MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 819f04aad6e5928860bc28b2c02bd3661d8a5e91baa2b37dc069e90d9da9ecaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot
Vendor detections: 8


SHA256 hash: 819f04aad6e5928860bc28b2c02bd3661d8a5e91baa2b37dc069e90d9da9ecaa
SHA3-384 hash: 99ca37971f5b3a90bc886729430337b92b8f6256c8d981ca9618b3e161de06268085dea6a1465224f624615b6d84fa68
SHA1 hash: 19059dc24f2fe1241f8f0d26f5350ac2fafe404b
MD5 hash: 3717c11773a246152805edc12e5d769f
humanhash: network-blue-missouri-enemy
File name: SecuriteInfo.com.Trojan.Win32.Save.a.24649.32545
Signature: CryptBot
File size: 724'992 bytes
First seen: 2021-07-21 14:06:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 90448e8f7733b3c6bdf5b48508246f5a (2 x RaccoonStealer, 1 x CryptBot)
ssdeep: 12288:pzxC6fI+DC8aMEJ+3UuEyk3TN5qyud+77n7KHXtc6vy1SyTlLhm2ld:dxtC5wUuExx3KHaQycyZLz
Threatray: 438 similar samples on MalwareBazaar
TLSH: T1BEF412517AD2D836D162093280E7838567BFBC63AE7C9613269077CF5E702D2936DB83
dhash icon: 48b9b2b0e8c18c90 (18 x RaccoonStealer, 5 x Smoke Loader, 3 x Glupteba)
Reporter: SecuriteInfoCom
Tags: CryptBot exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 126
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Trojan.Win32.Save.a.24649.32545
Verdict: Malicious activity
Analysis date: 2021-07-21 14:58:50 UTC
Tags: trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Clipboard Hijacker
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures:
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph ID: 451949
Sample: SecuriteInfo.com.Trojan.Win...
Start date: 21/07/2021
Architecture: WINDOWS
Score: 100

Root (node 2)
  DNS/IP: ip-api.com
  Signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 8 other signatures
  Started: SecuriteInfo.com.Trojan.Win32.Save.a.24649.exe (node 12); SmartClock.exe (node 17); SmartClock.exe (node 19)

SecuriteInfo.com.Trojan.Win32.Save.a.24649.exe (node 12)
  DNS/IP: morers03.top 193.203.203.7, ports 49745, 80, SEAP-AGEES, Russian Federation; smadxh32.top 185.239.50.95, ports 49744, 80, MGNHOST-ASRU, Russian Federation; gurswj04.top 147.182.131.97, ports 49739, 49741, 80, BV-PUBLIC-ASNUS, United States
  Dropped: C:\Users\user\AppData\...\gYwQMCTyCeGKch.exe (PE32); C:\Users\user\AppData\Local\...\lv[1].exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal ftp login credentials; 2 other signatures
  Started: gYwQMCTyCeGKch.exe (node 21)

gYwQMCTyCeGKch.exe (node 21)
  Dropped: C:\Users\user\AppData\Local\Temp\...\vpn.exe (PE32); C:\Users\user\AppData\Local\Temp\...\4.exe (PE32); C:\Users\user\AppData\Local\Temp\...\UAC.dll (PE32); 3 other files (none is malicious)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: vpn.exe (node 25); 4.exe (node 27)

vpn.exe (node 25)
  Started: cmd.exe (node 30)

4.exe (node 27)
  Dropped: C:\Users\user\AppData\...\SmartClock.exe (PE32)
  Started: SmartClock.exe (node 33)

cmd.exe (node 30)
  Signatures: Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
  Started: cmd.exe (node 35); conhost.exe (node 38)

cmd.exe (node 35)
  Signatures: Obfuscated command line found; Uses ping.exe to sleep
  Started: PING.EXE (node 40); Com.exe.com (node 43); findstr.exe (node 45)

PING.EXE (node 40)
  DNS/IP: 127.0.0.1; 192.168.2.1

Com.exe.com (node 43)
  Started: Com.exe.com (node 47)

Com.exe.com (node 47)
  DNS/IP: uUJvOzqnGTqlnKoMDosoz.uUJvOzqnGTqlnKoMDosoz
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-07-21 11:36:47 UTC
AV detection: 19 of 27 (70.37%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 841ba0f35c333896f0a0cc9d4329d0f2fcead22e280189feeac4dc1c46bc6e95
MD5 hash: bcef3fc5c601ee78cab03a62544d38d1
SHA1 hash: 66da627f8a4c5d9d3fed74b38b08e055be101cab
Detections: win_blacksoul_auto win_cryptbot_auto

SHA256 hash: 819f04aad6e5928860bc28b2c02bd3661d8a5e91baa2b37dc069e90d9da9ecaa
MD5 hash: 3717c11773a246152805edc12e5d769f
SHA1 hash: 19059dc24f2fe1241f8f0d26f5350ac2fafe404b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers.

Rule name: win_blacksoul_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.blacksoul.

Rule name: win_cryptbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.cryptbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CryptBot
File type: Executable exe
SHA256 hash: 819f04aad6e5928860bc28b2c02bd3661d8a5e91baa2b37dc069e90d9da9ecaa (this sample)

Delivery method: Distributed via web download
