MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ff2318912c569e33755a075f32491a9691a8dbcee404b0e5f8ea04910917e94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ff2318912c569e33755a075f32491a9691a8dbcee404b0e5f8ea04910917e94
SHA3-384 hash: 92e1a2eeb269a5931a0dd0b14091c95cd2aa6113951e16400b965600309885712a92499c53c7c37a52051495eb09b299
SHA1 hash: b8ef67d35f94738ce9fded556a1fcaa3ad549b40
MD5 hash: 7f5662e57eb8fc4e5be9d397ce778fc9
humanhash: leopard-hamper-oven-georgia
File name:7f5662e57eb8fc4e5be9d397ce778fc9.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:2'582'528 bytes
First seen:2022-09-17 07:40:26 UTC
Last seen:2022-09-17 09:25:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ddccc155b1fdc537a66884e418ebef90 (8 x CryptBot)
ssdeep 24576:snyiktb4xvPi38kfanMWEoxZCkFzdAf5zCIrgLPs3TvrmnL+E6YfipDumkJBpECJ:sSz/SlAApfDnf95lpay7
Threatray 14'391 similar samples on MalwareBazaar
TLSH T112C5C4A339738AF697885F7090D468B81C44C2371C10A57D794492FCDABA3FA42EEE75
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon b282a88e8eaab692 (26 x CryptBot, 2 x RedLineStealer)
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
384
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-09-16 19:46:00 UTC
Tags:
loader trojan stealer opendir raccoon recordbreaker ransomware stop
Link:
https://app.any.run/tasks/5f690e81-3e99-43f3-ab52-649be1b01bd5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310887/
Detection(s):
SecuriteInfo.com.Variant.Ser.Lazy.1626.11290.29131.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %temp% directory
Reading critical registry keys
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Searching for analyzing tools
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63257a96668068d3ba36f0d8/reports/dc6fad6f-f928-4d46-a408-e676eabc37e2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/09be01c6-92ca-4a35-ab7f-f58845088aa3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072177
Signature
Found C&C like URL pattern
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 704719 Sample: ZpikGO9mvc.exe Startdate: 17/09/2022 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Multi AV Scanner detection for domain / URL 2->40 42 Multi AV Scanner detection for dropped file 2->42 44 5 other signatures 2->44 8 ZpikGO9mvc.exe 46 2->8         started        process3 dnsIp4 34 ulaseb52.top 185.231.155.3, 49702, 80 VDSINA-ASRU Russian Federation 8->34 36 rilgcu07.top 95.161.129.117, 49705, 80 TIERA-ASRU Russian Federation 8->36 32 C:\Users\user\AppData\Roaming\...\desmid.exe, PE32 8->32 dropped 54 Self deletion via cmd or bat file 8->54 56 Tries to harvest and steal browser information (history, passwords, etc) 8->56 13 cmd.exe 1 8->13         started        15 cmd.exe 1 8->15         started        file5 signatures6 process7 process8 17 desmid.exe 7 13->17         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 timeout.exe 1 15->25         started        file9 30 C:\Users\user\AppData\...\DpEditor.exe, PE32 17->30 dropped 46 Multi AV Scanner detection for dropped file 17->46 48 Query firmware table information (likely to detect VMs) 17->48 50 Hides threads from debuggers 17->50 52 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->52 27 DpEditor.exe 17->27         started        signatures10 process11 signatures12 58 Query firmware table information (likely to detect VMs) 27->58 60 Hides threads from debuggers 27->60 62 Tries to detect sandboxes / dynamic malware analysis system (registry check) 27->62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ff2318912c569e33755a075f32491a9691a8dbcee404b0e5f8ea04910917e94/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2022-09-16 22:57:29 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 40 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n7zddcisyvu6gn2vub27gjervfurvdn45zaewds7r2qeseerp2ka._file
Verdict:
malicious
Similar samples:
151fb5746b08b95408b92e08f4bbeac8c4a1a3fc3ad6f43d237357f10476b33f
CryptBot
4b0c9687e2404152643dbac78f4adfd8350095b9d465cb64b60de1ff70d3e651
CryptBot
4d68f6c2e2749ddd3efe5802b9818ac3c183d6a8ef3613199a7678a83000c112
CryptBot
5a2ebb201e3f9c619ad23b0043136c4aca5849f345733c68b9647d102b52b4ff
CryptBot
69870e2a61815839fdc55f251a07c89580dc6c1725f850288c4dc190c08b7175
CryptBot
917e03484856f0980f2150822a231e0f73e3cef3f074ea1644dcbd1082590399
CryptBot
96cf18e2a423b74f89f810553f9b4ba3859bd2f71172facfc8911c6cf6221881
CryptBot
bd06c34a413a4ca8e49ec57f8ea6f52f69eb16c4fce86db93761c4da50c94edc
CryptBot
daf4c0820c45f6be84cf248504e10bfee063ea6fc8de3b397adaa6682e4bb610
CryptBot
efa703564bbcbeec3b16a05e516957c6a54814a80348d06ff896ec74e51e60c8
CryptBot
+ 14'381 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/220917-jh4zasdcfq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a3f82efa-a626-4891-8572-b34121085b4d
Unpacked files
SH256 hash:
2971bcc54d68d5c4528bbc57a0eb13659b95cd6a63dde41d447c7ae6938ebdeb
MD5 hash:
92b6b7e65120e6d7eb0fc2ac65a7607f
SHA1 hash:
12af92936177152a7d619a310ba1559699729568
Link:
https://www.unpac.me/results/76c452a3-31e4-41f8-802c-91cadea1dba4/
SH256 hash:
6ff2318912c569e33755a075f32491a9691a8dbcee404b0e5f8ea04910917e94
MD5 hash:
7f5662e57eb8fc4e5be9d397ce778fc9
SHA1 hash:
b8ef67d35f94738ce9fded556a1fcaa3ad549b40
Link:
https://www.unpac.me/results/76c452a3-31e4-41f8-802c-91cadea1dba4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6ff2318912c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ff2318912c569e33755a075f32491a9691a8dbcee404b0e5f8ea04910917e94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Record_Breaker_Similarities
Create hunting rule
Author:DigitalPanda

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 6ff2318912c569e33755a075f32491a9691a8dbcee404b0e5f8ea04910917e94

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2305341/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/310887/

Comments