MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ebd75f04be7424a2c2faa8be74538af662198fcd6c88bbeb4c99df4991ac06d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	7ebd75f04be7424a2c2faa8be74538af662198fcd6c88bbeb4c99df4991ac06d
SHA3-384 hash:	0466dcc4908f1591aed0b06634609f8ad91cb26715fd522e7cb96b5e165e0d05321ae91c4d92cd60fa53158adc83ac94
SHA1 hash:	496a40eb59fed8322803c276fbd3cd1624f15e24
MD5 hash:	975feaa8efd0fd8c5710652abc197e2c
humanhash:	twelve-blossom-arizona-edward
File name:	975feaa8efd0fd8c5710652abc197e2c.exe
Download:	download sample
Signature	CryptBot Create hunting rule
File size:	2'750'464 bytes
First seen:	2022-01-05 08:18:22 UTC
Last seen:	2022-01-05 10:11:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	076fd3bc44050b5480459bd4d8e1a2d8 (16 x CryptBot, 1 x DanaBot)
ssdeep	49152:urK+oTNwLB7RXhdrscmfrWbm9n9aK40r2Euen1tE6wo1e38Z++0:eK+QNwLB7RX7r+frx40CenU6Ne3
Threatray	8'559 similar samples on MalwareBazaar
TLSH	T17CD5336647F186F0E9A4C838D681B62962F2AD309A74E370672B9FC549CDD9C970FF40
Reporter	abuse_ch
Tags:	CryptBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

248

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

975feaa8efd0fd8c5710652abc197e2c.exe

Verdict:

Malicious activity

Analysis date:

2022-01-05 08:36:17 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/ce94b139-f2e5-4c0e-a26f-db0273e39fb3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CryptBot

Link:

https://www.capesandbox.com/analysis/217393/

Detection(s):

SecuriteInfo.com.Variant.Zusy.398819.11988.3942.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Creating a file in the %temp% subdirectories

Creating a window

DNS request

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

cryptbot greyware packed virus zusy

Link:

https://www.filescan.io/uploads/61d5547a92bdc4b4077fedad/reports/888fd7d3-53a8-4d60-ad1b-667d733b7b74/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6f683747-bfa7-43b8-90d2-46655cc500f3

Result

Threat name:

Cryptbot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/915707

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Cryptbot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7ebd75f04be7424a2c2faa8be74538af662198fcd6c88bbeb4c99df4991ac06d/

Threat name:

Win32.Packed.Themida

Status:

Malicious

First seen:

2022-01-05 06:06:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 27 (88.89%)

Threat level:

1/5

Verdict:

malicious

CryptBot

2ff10148112933987a694ab813725a70ab580d7288acf3f58e4ce70ebaf5cc91

CryptBot

36499f5c573a8752c3b566b19e52f3a235e73e4cdb7123f3452a007c945f7daf

CryptBot

4f4a33f70099855f5f503716515f388da3a5daa1e2fac59ec6c881e89ef7d072

CryptBot

55560b608e7a7515329d395c72dc9cebc5cdd7b4c0f153d6e02eb74c2a609feb

CryptBot

5d7bc178cb3eafae7b2c99b2cfd2ceec87119cf2403f86af87435d4479f36724

CryptBot

654574c360fcb5a7eb4f693d99d5f0c4e32f96b219a7327d41b39d7d5acde953

CryptBot

b17768009cf2fed4bb244460953841a35578dea7019c9c6b30b1208a0a87a065

CryptBot

c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43

CryptBot

+ 8'549 additional samples on MalwareBazaar

Result

Malware family:

cryptbot

Score:

10/10

Tags:

family:cryptbot discovery evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/220105-j7vrxsaden/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Deletes itself

Reads user/profile data of web browsers

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

CryptBot

Malware Config

C2 Extraction:

zyobyd22.top
moreja02.top

Unpacked files

SH256 hash:

31f84dded984f110d9a80fd4dc04d130f6ea17a69b457adf2fdad1ae3aab853f

MD5 hash:

922836f20f3667903c1a58376310c946

SHA1 hash:

c5f59f1bb9a3b8c966f1bec044f9b6bf3ae3e837

Link:

https://www.unpac.me/results/5acfe81a-69f5-48a2-b342-650d4dd4618a/

SH256 hash:

7ebd75f04be7424a2c2faa8be74538af662198fcd6c88bbeb4c99df4991ac06d

MD5 hash:

975feaa8efd0fd8c5710652abc197e2c

SHA1 hash:

496a40eb59fed8322803c276fbd3cd1624f15e24

Link:

https://www.unpac.me/results/5acfe81a-69f5-48a2-b342-650d4dd4618a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.60

Link:

https://yomi.yoroi.company/submissions/7ebd75f04be7424a2c2faa8be74538af662198fcd6c88bbeb4c99df4991ac06d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	MALWARE_Win_CryptBot Create hunting rule
Author:	ditekSHen
Description:	CryptBot/Fugrafa stealer payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/217393/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample