MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80d4bc601ab1473cb21fc90f190ef7c00ffaa44705c170e6b01bac62eb7c7fd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80d4bc601ab1473cb21fc90f190ef7c00ffaa44705c170e6b01bac62eb7c7fd3
SHA3-384 hash: 0d3ac39a82e8d84cfcda1f9cf60aac012f08785170ff8f88b645e5c3f1205f5bf1bf32dc3553681834bef8c1a33087a8
SHA1 hash: aa4019cce7a789c6f43e5066c692be649bd0f5e4
MD5 hash: 650d8be4ba7b94975bee396121627b92
humanhash: hamper-football-fillet-hot
File name:650d8be4ba7b94975bee396121627b92.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:2'287'836 bytes
First seen:2021-03-26 15:10:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 49152:YC0O1q+DgvJVAxTPnTmpoRMJtMVfH0eXoKrp2VOVPC4l5VxK:b0mq+8zcnapGMJyfUeXo3qb3K
Threatray 90 similar samples on MalwareBazaar
TLSH 54B5338A9DBEF51ACC4682B6DAF5C49700AE3C20B850DC6BD7315ECFBD225425825F63
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127041/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/535aedb6-d13d-4be2-baea-232e9ffe6289
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/655160
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious Svchost Process
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 376508 Sample: JspemsXAtV.exe Startdate: 26/03/2021 Architecture: WINDOWS Score: 100 93 Multi AV Scanner detection for dropped file 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 Detected unpacking (changes PE section rights) 2->97 99 7 other signatures 2->99 11 JspemsXAtV.exe 20 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 73 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->73 dropped 75 C:\Users\user\AppData\Local\Temp\...\6.exe, PE32 11->75 dropped 77 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->77 dropped 79 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->79 dropped 18 vpn.exe 7 11->18         started        20 6.exe 7 11->20         started        22 4.exe 4 11->22         started        process5 file6 25 cmd.exe 1 18->25         started        28 svchost.exe 18->28         started        30 cmd.exe 1 20->30         started        32 svchost.exe 20->32         started        71 C:\Users\user\AppData\...\SmartClock.exe, PE32 22->71 dropped 34 SmartClock.exe 22->34         started        process7 signatures8 109 Submitted sample is a known malware sample 25->109 111 Obfuscated command line found 25->111 113 Uses ping.exe to sleep 25->113 115 Uses ping.exe to check the status of other devices and networks 25->115 36 cmd.exe 3 25->36         started        39 conhost.exe 25->39         started        41 cmd.exe 3 30->41         started        43 conhost.exe 30->43         started        process9 signatures10 105 Obfuscated command line found 36->105 107 Uses ping.exe to sleep 36->107 45 Far.exe.com 36->45         started        48 PING.EXE 1 36->48         started        51 findstr.exe 1 36->51         started        54 Violenza.exe.com 41->54         started        56 PING.EXE 41->56         started        58 findstr.exe 1 41->58         started        process11 dnsIp12 117 May check the online IP address of the machine 45->117 60 Far.exe.com 45->60         started        81 127.0.0.1 unknown unknown 48->81 69 C:\Users\user\AppData\Roaming\...\Far.exe.com, Targa 51->69 dropped 63 Violenza.exe.com 54->63         started        83 192.168.2.1 unknown unknown 56->83 file13 signatures14 process15 dnsIp16 87 ip-api.com 208.95.112.1, 49734, 80 TUT-ASUS United States 60->87 89 bBPDoAktvaMpCERFeCMqlmhJOgL.bBPDoAktvaMpCERFeCMqlmhJOgL 60->89 65 wscript.exe 60->65         started        91 ecNsSgYNlzlshYgUBmeER.ecNsSgYNlzlshYgUBmeER 63->91 process17 dnsIp18 85 iplogger.org 88.99.66.31, 443, 49737 HETZNER-ASDE Germany 65->85 101 System process connects to network (likely due to code injection or exploit) 65->101 103 May check the online IP address of the machine 65->103 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80d4bc601ab1473cb21fc90f190ef7c00ffaa44705c170e6b01bac62eb7c7fd3/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2021-03-26 08:57:27 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qdklyya2wfdtzmq7zehrsdxxyah7vjchaxaxbzvqdowgf234p7jq._file
Verdict:
malicious
Similar samples:
10c0f1080840ab3cf7fd69f80a6b821a6f95cb7b57a7e43dfb757e9df598c18a
CryptBot
118f24dab3dce4a5ae6e3ab078551cbc628b475abeeafa07a5972622aaa38812
CryptBot
1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f
CryptBot
7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d
CryptBot
7c902b5da243bec90b83e4d68e4e8c097d1e36e9d9508c5095023f801440d977
CryptBot
941d3312f126a5104966af87ce58d9be63bbaf63216723508d9dd2d2f241fea7
CryptBot
9cda1177646d0a69217e80541b33a93f1343a3406729fd09fb19a19808cfed4b
CryptBot
c8a30abef2939b6c3b6193feffbaf8ba4a87c79fc32e71b10b94bbdb8e1e238f
CryptBot
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
CryptBot
f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01
CryptBot
+ 80 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210326-gpfks2288s/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Unpacked files
SH256 hash:
e2c0accfcf3adc0968764e8ae54cbac01c5a4da56e30ffc1a4b37503f1267dcd
MD5 hash:
15a08f0d40ee5bd10b100c905acb24dd
SHA1 hash:
17a0edca2cceff67ee7fb823f4ebe67c5942f69d
Link:
https://www.unpac.me/results/7b6bd194-4090-4415-9a52-c53cf53bfa61/
SH256 hash:
4ff60ecf9890e16efc06db649f8d043b547a43dc368ffa46d61ebb66d24eaf6f
MD5 hash:
0d03cbd4077c45abd3cd28ae5661c368
SHA1 hash:
77796c1432df19773f2ce5ee5944412eefa01e5e
Link:
https://www.unpac.me/results/7b6bd194-4090-4415-9a52-c53cf53bfa61/
SH256 hash:
fc5ebf11d0e7b8760fe29dde60ec3321d36326332d3a8e51b8d0c5e09ab0ebaf
MD5 hash:
3116ca6a9d45c85ab808cf0283de9a80
SHA1 hash:
e316a7baa73c5557af33d6a64cc78e6a4d0015b6
Link:
https://www.unpac.me/results/7b6bd194-4090-4415-9a52-c53cf53bfa61/
SH256 hash:
a56d515897f4d9d336602a1809949629f0e79e1fa0d55154b3b1121fb6138085
MD5 hash:
b3d3f51c4249eeaa7d5245ea4f8c7460
SHA1 hash:
2a3627e3aeeab195eec76c2a65394d178c954f9f
Link:
https://www.unpac.me/results/7b6bd194-4090-4415-9a52-c53cf53bfa61/
SH256 hash:
80d4bc601ab1473cb21fc90f190ef7c00ffaa44705c170e6b01bac62eb7c7fd3
MD5 hash:
650d8be4ba7b94975bee396121627b92
SHA1 hash:
aa4019cce7a789c6f43e5066c692be649bd0f5e4
Link:
https://www.unpac.me/results/7b6bd194-4090-4415-9a52-c53cf53bfa61/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/80d4bc601ab1473cb21fc90f190ef7c00ffaa44705c170e6b01bac62eb7c7fd3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 80d4bc601ab1473cb21fc90f190ef7c00ffaa44705c170e6b01bac62eb7c7fd3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1093092/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127041/

Comments