MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 604d21a93ab88cdc9d0b609e73766a13e5959644eb35c7bc4fa8967378846004. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 12


Intelligence 12 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 604d21a93ab88cdc9d0b609e73766a13e5959644eb35c7bc4fa8967378846004
SHA3-384 hash: 4a702214bf67c759e7a2be1b38671039a923838702fc72c58c4e5677f9b607edc577a43ba0195e98d31f695435900ba2
SHA1 hash: defb184aaa4eaacd51a9612048a52bd9825b66ec
MD5 hash: f7b95569f9898370aea6f4b59b9e97fb
humanhash: lemon-berlin-april-nevada
File name:askar_loader.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:7'168 bytes
First seen:2021-06-02 19:41:48 UTC
Last seen:2021-06-02 20:48:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 96:SbCAUv1p0fixA/1v5LlP1KoQDez7H7DGBFFF5J0FZS8o77ThNzNt:gM1pw5LB1KN27bD0N0fSl771n
Threatray 850 similar samples on MalwareBazaar
TLSH 2CE1E909F7E84A32DDFB0A355CB3830247B5F309DA63DB9F64C6618A3D227448661771
Reporter James_inthe_box
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Askar Loader.exe
Verdict:
Malicious activity
Analysis date:
2021-05-30 16:50:44 UTC
Tags:
evasion trojan opendir loader rat redline stealer phishing danabot
Link:
https://app.any.run/tasks/6a4e6b79-b9c8-4f08-89cc-c8c57f1f54a4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164205/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %AppData% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Connection attempt
Sending an HTTP POST request
Deleting a recently created file
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Forced shutdown of a system process
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/796247
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/604d21a93ab88cdc9d0b609e73766a13e5959644eb35c7bc4fa8967378846004/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-31 15:55:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 47 (42.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mbgsdkj2xcgnzhilmcphg5tkcpszlfse5m24ppcpvclhg6eemaca._file
Verdict:
malicious
Similar samples:
04361291bf3ae8acd73f886bf5cab71fa35097256e12c0bb1b2360d4603a40e7
CryptBot
3c2fa1d04daaea31991c29bb4118c3d146a50815a033ea5ae325c3171ebdf713
CryptBot
418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424
CryptBot
6a966d8a8bc18b016f35a159c110eb8dd5527b83e39db5fa7300e4634c9cb096
CryptBot
7d2aa440d1865ca2262908dbb3102194d0fd77117b2b3ea0af9de8cc21d1e394
CryptBot
a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
CryptBot
da19103e927e19daedc51212deb60ceca403e3e9876c52a9dec41d7e6215929b
CryptBot
e55e95de03dff2a35cb8304d855c944a5309c56ff8d369af0a542e600faa6808
CryptBot
ea50cc254fa1cc865d19d13bbdf206dc69092d6f723cb56a3843d74ba83e64a0
CryptBot
ff4a3e44fcd1cfbbf10ac318aca7559e0c20d0563e11e8a98e21e09e97ca68d3
CryptBot
+ 840 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:danabot family:glupteba family:metasploit family:plugx family:raccoon family:redline family:smokeloader botnet:1_06_ruz botnet:3 botnet:first botnet:newbestbuild botnet:sel4 botnet:servjason backdoor banker discovery dropper infostealer loader spyware stealer trojan
Link:
https://tria.ge/reports/210602-xcm79zye2x/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Danabot
Glupteba
Glupteba Payload
MetaSploit
PlugX
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
157.90.145.89:45614
157.90.251.148:59839
quropaloar.xyz:80
185.244.181.187:59417
ergerge.top:80
184.95.51.183:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/604d21a93ab88cdc9d0b609e73766a13e5959644eb35c7bc4fa8967378846004

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_AHK_Downloader
Create hunting rule
Author:ditekSHen
Description:Detects AutoHotKey binaries acting as second stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_RedLineDropperAHK
Create hunting rule
Author:ditekSHen
Description:Detects AutoIt/AutoHotKey executables dropping RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/164205/

Comments