MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74c868e9e721cd00dd2ef0c99dfc83de5e870015f937874c40fb6a6e0688f737. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot

Vendor detections: 13

SHA256 hash: 74c868e9e721cd00dd2ef0c99dfc83de5e870015f937874c40fb6a6e0688f737
SHA3-384 hash: 82e55552dbeb79a917b30f902ab8cd27fe524b028e6918dea4b63c3935890972200df8c97bb8c5632ecbdf0350fb45b4
SHA1 hash: 951a17817a3f1dc5e018eac44f6b50f86ccd7353
MD5 hash: 89df85ad24244ee7b1962cb126748c2d
humanhash: early-winner-sixteen-washington
File name: library
Signature: CryptBot
File size: 3'615'232 bytes
First seen: 2022-11-11 06:20:34 UTC
Last seen: 2022-11-11 07:48:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 20b0f18ad702a466755b6737362335a6 (1 x CryptBot)
ssdeep: 49152:H3rvTR9+OTs2vYBcwHoTlBbAgc+p81dZmsZAh2LBUeXZ7CDiAJEOa8kWfW2gUIAO:XR9+MQDJ+AdZHigUqZ7CDiAl0A
Threatray: 12 similar samples on MalwareBazaar
TLSH: T1D6F5AF1D7EB8F69A9B39B2BD0DC340B22C49688551BF9E40482D5F25106C1E1BBBBF1D
TrID:
  33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b282a88e8eaab692 (26 x CryptBot, 2 x RedLineStealer)
Reporter: JAMESWT_WT
Tags: CryptBot exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 175
Origin country: IT

Vendor Threat Intelligence

Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-11-10 19:33:32 UTC
Tags: installer evasion trojan ficker stealer loader vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Searching for the window
Running batch commands
Creating a window
Creating a file in the %temp% directory
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: CryptbotV2
Detection: malicious
Classification: troj
Score: 84 / 100
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found C&C like URL pattern
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Yara detected CryptbotV2
Behaviour
Behavior Graph (ID 743729; sample library.exe; start date 11/11/2022; architecture WINDOWS; score 84):
  Sample-level signatures: Snort IDS alert for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
  library.exe (started)
    network: jaczjs42.top 5.188.42.115, 49699, 80 (SELECTELRU, Russian Federation); coavas05.top 140.99.31.18, 49700, 80 (REMOTE-SUB-SERVICES-01US, United States); 192.168.2.1 (unknown)
    signature: Self deletion via cmd or bat file
    cmd.exe (started) -> conhost.exe (started), timeout.exe (started)
    cmd.exe (started) -> conhost.exe (started)
Threat name: Win32.Backdoor.Androm
Status: Malicious
First seen: 2022-11-10 21:23:51 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 18 of 26 (69.23%)
Threat level: 5/5
Result
Malware family: cryptbot
Score: 10/10
Tags: family:cryptbot discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Maps connected drives based on registry
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
CryptBot
Malware Config
C2 Extraction: http://jaczjs42.top/gate.php
Unpacked files
SHA256 hash: f8a324f5602a98242aec8f96986f8df7158d07749de199df7d0cdc8c6015c605
MD5 hash: 52023ad4de8704905f3e6f5a1d6b0c8e
SHA1 hash: bd6de49072e7fb92671a2bc1f0273d066a0b32b9
SHA256 hash: 74c868e9e721cd00dd2ef0c99dfc83de5e870015f937874c40fb6a6e0688f737
MD5 hash: 89df85ad24244ee7b1962cb126748c2d
SHA1 hash: 951a17817a3f1dc5e018eac44f6b50f86ccd7353
Please note that we are no longer able to provide a coverage score for VirusTotal.
