MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cd14dd834ca1aab6cb21eee48c07c13ae10a9c62d6122aa690ae2ec9809ad80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot

Vendor detections: 11

SHA256 hash: 7cd14dd834ca1aab6cb21eee48c07c13ae10a9c62d6122aa690ae2ec9809ad80
SHA3-384 hash: 2c4bb3e740d1fcbb7b09775903ecf9c6b32c7ef1be72176ac6c2502d0e35e24102798938f21a039afd1cdea5127a68f4
SHA1 hash: 65e2c615e1827d858bd26ede2e935c702dd175bc
MD5 hash: 064e16460849b3fc974add9edf795b07
humanhash: lemon-sixteen-beryllium-speaker
File name: 064e16460849b3fc974add9edf795b07.exe
Signature: CryptBot
File size: 702'976 bytes
First seen: 2021-07-30 06:12:55 UTC
Last seen: 2021-07-30 06:44:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 235826e6e2580e249ef35ac90f832f1b (shared with 1 x DanaBot, 1 x CryptBot, 1 x GCleaner)
ssdeep: 12288:SLMjl/Slxd3aQ/0pMkpqLVubFTTH2Sj+L+46YDXgeX8nmUsLsfiTwrcfPohlNT:9jlagGkpqJupTj26+646F4CmdLCowYoF
Threatray: 396 similar samples on MalwareBazaar
TLSH: T1A4E4E130BAA0C039E4B756F846BA937CA52C7EA1A72451CB63D536EE17342E5DC30B47
dhash icon: ead8a89cc6e68ea0 (shared with 25 x RaccoonStealer, 8 x DanaBot, 8 x RedLineStealer)
Reporter: abuse_ch
Tags: CryptBot, exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 585
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 064e16460849b3fc974add9edf795b07.exe
Verdict: Malicious activity
Analysis date: 2021-07-30 06:13:27 UTC
Tags: trojan stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Clipboard Hijacker, Cryptbot, Glupteba
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Delayed program exit found
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected Glupteba
Behaviour

Behavior Graph (ID 456745; sample WXX82l5ppp.exe; start date 30/07/2021; architecture WINDOWS; score 100), rendered here as a process tree with the dropped files, network contacts and signatures the graph attached to each node:

Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 11 other signatures.
Processes started directly during the run: WXX82l5ppp.exe, SmartClock.exe (twice) and rundll32.exe.

WXX82l5ppp.exe
    network: winorm07.top (173.230.139.203; ports 49741, 49742, 80; LINODE-AP Linode LLC, United States); morexn05.top (195.123.221.11; ports 49740, 80; ITLDC-NL, Bulgaria); ewaaut52.top (195.58.39.241; ports 49738, 80; FLEX-AS, Russian Federation)
    dropped: C:\Users\user\AppData\Local\Temp\Filett.exe (PE32); C:\Users\user\AppData\Local\...\lv[1].exe (PE32)
    signatures: Detected unpacking (overwrites its own PE header); Tries to harvest and steal browser information (history, passwords, etc)
    +-- Filett.exe
    |     dropped: C:\Users\user\AppData\Local\Temp\...\vpn.exe (PE32); C:\Users\user\AppData\Local\Temp\...\4.exe (PE32); C:\Users\user\AppData\Local\Temp\...\UAC.dll (PE32); 3 other files (none is malicious)
    |     signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    |     +-- vpn.exe
    |     |     +-- cmd.exe
    |     |     |     +-- cmd.exe
    |     |     |     |     signatures: Obfuscated command line found; Uses ping.exe to sleep
    |     |     |     |     +-- Arteria.exe.com
    |     |     |     |     |     signatures: May check the online IP address of the machine
    |     |     |     |     |     +-- Arteria.exe.com
    |     |     |     |     |           network: ip-api.com (208.95.112.1; ports 49749, 80; TUT-AS, United States; flagged "May check the online IP address of the machine"); DNS lookup for GgdtfkaEHdAzKOSzI.GgdtfkaEHdAzKOSzI
    |     |     |     |     |           dropped: C:\Users\user\AppData\...\txxlocbtnt.vbs (ASCII)
    |     |     |     |     |           +-- wscript.exe
    |     |     |     |     |                 network: iplogger.org (88.99.66.31; ports 443, 49750; HETZNER-AS, Germany)
    |     |     |     |     |                 signatures: System process connects to network (likely due to code injection or exploit); May check the online IP address of the machine
    |     |     |     |     +-- findstr.exe
    |     |     |     |     |     dropped: C:\Users\user\AppData\...\Arteria.exe.com (Targa)
    |     |     |     |     +-- PING.EXE
    |     |     |     +-- conhost.exe
    |     |     +-- cmd.exe
    |     |           +-- conhost.exe
    |     +-- 4.exe
    |           network: 192.168.2.1
    |           dropped: C:\Users\user\AppData\...\SmartClock.exe (PE32)
    |           +-- SmartClock.exe
    +-- cmd.exe
          signatures: Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
          +-- conhost.exe
          +-- timeout.exe
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-07-30 06:13:10 UTC
AV detection: 17 of 46 (36.96%)
Threat level: 5/5
Result
Malware family: danabot
Score: 10/10
Tags: family:cryptbot family:danabot botnet:4 banker discovery persistence spyware stealer suricata trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Danabot
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
ewaaut52.top
morexn05.top
142.11.244.124:443
142.11.206.50:443
Unpacked files

SHA256 hash: 0c4bc606f1b25f564f152c4315376f28cfadcaceffa5d38ea1493877091d1f4b
MD5 hash: 76883bad2c3fae47f96d9e30eb1de8b6
SHA1 hash: 6f49f829070788dffacc3c6813c72cec4fb7a180
Detections: win_cryptbot_auto

SHA256 hash: 7cd14dd834ca1aab6cb21eee48c07c13ae10a9c62d6122aa690ae2ec9809ad80
MD5 hash: 064e16460849b3fc974add9edf795b07
SHA1 hash: 65e2c615e1827d858bd26ede2e935c702dd175bc
Please note that we are no longer able to provide a coverage score for Virus Total.
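The sandbox signatures in the two reports above (ping.exe and timeout.exe used as a sleep, an obfuscated cmd.exe chain that rebuilds a payload through findstr.exe, WScript executing a dropped .vbs from the user profile, contacts to the C2 domains and IP:port pairs in the C2 extraction, and the ip-api.com / iplogger.org lookups) translate directly into host and network detections. The following is an added example by the editor, not MalwareBazaar's or any sandbox vendor's code: the IOC sets are copied from this entry, the event records are constructed to mirror the reported chain (the command lines, the findstr input name and the exact .vbs directory are assumptions, since the report elides them), and the field names follow a generic Sysmon-style process-creation and network event.

```python
"""Host and network detections modelled on the sandbox signatures in this entry.

Added example by the editor, not MalwareBazaar's or any sandbox vendor's code.
The IOC sets are copied from this entry; the events at the bottom are
constructed to mirror the reported process chain and are not captured logs.
"""
import re

# IOCs from this entry: the C2 extraction plus the DNS/IP column of the graph.
C2_DOMAINS = {"ewaaut52.top", "morexn05.top", "winorm07.top"}
C2_SOCKETS = {("142.11.244.124", 443), ("142.11.206.50", 443)}
# Public services the chain used for an external IP check and a beacon; these
# are legitimate hosts, so they are reported separately from the C2 matches.
IP_LOOKUP_HOSTS = {"ip-api.com", "iplogger.org"}

PING_ARGS = re.compile(r"\bping(?:\.exe)?\b([^&|>]*)", re.I)   # one ping invocation and its arguments
LOOPBACK = re.compile(r"\b(?:127\.0\.0\.1|localhost)\b", re.I)
PING_COUNT = re.compile(r"-n\s+(\d+)", re.I)
TIMEOUT = re.compile(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?\d+", re.I)
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|wsh|hta)\b", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\Temp\\|\\ProgramData\\", re.I)
FINDSTR_DROP = re.compile(r"\bfindstr(?:\.exe)?\b[^&|]*\s/v\b[^&|]*>\s*\S+", re.I)  # findstr /V ... > file


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Detection names that fire on one process-creation event."""
    hits = []
    img, cmd = image_name(ev["image"]), ev.get("cmdline", "")
    if img in ("cmd.exe", "ping.exe"):
        for m in PING_ARGS.finditer(cmd):
            count = PING_COUNT.search(m.group(1))
            # Pinging loopback more than once has no purpose except to wait.
            if LOOPBACK.search(m.group(1)) and count and int(count.group(1)) > 1:
                hits.append("ping_used_as_sleep")
                break
    if img in ("cmd.exe", "timeout.exe") and TIMEOUT.search(cmd):
        hits.append("timeout_used_as_sleep")
    if img in ("wscript.exe", "cscript.exe") and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("script_executed_from_user_writable_dir")  # cf. the Sigma titles above
    if img in ("cmd.exe", "findstr.exe") and FINDSTR_DROP.search(cmd):
        hits.append("findstr_used_to_rebuild_payload")
    return hits


def check_network(ev):
    """Detection names that fire on one DNS/connection event."""
    hits = []
    host = ev.get("host", "").lower()
    if host in C2_DOMAINS or (ev.get("dst_ip"), ev.get("dst_port")) in C2_SOCKETS:
        hits.append("known_cryptbot_c2")
    if host in IP_LOOKUP_HOSTS:
        hits.append("external_ip_lookup")
    return hits


def run(events):
    """(pid, detection) pairs for a list of process and network events."""
    findings = []
    for ev in events:
        check = check_process if ev["type"] == "process" else check_network
        findings.extend((ev["pid"], name) for name in check(ev))
    return findings


# Constructed events modelled on the graph above (pids follow the graph's node
# numbers; the command lines, the findstr input name "Data.exe.com" and the
# .vbs directory are assumptions, not values recovered from the sample).
TEMP = r"C:\Users\user\AppData\Local\Temp"
EVENTS = [
    {"type": "network", "pid": 12, "host": "winorm07.top", "dst_ip": "173.230.139.203", "dst_port": 80},
    {"type": "process", "pid": 27, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c timeout /t 3 & ping 127.0.0.1 -n 30 > nul & del "%s\\Filett.exe"' % TEMP},
    {"type": "process", "pid": 45, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c findstr /V /R "^xxxx$" Data.exe.com > Arteria.exe.com & ping 127.0.0.1 -n 5 & Arteria.exe.com'},
    {"type": "process", "pid": 64, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'wscript.exe "%s\\txxlocbtnt.vbs"' % TEMP},
    {"type": "network", "pid": 64, "host": "iplogger.org", "dst_ip": "88.99.66.31", "dst_port": 443},
    # Two benign look-alikes that must not fire.
    {"type": "process", "pid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c ping 8.8.8.8 -n 4"},
    {"type": "process", "pid": 901, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\setup.vbs"'},
]

if __name__ == "__main__":
    for pid, name in run(EVENTS):
        print(pid, name)
```

The loopback-ping check deliberately requires a count above one, so a single diagnostic ping does not fire, and the script-path check requires both a script extension and a user-writable directory, which keeps installer scripts under Program Files quiet. The ip-api.com and iplogger.org hits are reported under their own name because those hosts are legitimate services; on their own they are a weak signal and are useful mainly as corroboration next to a C2 match or a ping-sleep in the same process tree.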

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: MALWARE_Win_CryptBot
Author: ditekSHen
Description: CryptBot/Fugrafa stealer payload

Rule name: win_cryptbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.cryptbot.
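The rules above are listed by name and description only. As an added example by the editor (not the ditekSHen or yara-signator rules, whose string sets are not reproduced on this page), the following shows the kind of check the three INDICATOR_SUSPICIOUS_EXE descriptions refer to: count references to wallet artefacts, browser credential stores and credential-store SQL queries, in both ASCII and UTF-16LE form (what YARA's ascii wide modifiers match), and fire only on a PE file that crosses a per-category threshold. The indicator strings and thresholds are an illustrative set chosen by the editor, and the buffer at the end is constructed rather than taken from the sample.

```python
"""Static string-reference checks in the spirit of the YARA rules listed above.

Added example by the editor, not the ditekSHen or yara-signator rules: the
indicator strings and thresholds are an illustrative set, and the buffer built
by constructed_sample() is synthetic, not bytes from the sample on this page.
"""

# Wallet file / application names commonly referenced by stealers.
WALLET_REFS = ["wallet.dat", "Electrum", "Exodus", "Ethereum", "Jaxx", "MultiBit", "Monero", "Bitcoin"]
# Chromium and Firefox credential/cookie stores.
DATA_STORES = ["Login Data", "Web Data", "Cookies", "logins.json", "key4.db", "cert9.db", "signons.sqlite"]
# Queries a stealer runs against those stores once it has copied them.
SQL_QUERIES = [
    "SELECT origin_url, username_value, password_value FROM logins",
    "SELECT host_key, name, encrypted_value FROM cookies",
    "SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards",
    "SELECT encryptedUsername, encryptedPassword, hostname FROM moz_logins",
]
# Minimum references per category before that category is reported.
THRESHOLDS = {"wallets": 4, "stores": 3, "sql": 1}


def references(buf, needles):
    """Needles present in buf as ASCII or as UTF-16LE (YARA: ascii wide)."""
    return [s for s in needles if s.encode("ascii") in buf or s.encode("utf-16-le") in buf]


def scan(buf):
    """Count indicator strings by category; verdicts require a PE header."""
    result = {"is_pe": buf[:2] == b"MZ"}
    result["wallets"] = references(buf, WALLET_REFS)
    result["stores"] = references(buf, DATA_STORES)
    result["sql"] = references(buf, SQL_QUERIES)
    result["verdicts"] = [
        cat for cat, minimum in THRESHOLDS.items() if result["is_pe"] and len(result[cat]) >= minimum
    ]
    return result


def constructed_sample():
    """Synthetic buffer: an MZ header, some ASCII strings, some UTF-16LE strings."""
    body = b"\x00" * 64
    for s in ["wallet.dat", "Electrum", "Exodus", "Login Data"]:
        body += s.encode("ascii") + b"\x00"
    for s in ["Monero", "logins.json", "key4.db", SQL_QUERIES[0]]:
        body += s.encode("utf-16-le") + b"\x00\x00"
    return b"MZ" + body


if __name__ == "__main__":
    report = scan(constructed_sample())
    print(report["verdicts"], len(report["wallets"]), len(report["stores"]), len(report["sql"]))
```

The thresholds are what keep such rules useful: a single wallet name or a stray "Cookies" string appears in plenty of legitimate software, while a binary that references four wallets, three browser stores and a login-table query together is almost always an information stealer, which is why the sandbox reports above list "Found many strings related to Crypto-Wallets" as a signature rather than any one string.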

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: CryptBot
File: Executable exe, SHA256 7cd14dd834ca1aab6cb21eee48c07c13ae10a9c62d6122aa690ae2ec9809ad80 (this sample)
