MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77737e20aae412cf69ac696fe6b69e744dedf353202371955944819ff6029204. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77737e20aae412cf69ac696fe6b69e744dedf353202371955944819ff6029204
SHA3-384 hash: 0343794bde0a28acf032bd55d56c8946db9a08a9dd274089586dd7a519fd67fd12126e83ed9f234d7f674255aace9544
SHA1 hash: a2f5a61703b4aa1787327a3e6667dab585967080
MD5 hash: 07fb8a0df8f52cabe8a2358cd56f10cf
humanhash: sixteen-lima-uniform-idaho
File name:07fb8a0df8f52cabe8a2358cd56f10cf.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:1'876'666 bytes
First seen:2021-06-08 07:07:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 97ae071900480747f111dc72f77ef2b1 (3 x CryptBot)
ssdeep 49152:4nsDtTH8bt/Kaujw8ypjqw+jaQ9x3NOBCxNMwZs:4n8twp0ij7i99xdhDZs
Threatray 135 similar samples on MalwareBazaar
TLSH 8B9523127AE0D87BE2750731CA04BEBB5EB5F6212B6042C7D7C0294E9F36BC59B34646
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://moryce07.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://moryce07.top/index.php https://threatfox.abuse.ch/ioc/67614/

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
07fb8a0df8f52cabe8a2358cd56f10cf.exe
Verdict:
Malicious activity
Analysis date:
2021-06-08 08:20:49 UTC
Tags:
autoit stealer
Link:
https://app.any.run/tasks/30148335-56e2-478c-9ade-9ca86851f361

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165190/
Detection(s):
Win.Malware.Generic-9865508-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Deleting a recently created file
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798632
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 431032 Sample: 84rQUVDa40.exe Startdate: 08/06/2021 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 4 other signatures 2->40 9 84rQUVDa40.exe 7 2->9         started        process3 signatures4 42 Contains functionality to register a low level keyboard hook 9->42 12 cmd.exe 1 9->12         started        process5 signatures6 44 Submitted sample is a known malware sample 12->44 46 Obfuscated command line found 12->46 48 Uses ping.exe to sleep 12->48 50 Uses ping.exe to check the status of other devices and networks 12->50 15 cmd.exe 3 12->15         started        18 conhost.exe 12->18         started        process7 signatures8 52 Obfuscated command line found 15->52 54 Uses ping.exe to sleep 15->54 20 PING.EXE 1 15->20         started        23 Poggiata.exe.com 15->23         started        25 findstr.exe 1 15->25         started        process9 dnsIp10 30 127.0.0.1 unknown unknown 20->30 27 Poggiata.exe.com 23->27         started        process11 dnsIp12 32 BcigALUiMmOLLITQARKVFvznGPVu.BcigALUiMmOLLITQARKVFvznGPVu 27->32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77737e20aae412cf69ac696fe6b69e744dedf353202371955944819ff6029204/
Threat name:
Win32.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2021-05-30 20:10:55 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o5zx4ifk4qjm62nmnfx6nnu6org6342tearxdfkzisaz75qcsica._file
Verdict:
malicious
Similar samples:
02a87432aa8362fae07a1f6f53e01635c45dce79453e057a899bcf1588b40763
CryptBot
04c7a8fc8e75fa2a6f788b3c92cd46d6d99a517add2f875d9fdf8b4377d54acf
CryptBot
056cc0e43fd5b75d6aaa8ab8651394428b1751c538b92aaa088ee3ff79efc20f
CryptBot
1a1473655a8c5bd91dd85a303d458cae759a73b50dbc635a0f3da25dfbd17297
CryptBot
7893541b010d78ca63a1f443f01f7f4100f1782eabfa486d53191d53646dd150
CryptBot
834ccdd87931ab88f011372377befbafda51abccff557c7dd3e01682580716fb
CryptBot
8f3d3f32d4bda55c2fbac65a2c8f944e5837b1e74b0d45082a5fddca888223b4
CryptBot
957860a901820c6cd66f49700a18a4fc3243104f8147805d1bbec9ec651f009b
CryptBot
e5dae08e748e408a4a256bd0c5d216281596a20399ea0127ac35b1661248b3ea
CryptBot
f2a7cc00ce9933490e51df2d5df9e7b0b2165c73297a9fa8a99fbf51b85926b8
CryptBot
+ 125 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/210608-4yytthaezx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
CryptBot
Unpacked files
SH256 hash:
df7b1204f463198917320e3cf9d0766be4b3b0feb0e6440e4bda2d0b0f291597
MD5 hash:
cbd041ed77d9ee5418460a0e635d308e
SHA1 hash:
13d669760f627f2e921f7b0c97390c41d75854be
Link:
https://www.unpac.me/results/6ff2ba99-e534-436a-a6f7-0b38e12b7689/
SH256 hash:
77737e20aae412cf69ac696fe6b69e744dedf353202371955944819ff6029204
MD5 hash:
07fb8a0df8f52cabe8a2358cd56f10cf
SHA1 hash:
a2f5a61703b4aa1787327a3e6667dab585967080
Link:
https://www.unpac.me/results/6ff2ba99-e534-436a-a6f7-0b38e12b7689/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77737e20aae412cf69ac696fe6b69e744dedf353202371955944819ff6029204

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165190/

Comments