MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c5c4c2f8515fad74b9f0e99f00c0a08f44557d7b619a058bf2233bbf0968c60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 11


Intelligence 11 IOCs 2 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c5c4c2f8515fad74b9f0e99f00c0a08f44557d7b619a058bf2233bbf0968c60
SHA3-384 hash: 6e61099747f9b4c519f8d6fd63dbbc75c482ac1060f903b3daa171c7b710c529c4543a9d84d7bf9f86138d8b30fa05c3
SHA1 hash: e02430f73a7f543565e13e4dbb8022dd3dc11524
MD5 hash: 555d61c4ac5b3c3726c8438ceb49c4e2
humanhash: video-rugby-iowa-november
File name:6c5c4c2f8515fad74b9f0e99f00c0a08f44557d7b619a.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:671'232 bytes
First seen:2021-07-03 04:50:23 UTC
Last seen:2021-07-03 05:36:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 372f389f6695b5e1ea358dd4c58300aa (2 x CryptBot, 1 x RaccoonStealer)
ssdeep 12288:jwn/qeN8rPwcuMWi6qcH4BLO22yEGVTLdqr3E/5dRXO/Fm:jyur8AUyjwE/jR+
TLSH 8EE41222B610C077C87341784D58D6A60A7B7C329BA98C4B7BB52B1D5E312C2F6BE357
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://xeieib52.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://xeieib52.top/index.php https://threatfox.abuse.ch/ioc/157138/
http://moraid05.top/index.php https://threatfox.abuse.ch/ioc/157139/

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7084966D9A406D1719DBB913004CE10D.exe
Verdict:
Malicious activity
Analysis date:
2021-07-02 20:57:47 UTC
Tags:
trojan loader rat redline stealer evasion
Link:
https://app.any.run/tasks/ed3709b4-0060-49d9-b350-0327361a06ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169439/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.21733.13092.10149.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf6aa800-b696-4a09-a25a-7cf0fb4a4c6b
Result
Threat name:
Clipboard Hijacker Cryptbot Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811316
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 443727 Sample: 6c5c4c2f8515fad74b9f0e99f00... Startdate: 03/07/2021 Architecture: WINDOWS Score: 100 75 ip-api.com 2->75 93 Multi AV Scanner detection for domain / URL 2->93 95 Found malware configuration 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 15 other signatures 2->99 13 6c5c4c2f8515fad74b9f0e99f00c0a08f44557d7b619a.exe 48 2->13         started        18 SmartClock.exe 2->18         started        20 SmartClock.exe 2->20         started        signatures3 process4 dnsIp5 83 moraid05.top 178.62.84.251, 49728, 80 DIGITALOCEAN-ASNUS European Union 13->83 85 xeieib52.top 143.110.219.141, 49725, 80 COLLEGE-OF-ST-SCHOLASTICAUS United States 13->85 87 lopoga07.top 47.243.129.23, 49731, 49732, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 13->87 73 C:\Users\user\AppData\Local\...\xRbFEXG.exe, PE32 13->73 dropped 113 Detected unpacking (changes PE section rights) 13->113 115 Detected unpacking (overwrites its own PE header) 13->115 117 Tries to harvest and steal browser information (history, passwords, etc) 13->117 22 cmd.exe 1 13->22         started        25 cmd.exe 1 13->25         started        file6 signatures7 process8 signatures9 101 Submitted sample is a known malware sample 22->101 103 Obfuscated command line found 22->103 105 Uses ping.exe to sleep 22->105 107 Uses ping.exe to check the status of other devices and networks 22->107 27 xRbFEXG.exe 25 22->27         started        31 conhost.exe 22->31         started        33 conhost.exe 25->33         started        35 timeout.exe 1 25->35         started        process10 file11 65 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 27->65 dropped 67 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 27->67 dropped 69 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 27->69 dropped 71 3 other files (none is malicious) 27->71 dropped 109 Multi AV Scanner detection for dropped file 27->109 111 Machine Learning detection for dropped file 27->111 37 vpn.exe 7 27->37         started        39 4.exe 4 27->39         started        42 conhost.exe 31->42         started        signatures12 process13 file14 44 cmd.exe 1 37->44         started        63 C:\Users\user\AppData\...\SmartClock.exe, PE32 39->63 dropped 46 SmartClock.exe 39->46         started        process15 process16 48 cmd.exe 3 44->48         started        51 conhost.exe 44->51         started        signatures17 89 Obfuscated command line found 48->89 91 Uses ping.exe to sleep 48->91 53 Accompagna.exe.com 48->53         started        55 PING.EXE 48->55         started        58 findstr.exe 1 48->58         started        process18 dnsIp19 60 Accompagna.exe.com 53->60         started        77 127.0.0.1 unknown unknown 55->77 79 192.168.2.1 unknown unknown 55->79 process20 dnsIp21 81 WYEnXVSECgshKtHcubAXXu.WYEnXVSECgshKtHcubAXXu 60->81
Detection:
cryptbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c5c4c2f8515fad74b9f0e99f00c0a08f44557d7b619a058bf2233bbf0968c60/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-07-02 21:41:31 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nroeyl4fcx5nos47b2m7adakbd2ekv6xwym2awf7eiz3x4ewrrqa._file
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/210703-xgs9vl62vx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Malware Config
C2 Extraction:
xeieib52.top
moraid05.top
Unpacked files
SH256 hash:
37db2fe0dde9e67076422f6dfec4fc64fe2ed794ffb08788657ad0d415ee2239
MD5 hash:
5766f7a1279d07d2c600013c672f7fb4
SHA1 hash:
d468c7c3d3fa91f69a0f0645ddd823681b39bcd2
Link:
https://www.unpac.me/results/41ab3d8a-4c45-4891-a693-208c2df7baf1/
SH256 hash:
6c5c4c2f8515fad74b9f0e99f00c0a08f44557d7b619a058bf2233bbf0968c60
MD5 hash:
555d61c4ac5b3c3726c8438ceb49c4e2
SHA1 hash:
e02430f73a7f543565e13e4dbb8022dd3dc11524
Link:
https://www.unpac.me/results/41ab3d8a-4c45-4891-a693-208c2df7baf1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c5c4c2f8515fad74b9f0e99f00c0a08f44557d7b619a058bf2233bbf0968c60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169439/

Comments