MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 743f92678d29a5338b7b276226b0d8f60749589f1b11789f40b292d4f2ce7854. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 743f92678d29a5338b7b276226b0d8f60749589f1b11789f40b292d4f2ce7854
SHA3-384 hash: c4063f8b1a36e429d195f003ef9440c7152c9829c9fae506b16c074e8af108290f38df248783ababdf4cf46c329e0423
SHA1 hash: f738f6a5f1b6ec1b90289b4ab02b8b44d5f54c0a
MD5 hash: c06a3a89d83eced416d931b07081b66e
humanhash: mirror-august-indigo-one
File name:c06a3a89d83eced416d931b07081b66e.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:2'291'098 bytes
First seen:2021-03-27 07:17:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 49152:YC0119qqQRvJVAxTPnTmpoRMJtMVfH0eXoKrp2VOVPC4l5VxR:b0H9JkzcnapGMJyfUeXo3qb3R
Threatray 85 similar samples on MalwareBazaar
TLSH ACB533C95E6EE52ACC4692B59EB5E8D341A63C30BC60ED67A7321ECF7D135011831BA3
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PTC-Mathcad-Prime-60-Full-Crack-Latest-Version-Free-Download-2021_784abbcb500086569f750e.zip
Verdict:
Malicious activity
Analysis date:
2021-03-26 22:41:58 UTC
Tags:
autoit stealer trojan loader evasion
Link:
https://app.any.run/tasks/8cd4f35f-4c95-453b-b6c8-088318cd4ca0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127247/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1b26b2ca-34bd-4024-8fb6-441aaa23787b
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/655805
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious Svchost Process
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 376839 Sample: 1k2RZQrqkh.exe Startdate: 27/03/2021 Architecture: WINDOWS Score: 100 93 Multi AV Scanner detection for dropped file 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 Detected unpacking (changes PE section rights) 2->97 99 7 other signatures 2->99 11 1k2RZQrqkh.exe 20 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 73 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->73 dropped 75 C:\Users\user\AppData\Local\Temp\...\6.exe, PE32 11->75 dropped 77 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->77 dropped 79 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->79 dropped 18 6.exe 7 11->18         started        20 vpn.exe 7 11->20         started        22 4.exe 4 11->22         started        process5 file6 25 cmd.exe 1 18->25         started        28 svchost.exe 18->28         started        30 cmd.exe 1 20->30         started        32 svchost.exe 20->32         started        69 C:\Users\user\AppData\...\SmartClock.exe, PE32 22->69 dropped 34 SmartClock.exe 22->34         started        process7 signatures8 111 Submitted sample is a known malware sample 25->111 113 Obfuscated command line found 25->113 115 Uses ping.exe to sleep 25->115 117 Uses ping.exe to check the status of other devices and networks 25->117 36 cmd.exe 3 25->36         started        39 conhost.exe 25->39         started        41 cmd.exe 3 30->41         started        43 conhost.exe 30->43         started        process9 signatures10 45 PING.EXE 1 36->45         started        48 Violenza.exe.com 36->48         started        50 findstr.exe 1 36->50         started        105 Obfuscated command line found 41->105 107 Uses ping.exe to sleep 41->107 52 Far.exe.com 41->52         started        55 findstr.exe 1 41->55         started        58 PING.EXE 41->58         started        process11 dnsIp12 89 127.0.0.1 unknown unknown 45->89 60 Violenza.exe.com 48->60         started        109 May check the online IP address of the machine 52->109 63 Far.exe.com 52->63         started        71 C:\Users\user\AppData\Roaming\...\Far.exe.com, Targa 55->71 dropped 91 192.168.2.1 unknown unknown 58->91 file13 signatures14 process15 dnsIp16 83 ecNsSgYNlzlshYgUBmeER.ecNsSgYNlzlshYgUBmeER 60->83 85 ip-api.com 208.95.112.1, 49718, 80 TUT-ASUS United States 63->85 87 bBPDoAktvaMpCERFeCMqlmhJOgL.bBPDoAktvaMpCERFeCMqlmhJOgL 63->87 65 wscript.exe 63->65         started        process17 dnsIp18 81 iplogger.org 88.99.66.31, 443, 49719 HETZNER-ASDE Germany 65->81 101 System process connects to network (likely due to code injection or exploit) 65->101 103 May check the online IP address of the machine 65->103 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/743f92678d29a5338b7b276226b0d8f60749589f1b11789f40b292d4f2ce7854/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-26 19:17:27 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oq7zez4nfgsthc33e5rcnmgy6yduswe7dmixrh2awkjnj4wopbka._file
Verdict:
malicious
Similar samples:
118f24dab3dce4a5ae6e3ab078551cbc628b475abeeafa07a5972622aaa38812
CryptBot
1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f
CryptBot
388d18b98704bff34ac1cb0a6603e68ba300205ee2f14e4bf482f1012d933231
CryptBot
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
CryptBot
948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8
CryptBot
980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f
CryptBot
9cda1177646d0a69217e80541b33a93f1343a3406729fd09fb19a19808cfed4b
CryptBot
b0e796694c790548cf9553a6ed536b21e8471064c4ae887304137ffcafbe257f
CryptBot
b31544541ebcdaeb7746d400b534e0ce49abb44d5922acacaa1653c492cbd650
CryptBot
bced04a0ef9306f81abe9dcd2bf613802076f1d2012f23bcc42a208acabf25dd
CryptBot
+ 75 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210327-chlet6jyz2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Unpacked files
SH256 hash:
a56d515897f4d9d336602a1809949629f0e79e1fa0d55154b3b1121fb6138085
MD5 hash:
b3d3f51c4249eeaa7d5245ea4f8c7460
SHA1 hash:
2a3627e3aeeab195eec76c2a65394d178c954f9f
Link:
https://www.unpac.me/results/39b07837-4418-475e-8253-2ddbf1383c4a/
SH256 hash:
70aad9b1eaee136651bca2e45491e49628e3a1ca7400dc2edaa72a8365bad042
MD5 hash:
85ea9bf537f3b2d01b1b935d0f75337d
SHA1 hash:
f79c426cb4f91a8a909ad0ca91a6c69713894ef3
Link:
https://www.unpac.me/results/39b07837-4418-475e-8253-2ddbf1383c4a/
SH256 hash:
a2d895a4a913cca917982d54435fe945d9095dbf70baf71f479da6deb72daac7
MD5 hash:
79e8d546a0c8b9fe71550a1b9a2168df
SHA1 hash:
d06b7af30592aefb1e840e87cba298bdfb36761d
Link:
https://www.unpac.me/results/39b07837-4418-475e-8253-2ddbf1383c4a/
SH256 hash:
743f92678d29a5338b7b276226b0d8f60749589f1b11789f40b292d4f2ce7854
MD5 hash:
c06a3a89d83eced416d931b07081b66e
SHA1 hash:
f738f6a5f1b6ec1b90289b4ab02b8b44d5f54c0a
Link:
https://www.unpac.me/results/39b07837-4418-475e-8253-2ddbf1383c4a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/743f92678d29a5338b7b276226b0d8f60749589f1b11789f40b292d4f2ce7854

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 743f92678d29a5338b7b276226b0d8f60749589f1b11789f40b292d4f2ce7854

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1093092/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127247/

Comments