MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot

Vendor detections: 12

SHA256 hash: 736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d
SHA3-384 hash: 8584cd2b8c74876847c0f298a527eec830d9368656f824bb1cce0d76600fbbd23bd58a8334aafa4ba6f644df947a0d43
SHA1 hash: 4cf0c26459c732e1b334b8a2b4748161d922e657
MD5 hash: c0b4de4f711b7c28369d7a4018f94759
humanhash: virginia-delaware-mountain-venus
File name: file
Download: download sample
Signature: CryptBot
File size: 390'075 bytes
First seen: 2022-10-18 05:18:41 UTC
Last seen: 2022-10-19 17:05:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'505 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 6144:x/QiQXCykm+ksmpk3U9j0IidOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3yP6m6UR0IqlL//plmW9bTXeVhDrE
Threatray: 910 similar samples on MalwareBazaar
TLSH: T1EA841242F3E15439D073CEB06CA0E962493F79654DBC640836ECAD8F8F3B5829256797
TrID: 75.1% (.EXE) Inno Setup installer (109740/4/30)
      9.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      4.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.0% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE): PE icon
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: andretavare5
Tags: CryptBot exe


andretavare5
Sample downloaded from https://eren.s3.pl-waw.scw.cloud/mikasa/Bolt.exe

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://pefejo12.top/gate.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/891835/

Intelligence


File Origin
# of uploads: 120
# of downloads: 259
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://eren.s3.pl-waw.scw.cloud/mikasa/Bolt.exe
Verdict:
Malicious activity
Analysis date:
2022-10-07 19:03:39 UTC
Tags:
loader evasion trojan sinkhole

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Connecting to a non-recommended domain
Sending a custom TCP request
Sending an HTTP POST request
Creating a file
Searching for the window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Adding an access-denied ACE
Launching cmd.exe command interpreter
Searching for the browser window
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Moving a recently created file
Replacing files
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Setting a single autorun event
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic
Yara detected Generic Downloader
Behaviour
Behavior Graph (ID 725047; Sample: file.exe; Startdate: 18/10/2022; Architecture: WINDOWS; Score: 100): graph rendering omitted
Threat name:
Win32.Trojan.Privateloader
Status:
Malicious
First seen:
2022-10-07 17:06:49 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Result
Malware family:
raccoon
Score:
  10/10
Tags:
family:cryptbot family:nymaim family:raccoon botnet:3eb898957657df9f0625e29daa9c1704 discovery evasion persistence spyware stealer themida trojan upx vmprotect
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Themida packer
Unexpected DNS network traffic destination
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
CryptBot
NyMaim
Process spawned unexpected child process
Raccoon
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
45.15.156.54
85.31.46.167
http://89.185.85.53/
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash:
8e6b60280ac9b713e7f080c78fde6f4245fc0a577c54bc94014d2cfb3eca97aa
MD5 hash:
0b9f7921b564fbe6ad0ada593de40188
SHA1 hash:
66667e4aedf8f1a235f0b2218e19982a8cd33191
SHA256 hash:
736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d
MD5 hash:
c0b4de4f711b7c28369d7a4018f94759
SHA1 hash:
4cf0c26459c732e1b334b8a2b4748161d922e657
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:win_gcleaner_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.
Rule name:win_gcleaner_de41
Author:Johannes Bader
Description:detects GCleaner
Rule name:win_gcleaner_w0
Author:Johannes Bader @viql
Description:detects GCleaner

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments