MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54f791796231f7899d753f0ba44e7387bf7748dc7a28adbd28f2067c9ab88605. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Cryptbot


Vendor detections: 9



SHA256 hash: 54f791796231f7899d753f0ba44e7387bf7748dc7a28adbd28f2067c9ab88605
SHA3-384 hash: 64f9adc2d681e01026125d5e8aae8a4361cf661db1b3911c53a57ea45963491618197809cdb6919984980bff7f6c100e
SHA1 hash: ae312df78a6eeecc0fa90ed8d1e6a717b7ef4262
MD5 hash: 6ffb9cf7aac379e11b55f43921a93118
humanhash: iowa-seven-california-alabama
File name: 6ffb9cf7aac379e11b55f43921a93118.exe
Signature: Cryptbot
File size: 1'796'460 bytes
First seen: 2021-07-15 09:40:52 UTC
Last seen: 2021-07-15 11:21:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e04eb610508ddb951732064297e50b65 (6 x CryptBot)
ssdeep: 49152:X1naABhJLh21Cgv8XPdZgjswOIAnuKs2Ear:X11JQ1CgvMd68nuKQar
Threatray: 314 similar samples on MalwareBazaar
TLSH: T1BD85BC01E697936AC2A7F3FDB91DF6345565AC3F032001CB33B4FEC669E09906A25632
Reporter: abuse_ch
Tags: CryptBot exe
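The digests above are the record's identity, and the first thing to do with a downloaded copy is recompute them before handling it further. The following is an added example, not MalwareBazaar's own tooling: it recomputes the four digests the record lists with Python's hashlib, compares them with the values published here, and checks the MZ/PE layout that the "Executable exe" / application/x-dosexec entry implies. The PE-like bytes it builds for demonstration are constructed and are not this sample, so every digest comparison on them is expected to fail.

```python
"""Check a downloaded file against the digests and file type a MalwareBazaar
record lists.  Added example, not MalwareBazaar code.  The expected values are
copied from this record; the PE-like test bytes are constructed."""
import hashlib
import struct

# Digests as published in this record (SHA256 is the primary key on MalwareBazaar).
RECORD = {
    "sha256": "54f791796231f7899d753f0ba44e7387bf7748dc7a28adbd28f2067c9ab88605",
    "sha3_384": "64f9adc2d681e01026125d5e8aae8a4361cf661db1b3911c53a57ea45963491618197809cdb6919984980bff7f6c100e",
    "sha1": "ae312df78a6eeecc0fa90ed8d1e6a717b7ef4262",
    "md5": "6ffb9cf7aac379e11b55f43921a93118",
}


def digests(data: bytes) -> dict:
    """Return the four digests MalwareBazaar lists, as lower-case hex."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header and a PE signature at e_lfanew, which is
    what MalwareBazaar labels 'Executable exe' / application/x-dosexec."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def check_sample(data: bytes, record: dict = RECORD) -> dict:
    """Compare every digest in the record and report whether the bytes are a PE.
    One mismatch means this is not the file the record describes: a wrong
    download, a still-zipped archive, or a re-packed variant."""
    got = digests(data)
    matches = {name: got[name] == expected.lower() for name, expected in record.items()}
    return {"matches": matches, "all_match": all(matches.values()), "is_pe": is_pe(data)}


def make_stub_pe() -> bytes:
    """Constructed 0x44-byte stand-in with a valid MZ/PE layout (not a real sample)."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)   # 0x40 bytes; e_lfanew lives at 0x3C
    struct.pack_into("<I", header, 0x3C, 0x40)  # point e_lfanew just past the DOS header
    return bytes(header) + b"PE\0\0"


if __name__ == "__main__":
    # With a real download: check_sample(open(path, "rb").read())
    print(check_sample(make_stub_pe()))  # is_pe True, every digest False: the stub is not this sample
```

The imphash, ssdeep and TLSH values above are not reproducible with the standard library; they need the third-party pefile, ssdeep and tlsh packages respectively, and ssdeep/TLSH comparisons are similarity scores rather than equality checks.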

Intelligence


File Origin
# of uploads: 2
# of downloads: 143
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6ffb9cf7aac379e11b55f43921a93118.exe
Verdict: Malicious activity
Analysis date: 2021-07-15 10:05:42 UTC
Tags: trojan stealer loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 60 / 100
Signature
Contains functionality to register a low level keyboard hook
Found many strings related to Crypto-Wallets (likely being stolen)
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (ID 449235; sample YYK886IH7Z.exe; start date 15/07/2021; architecture WINDOWS; score 60). Process tree with the signature each node triggered, recovered from the flattened graph image:
Sample-level: Found many strings related to Crypto-Wallets (likely being stolen)
YYK886IH7Z.exe  [Contains functionality to register a low level keyboard hook]
  cmd.exe  [Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks]
    conhost.exe
    cmd.exe  [Obfuscated command line found; Uses ping.exe to sleep]
      PING.EXE  -> 127.0.0.1, 192.168.2.1
      Certe.exe.com
        Certe.exe.com  -> DNS lookup: cIymuknYDYAeNlatDP.cIymuknYDYAeNlatDP
      findstr.exe
Threat name: Win32.Spyware.AveMaria
Status: Malicious
First seen: 2021-07-15 09:41:08 UTC
AV detection: 25 of 28 (89.29%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SHA256 hash: f10eaff1a6e7bcf03cccecc19a2696f76f5a685a0c5bbd6dfbc2d47838c2ffce
MD5 hash: 422be91874980bc78f5cef4c58b98933
SHA1 hash: 146b01a20a1a2f4a667c14c0b0f82c1c0012a84e

SHA256 hash: 54f791796231f7899d753f0ba44e7387bf7748dc7a28adbd28f2067c9ab88605
MD5 hash: 6ffb9cf7aac379e11b55f43921a93118
SHA1 hash: ae312df78a6eeecc0fa90ed8d1e6a717b7ef4262
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Cryptbot
Sample: Executable exe 54f791796231f7899d753f0ba44e7387bf7748dc7a28adbd28f2067c9ab88605 (this sample)

Comments