MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70b76fcb6175f3a6b2ea31d55732900a43a28c6510ff442d14bcfc10bd1ea28b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70b76fcb6175f3a6b2ea31d55732900a43a28c6510ff442d14bcfc10bd1ea28b
SHA3-384 hash: eea46b6873dcd5c4e5435948ca3c8d8eefcbbe654d84eda811a778ab23c7d0258d2d9e6b0e54eace3e15112150a2f744
SHA1 hash: 7770903f1efb33d01c319bd1cfa8f179d5edb5b9
MD5 hash: ff0efd8b2560085a03405d237425e94b
humanhash: carpet-fifteen-missouri-solar
File name:ff0efd8b2560085a03405d237425e94b.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:1'789'742 bytes
First seen:2021-06-10 04:56:11 UTC
Last seen:2021-06-10 05:36:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6544a94130ba48ef4970b72bf8d39186 (1 x CryptBot)
ssdeep 49152:TD3kRXrOOQqbrEmYSyTKvWxCBBQJEft/zI7jAHj/O:TD3kRXr+8rVcIiJEF/YMD/O
Threatray 195 similar samples on MalwareBazaar
TLSH 2A85332371D0D1F6D26242B57B22A4F466FCFA74464A150F77A40E0D6EF48A8C73E3A6
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://olmnmj26.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://olmnmj26.top/index.php https://threatfox.abuse.ch/ioc/85681/

Intelligence

File Origin
# of uploads :
2
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ff0efd8b2560085a03405d237425e94b.exe
Verdict:
Malicious activity
Analysis date:
2021-06-10 10:04:19 UTC
Tags:
autoit stealer trojan
Link:
https://app.any.run/tasks/fbfad161-fac4-4f54-8988-a85e131abef3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165741/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46449274.26012.27120.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
Deleting a recently created file
DNS request
Sending a UDP request
Creating a file
Delayed reading of the file
Reading critical registry keys
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/799954
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 432350 Sample: 60zGaKTmiw.exe Startdate: 10/06/2021 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for URL or domain 2->47 49 4 other signatures 2->49 9 60zGaKTmiw.exe 7 2->9         started        process3 process4 11 cmd.exe 1 9->11         started        14 dllhost.exe 9->14         started        signatures5 51 Submitted sample is a known malware sample 11->51 53 Obfuscated command line found 11->53 55 Uses ping.exe to sleep 11->55 57 Uses ping.exe to check the status of other devices and networks 11->57 16 cmd.exe 3 11->16         started        19 conhost.exe 11->19         started        process6 signatures7 39 Obfuscated command line found 16->39 41 Uses ping.exe to sleep 16->41 21 Promessa.exe.com 16->21         started        23 PING.EXE 1 16->23         started        26 findstr.exe 1 16->26         started        process8 dnsIp9 29 Promessa.exe.com 30 21->29         started        35 127.0.0.1 unknown unknown 23->35 33 C:\Users\user\AppData\...\Promessa.exe.com, Targa 26->33 dropped file10 process11 dnsIp12 37 aUBVxazQldWur.aUBVxazQldWur 29->37 59 Tries to harvest and steal browser information (history, passwords, etc) 29->59 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/70b76fcb6175f3a6b2ea31d55732900a43a28c6510ff442d14bcfc10bd1ea28b/
Threat name:
Win32.PUA.7zip
Create hunting rule
Status:
Malicious
First seen:
2021-06-08 08:25:24 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oc3w7s3boxz2nmxkghkvomuqbjb2fddfcd7uiliuxt6bbpi6ukfq._file
Verdict:
malicious
Similar samples:
17a54b98e0fa1559a540e2ec3c30f0c23d8a8cbe7b18c8fe1f4241945f314e5e
CryptBot
3688577e500b07cc1818d4c994651f791659efbf8ef3ff88329f25c4f65aba24
CryptBot
497c07b12b4e7f9082b872ef2aac2e9619f1dbc82c94993724cd246dd54b38c4
CryptBot
549a131665d0230870272c99660fb149e3854345882d9bb76f1945cd0bf647d5
CryptBot
88b4dc586771eaca754612a6b980f435506220cb1bf9ff7a4b6ac3bcbe08b0f8
CryptBot
8a9ed010aa3db217f81dfa4d928863eef5cac1165dab6c03258948b8ef019435
CryptBot
8b8a48214f0d0d1a9e210e5f871cc5f608ccb48b6079ec4bcdd5538adbd8d8f2
CryptBot
c06a0e78bbdb7eb777ee46932da052fc2bc4efc2987e63bad29d2177cdcb7cb4
CryptBot
f4d374479efa4ca4ac6893bcb791b1d2ed163ffb503a15c9ba1fa59b06509e3d
CryptBot
fb5d2b6d9ec1b9c07e64f6b9eb148099f0b43d58dc867102c02b16a9a9152022
CryptBot
+ 185 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/210610-qagr9z68ye/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
CryptBot
Unpacked files
SH256 hash:
98585a4bdc8489638c28b9485c47ee83816d9d9c2bee15794ac84bb19302088a
MD5 hash:
cc8558066e22676d6b7d864614a41923
SHA1 hash:
92e60d6cfe5e7ee4ac5ffc0baa170db6e7ea33e9
Link:
https://www.unpac.me/results/b041b7e6-214f-4d4a-81a6-2389c830b9db/
SH256 hash:
ee7ee4ebb18d84b7e09fbd34de6585cef74cb787bc509b6eafd492da6e60a98a
MD5 hash:
acd3f7aaddce55495cdd70c79357198b
SHA1 hash:
e32c113912b20ef96d42d24e622774c890fe3687
Link:
https://www.unpac.me/results/b041b7e6-214f-4d4a-81a6-2389c830b9db/
SH256 hash:
70b76fcb6175f3a6b2ea31d55732900a43a28c6510ff442d14bcfc10bd1ea28b
MD5 hash:
ff0efd8b2560085a03405d237425e94b
SHA1 hash:
7770903f1efb33d01c319bd1cfa8f179d5edb5b9
Link:
https://www.unpac.me/results/b041b7e6-214f-4d4a-81a6-2389c830b9db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70b76fcb6175f3a6b2ea31d55732900a43a28c6510ff442d14bcfc10bd1ea28b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165741/

Comments