MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d
SHA3-384 hash: 8b93857480832935241445ca0895b83c86ed55c63377ad4b395838c5a228d8d1bfd30ea7b68045fd775e739de686bffe
SHA1 hash: a08909295bcf9d98edc709c5b7e3101b4c1630db
MD5 hash: abc000444d75760551c14e3d04473a39
humanhash: maine-mississippi-single-floor
File name:abc000444d75760551c14e3d04473a39.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:2'559'872 bytes
First seen:2021-03-19 15:14:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 49152:R1utX+L8/5pENLsSDXlia+bQLnrZ9iEpMLQK5EN4S+osUEf:rutDpENLsSBdDDr+/L3EN4SH4f
Threatray 150 similar samples on MalwareBazaar
TLSH E2C5334EB70A815BE89008360C7B437247D6AE118C26DD57E90C7BBDB624BB7573D81B
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1fa0dc2ac5e6610b1f19c2afd119e9fe.exe
Verdict:
Malicious activity
Analysis date:
2021-03-19 14:26:21 UTC
Tags:
stealer trojan loader
Link:
https://app.any.run/tasks/f6c211bb-5e7e-46b4-a432-0e302ae83cdf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/125675/
Detection(s):
Win.Malware.Generic-9845437-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a UDP request
Launching a process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80e1e418-ae49-4c67-981f-e77efd26c904
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/646310
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 372119 Sample: dcxFq0eju6.exe Startdate: 19/03/2021 Architecture: WINDOWS Score: 100 89 Multi AV Scanner detection for submitted file 2->89 91 Detected unpacking (changes PE section rights) 2->91 93 Detected unpacking (overwrites its own PE header) 2->93 95 6 other signatures 2->95 11 dcxFq0eju6.exe 20 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 65 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->65 dropped 67 C:\Users\user\AppData\Local\Temp\...\6.exe, PE32 11->67 dropped 69 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->69 dropped 71 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->71 dropped 18 6.exe 8 11->18         started        20 vpn.exe 8 11->20         started        22 4.exe 4 11->22         started        process5 file6 25 cmd.exe 1 18->25         started        28 cmd.exe 1 20->28         started        63 C:\Users\user\AppData\...\SmartClock.exe, PE32 22->63 dropped 30 SmartClock.exe 22->30         started        process7 signatures8 97 Submitted sample is a known malware sample 25->97 99 Obfuscated command line found 25->99 101 Uses ping.exe to sleep 25->101 103 Uses ping.exe to check the status of other devices and networks 25->103 32 cmd.exe 3 25->32         started        35 conhost.exe 25->35         started        37 cmd.exe 3 28->37         started        39 conhost.exe 28->39         started        process9 signatures10 41 Accostarmi.exe.com 32->41         started        43 PING.EXE 1 32->43         started        46 findstr.exe 1 32->46         started        85 Obfuscated command line found 37->85 87 Uses ping.exe to sleep 37->87 48 Cadere.exe.com 37->48         started        50 findstr.exe 1 37->50         started        52 PING.EXE 1 37->52         started        process11 dnsIp12 54 Accostarmi.exe.com 3 41->54         started        81 127.0.0.1 unknown unknown 43->81 57 Cadere.exe.com 48->57         started        process13 dnsIp14 73 QtmMJaPrjoHf.QtmMJaPrjoHf 54->73 75 fGemUlcMhTSJ.fGemUlcMhTSJ 57->75 77 ip-api.com 208.95.112.1, 49712, 80 TUT-ASUS United States 57->77 79 192.168.2.1 unknown unknown 57->79 59 wscript.exe 57->59         started        process15 dnsIp16 83 iplogger.org 88.99.66.31, 443, 49713 HETZNER-ASDE Germany 59->83 105 System process connects to network (likely due to code injection or exploit) 59->105 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-03-19 05:38:49 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ppbxt7k7fdfaafvofaucbvix25yzzljhikrcs2gmhsotinh7i2oq._file
Verdict:
suspicious
Similar samples:
00dfe1c0275613464fac102cd1d1bf35983038db80455b92be2630fbe9cf040b
CryptBot
21c551ed1ce186d015c2fc69268f9243652c24a4fc4a37b1fecf799a3b89e063
CryptBot
5d5c572bd9c5a93783e2fbd7c551b54570ab531df2b7d1b93758453c4124db03
CryptBot
6c6ab740e7d1e69bb05349e3b27b1a52a4e0bad10ef8b019147c9d87755f95cb
CryptBot
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
CryptBot
7ca4eb9602b54dd5a1003cc83c39d0cc07aeb041cf8be6562f656675a40e4ee8
CryptBot
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
CryptBot
9234d9cc843e2d90cf272e76714371573ad4769d5e7e0de122120e45fec9cdea
CryptBot
c3b699aaaf2a476cf84ca13efd09ac86e66b501e3baaa5b0ef7cdabc47ee9ec1
CryptBot
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
CryptBot
+ 140 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210319-jt4k998a6s/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Unpacked files
SH256 hash:
e9dedcd1971ce3b2c065945e0ea110aff832d9984739fd5b554118eeb7048745
MD5 hash:
618ec06edacd2951c97be6db93713029
SHA1 hash:
26585e446358cbf58e42b07d863e95ac07f26251
Link:
https://www.unpac.me/results/c8b78cff-34f9-4b52-9baf-aadbeac39c18/
SH256 hash:
3ac37f641f2f6a3433e6f19aded8c04fe6efb166fb717e953c46c902fb0a3e23
MD5 hash:
13030840171e8830bbe3620d00678d92
SHA1 hash:
2a0575ed3fe9deb3579acac166bd464e9b72950e
Link:
https://www.unpac.me/results/c8b78cff-34f9-4b52-9baf-aadbeac39c18/
SH256 hash:
7fb105d3a92243e8b2f77873ee535e2cb3d4a78ecdf9d73257fbd8597b2c0e8c
MD5 hash:
166628759185480eb9c180db89f0272f
SHA1 hash:
c7c1ba1e9dc86e7f1d2cf2df3752a07d873ec4f4
Link:
https://www.unpac.me/results/c8b78cff-34f9-4b52-9baf-aadbeac39c18/
SH256 hash:
a56d515897f4d9d336602a1809949629f0e79e1fa0d55154b3b1121fb6138085
MD5 hash:
b3d3f51c4249eeaa7d5245ea4f8c7460
SHA1 hash:
2a3627e3aeeab195eec76c2a65394d178c954f9f
Link:
https://www.unpac.me/results/c8b78cff-34f9-4b52-9baf-aadbeac39c18/
SH256 hash:
7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d
MD5 hash:
abc000444d75760551c14e3d04473a39
SHA1 hash:
a08909295bcf9d98edc709c5b7e3101b4c1630db
Link:
https://www.unpac.me/results/c8b78cff-34f9-4b52-9baf-aadbeac39c18/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/125675/
  
URLhaus
https://urlhaus.abuse.ch/url/1077395/
  
Delivery method
Distributed via web download

Comments