MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c3f72dbd4c85062fd53b2f29ec9f9e3d2cd901d12e9229f16b3b36dd171bf8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c3f72dbd4c85062fd53b2f29ec9f9e3d2cd901d12e9229f16b3b36dd171bf8a
SHA3-384 hash: 1ee9c58456d6003e250de415ffcc451a24b0cbd0389c7995138e4707c94b0041fdc814cb229589512860008dc8b346ea
SHA1 hash: ae3b9b9ee4426efb5800e9f938280540848c22e5
MD5 hash: 69030f2149775b44d0983af753cbd92f
humanhash: shade-oklahoma-steak-video
File name:69030f2149775b44d0983af753cbd92f.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:1'656'801 bytes
First seen:2022-11-22 22:50:21 UTC
Last seen:2022-11-23 00:55:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 945833a1711ed7678a5c6544cb16c46f (1 x CryptBot)
ssdeep 24576:IbIWJ5hVYd/TbPlnSQHQj0zsiH8BnXOkSstg1/R3270ZSq:INJ5hVYd/TbPln9HQjbnXOjdrSq
TLSH T12C753CE1B509F6EFD1AE1B79B62BCD71E45D0BF542240C029A6E78BEFF62C811146C24
TrID 31.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.4% (.SCR) Windows screen saver (13097/50/3)
10.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon b28cf8e0e88dac92 (4 x GCleaner, 1 x CryptBot)
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://kudwum22.top/gate.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
334
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
69030f2149775b44d0983af753cbd92f.exe
Verdict:
Malicious activity
Analysis date:
2022-11-22 22:51:16 UTC
Tags:
opendir loader trojan stealer cryptbot
Link:
https://app.any.run/tasks/bca08759-ad00-447b-a589-c16d0dcb385c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/337374/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.33574.9355.20843.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending an HTTP GET request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a tool to kill processes
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger packed zusy
Link:
https://www.filescan.io/uploads/637d52575be128ac718e6675/reports/17353cb5-8c88-40b6-bcab-2964ef2276c5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GCleaner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b89747e3-f0a5-4ebd-b4cc-34e9d1c73f68
Result
Threat name:
CryptbotV2, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1119306
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected CryptbotV2
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 752023 Sample: R7LqyhsDqP.exe Startdate: 22/11/2022 Architecture: WINDOWS Score: 100 122 Multi AV Scanner detection for domain / URL 2->122 124 Antivirus detection for URL or domain 2->124 126 Multi AV Scanner detection for dropped file 2->126 128 12 other signatures 2->128 9 R7LqyhsDqP.exe 32 2->9         started        13 rundll32.exe 2->13         started        process3 dnsIp4 86 85.208.136.148, 49695, 80 CMCSUS Germany 9->86 88 85.208.136.48, 49700, 80 CMCSUS Germany 9->88 90 2 other IPs or domains 9->90 76 C:\Users\user\AppData\Roaming\...\wASBIM2.exe, PE32 9->76 dropped 78 C:\Users\user\AppData\...\LqM5tQlGG.exe, PE32 9->78 dropped 80 C:\Users\user\AppData\...\uIUG0J9F.exe, PE32+ 9->80 dropped 82 7 other malicious files 9->82 dropped 15 LqM5tQlGG.exe 73 9->15         started        20 uIUG0J9F.exe 1 9->20         started        22 cmd.exe 1 9->22         started        24 2 other processes 9->24 file5 process6 dnsIp7 98 kudwum22.top 34.125.72.65 GOOGLEUS United States 15->98 100 tamori02.top 84.21.172.160 COMBAHTONcombahtonGmbHDE Germany 15->100 70 C:\Users\user\AppData\Roaming\...\geneat.exe, PE32 15->70 dropped 110 Multi AV Scanner detection for dropped file 15->110 112 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->112 114 Query firmware table information (likely to detect VMs) 15->114 120 3 other signatures 15->120 26 cmd.exe 15->26         started        28 cmd.exe 15->28         started        116 Writes to foreign memory regions 20->116 118 Injects a PE file into a foreign processes 20->118 30 InstallUtil.exe 20->30         started        45 2 other processes 20->45 34 Cleaner.exe 17 2 22->34         started        36 conhost.exe 22->36         started        72 C:\Users\user\AppData\...\edsbkvmipd.dat, PE32+ 24->72 dropped 38 cmd.exe 2 24->38         started        41 conhost.exe 24->41         started        43 taskkill.exe 24->43         started        file8 signatures9 process10 dnsIp11 47 geneat.exe 26->47         started        51 conhost.exe 26->51         started        53 conhost.exe 28->53         started        55 timeout.exe 28->55         started        92 t.me 149.154.167.99 TELEGRAMRU United Kingdom 30->92 94 116.202.5.101 HETZNER-ASDE Germany 30->94 130 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->130 132 Tries to harvest and steal browser information (history, passwords, etc) 30->132 134 Tries to steal Crypto Currency Wallets 30->134 57 cmd.exe 30->57         started        96 iplogger.org 148.251.234.83 HETZNER-ASDE Germany 34->96 136 Multi AV Scanner detection for dropped file 34->136 138 May check the online IP address of the machine 34->138 74 C:\Users\user\AppData\Local\...\conhost.exe, PE32 38->74 dropped 59 conhost.exe 1 38->59         started        61 conhost.exe 38->61         started        file12 signatures13 process14 file15 84 C:\Users\user\AppData\...\DpEditor.exe, PE32 47->84 dropped 102 Multi AV Scanner detection for dropped file 47->102 104 Query firmware table information (likely to detect VMs) 47->104 106 Hides threads from debuggers 47->106 108 Tries to detect sandboxes / dynamic malware analysis system (registry check) 47->108 63 DpEditor.exe 47->63         started        66 conhost.exe 57->66         started        68 timeout.exe 57->68         started        signatures16 process17 signatures18 140 Query firmware table information (likely to detect VMs) 63->140 142 Hides threads from debuggers 63->142 144 Tries to detect sandboxes / dynamic malware analysis system (registry check) 63->144
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c3f72dbd4c85062fd53b2f29ec9f9e3d2cd901d12e9229f16b3b36dd171bf8a/
Threat name:
Win32.Infostealer.Tepfer
Create hunting rule
Status:
Malicious
First seen:
2022-11-19 00:43:53 UTC
File Type:
PE (Exe)
Extracted files:
91
AV detection:
26 of 40 (65.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pq7xfw6uzbigf7ktwlzj5spz4pjm3ea5clusfhywwozw3ulrx6fa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221122-2ssywsbg57/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Unpacked files
SH256 hash:
a94475cedf46b3ce75d625b251f24c1dbe01faa43591921ac1ccd7ae73567d62
MD5 hash:
ecfd934b3551675a80c320a03be61b91
SHA1 hash:
7afe7a29829d1d6e3fd699dd13c477554dbe0ee8
Detections:
win_nymaim_g0
Create hunting rule
Nymaim
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/c1094327-0262-425e-b3ae-81c7747dd5c8/
Parent samples :
7c3f72dbd4c85062fd53b2f29ec9f9e3d2cd901d12e9229f16b3b36dd171bf8a
a0ee5991a87a49c2a3d877f34ae33b27a95c88c1e95eb13f0cc1658adc815b6a
SH256 hash:
7c3f72dbd4c85062fd53b2f29ec9f9e3d2cd901d12e9229f16b3b36dd171bf8a
MD5 hash:
69030f2149775b44d0983af753cbd92f
SHA1 hash:
ae3b9b9ee4426efb5800e9f938280540848c22e5
Link:
https://www.unpac.me/results/c1094327-0262-425e-b3ae-81c7747dd5c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c3f72dbd4c85062fd53b2f29ec9f9e3d2cd901d12e9229f16b3b36dd171bf8a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/337374/

Comments