BF533979380C185EF84867CB5E6FB33B47F9DF019F1C61F97A2524D85788382D2A84A
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://morhza05.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://morhza05.top/index.php https://threatfox.abuse.ch/ioc/42187/
68.168.126.114:45641 https://threatfox.abuse.ch/ioc/42251/

Intelligence

File Origin
# of uploads :
2
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
main_setup_x86x64.exe
Verdict:
Malicious activity
Analysis date:
2021-05-12 08:15:04 UTC
Tags:
evasion trojan stealer vidar rat redline
Link:
https://app.any.run/tasks/a48b99b2-a648-43cf-8849-fb04cd5d837c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Predatorthethief
Create hunting rule
Link:
https://www.capesandbox.com/analysis/157141/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Running batch commands
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/782296
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes to foreign memory regions
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 414692 Sample: L3T91myq6o.exe Startdate: 14/05/2021 Architecture: WINDOWS Score: 100 99 facebook.websmails.com 2->99 127 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->127 129 Multi AV Scanner detection for domain / URL 2->129 131 Found malware configuration 2->131 135 9 other signatures 2->135 11 L3T91myq6o.exe 19 2->11         started        signatures3 133 Performs DNS queries to domains with low reputation 99->133 process4 file5 49 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->49 dropped 51 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->51 dropped 53 C:\Users\user\AppData\Local\Temp\...53Act.dll, PE32 11->53 dropped 14 setup_installer.exe 16 11->14         started        process6 file7 73 C:\Users\user\AppData\...\setup_install.exe, PE32 14->73 dropped 75 C:\Users\user\AppData\Local\...\metina_8.exe, PE32 14->75 dropped 77 C:\Users\user\AppData\Local\...\metina_7.exe, PE32 14->77 dropped 79 11 other files (4 malicious) 14->79 dropped 17 setup_install.exe 1 14->17         started        process8 dnsIp9 95 estrix.xyz 104.21.57.186, 49716, 80 CLOUDFLARENETUS United States 17->95 97 127.0.0.1 unknown unknown 17->97 123 Detected unpacking (changes PE section rights) 17->123 125 Performs DNS queries to domains with low reputation 17->125 21 cmd.exe 1 17->21         started        23 cmd.exe 1 17->23         started        25 cmd.exe 17->25         started        27 8 other processes 17->27 signatures10 process11 process12 29 metina_1.exe 5 21->29         started        32 metina_3.exe 89 23->32         started        36 metina_8.exe 25->36         started        38 metina_2.exe 1 27->38         started        40 metina_7.exe 27->40         started        42 metina_5.exe 27->42         started        44 2 other processes 27->44 dnsIp13 55 C:\Users\user\AppData\Local\...\install.dll, PE32 29->55 dropped 46 rundll32.exe 29->46         started        87 2 other IPs or domains 32->87 67 12 other files (none is malicious) 32->67 dropped 101 Detected unpacking (changes PE section rights) 32->101 103 Detected unpacking (overwrites its own PE header) 32->103 105 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->105 121 4 other signatures 32->121 81 103.155.92.96 TWIDC-AS-APTWIDCLimitedHK unknown 36->81 83 101.99.90.200 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 36->83 89 14 other IPs or domains 36->89 57 C:\Users\...57mQerwKWsEcmWKVJ4MQtslrk.exe, PE32 36->57 dropped 59 C:\Users\...\mniu5ESSnA1kVoq9e5hPeJ0o.exe, PE32 36->59 dropped 69 15 other files (none is malicious) 36->69 dropped 107 Antivirus detection for dropped file 36->107 109 Performs DNS queries to domains with low reputation 36->109 111 Machine Learning detection for dropped file 36->111 61 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 38->61 dropped 113 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 38->113 115 Renames NTDLL to bypass HIPS 38->115 117 Checks if the current machine is a virtual machine (disk enumeration) 38->117 91 2 other IPs or domains 40->91 119 May check the online IP address of the machine 40->119 93 3 other IPs or domains 42->93 63 C:\Users\user\AppData\Local\Temp\haleng.exe, PE32 42->63 dropped 65 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 42->65 dropped 85 172.67.145.48 CLOUDFLARENETUS United States 44->85 71 5 other files (none is malicious) 44->71 dropped file14 signatures15 process16 signatures17 137 Contains functionality to infect the boot sector 46->137 139 Contains functionality to inject threads in other processes 46->139 141 Contains functionality to inject code into remote processes 46->141 143 5 other signatures 46->143
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/542a06a554ad5e9acfece719248d219215e7376338b1b55dd98eb94a169dd800/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-05-12 05:03:02 UTC
AV detection:
23 of 44 (52.27%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kqvanjkuvvpjvt7m44msjdjbsik6on3dhcy3kxozr24uufu53aaa._file
Verdict:
unknown
Similar samples:
6552cf64c39a8bd219e97300c065290e11394898334a02f916f58566e2fbc7d7
CryptBot
f1a553c411aaf180797dd27f75317ed6ab65e166c72845b913273d2bcae4f211
CryptBot
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:plugx family:raccoon family:redline family:smokeloader family:vidar aspackv2 backdoor discovery evasion infostealer persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/210514-k5z1m58ads/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
PlugX
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://khaleelahmed.com/upload/
http://twvickiassociation.com/upload/
http://www20833.com/upload/
http://cocinasintonterias.com/upload/
http://masaofukunaga.com/upload/
http://gnckids.com/upload/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/542a06a554ad5e9acfece719248d219215e7376338b1b55dd98eb94a169dd800

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/157141/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-14 20:59:47 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [F0002.002] Collection::Polling
2) [C0032.001] Data Micro-objective::CRC32::Checksum
3) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0045] File System Micro-objective::Copy File
7) [C0046] File System Micro-objective::Create Directory
8) [C0048] File System Micro-objective::Delete Directory
9) [C0047] File System Micro-objective::Delete File
10) [C0049] File System Micro-objective::Get File Attributes
11) [C0051] File System Micro-objective::Read File
12) [C0050] File System Micro-objective::Set File Attributes
13) [C0052] File System Micro-objective::Writes File
14) [E1510] Impact::Clipboard Modification
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0018] Process Micro-objective::Terminate Process