MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 820194153174a679179e3649a4ebac8f39b4fefd2836d19ae1241e4e520fae26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CryptBot


Vendor detections: 11



SHA256 hash: 820194153174a679179e3649a4ebac8f39b4fefd2836d19ae1241e4e520fae26
SHA3-384 hash: de5fe3ab5efc4af5e6a425298900db98e72ada1d3d2d7a86cedc44df7f287bd19946296b04c493ea8c6f057cb001e88f
SHA1 hash: 6167fdf3cd9a585a44f24eb15d414281edad2485
MD5 hash: 663fdf847d6b11308415ff86ebffc275
humanhash: neptune-nevada-tennessee-equal
File name: 663fdf847d6b11308415ff86ebffc275.exe
Signature: CryptBot
File size: 375'296 bytes
First seen: 2021-06-27 17:35:40 UTC
Last seen: 2021-06-27 18:38:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fb94e546a8dcb99d56b1ea3cb0a469de (2 x DarkVNC, 1 x ArkeiStealer, 1 x CryptBot)
ssdeep: 6144:p9ooz9blUiqVIqHsy6W8ud2hEHrFcpDh+jCvOYzfYFVB:p9oophqrsPW8udyEHrFhQOzj
Threatray: 695 similar samples on MalwareBazaar
TLSH: 9684AD2132E0C072E1B32A394975D7B54BBBB4726B71A6CF6BC40A795F257C19A3130B
Reporter: abuse_ch
Tags: CryptBot exe


abuse_ch
CryptBot C2:
http://cypqnh72.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://cypqnh72.top/index.php | https://threatfox.abuse.ch/ioc/154465/
http://morcou07.top/index.php | https://threatfox.abuse.ch/ioc/154466/

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 150
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bce9a372__bioshock-remast.zip
Verdict:
Malicious activity
Analysis date:
2021-06-24 02:26:38 UTC
Tags:
loader evasion trojan rat redline stealer vidar ficker phishing

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot Glupteba RedLine
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Cryptbot
Yara detected Evader
Yara detected Glupteba
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Behavior Graph (rendered graph recovered as text):
Behavior Graph ID: 441009
Sample: nxinF8KuKS.exe
Startdate: 27/06/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
DNS: tHVTkijeiN.tHVTkijeiN

Process nxinF8KuKS.exe (started)
  Network: dugudj10.top 47.243.129.23, 49742, 49744, 49745 (CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, United States); g-partners.in; 4 other IPs or domains
  Dropped: C:\Users\user\AppData\...\38027947950.exe (PE32); C:\Users\user\AppData\...\29672958956.exe (PE32); C:\Users\user\AppData\...\19409539367.exe (PE32); 6 other files (5 malicious)
  Signatures: May check the online IP address of the machine
  Child processes: cmd.exe; cmd.exe; cmd.exe; 10 other processes

cmd.exe -> 29672958956.exe (started); conhost.exe (started)
cmd.exe -> 19409539367.exe (started); conhost.exe (started)
cmd.exe -> 38027947950.exe (started); conhost.exe (started)
10 other processes
  Dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian), three instances; 6 other malicious files
  Signatures: Tries to evade analysis by execution special instruction which cause usermode exception
  Child process: conhost.exe (started)

Process 29672958956.exe
  Network: 4amsaatchihn.com 192.185.16.56, 443, 49768 (UNIFIEDLAYER-AS-1US, United States); 86.107.197.64, 30152, 49755 (MOD-EUNL, Romania); api.ip.sb
  Dropped: C:\Users\user\AppData\Local\...\newklip.exe (PE32); C:\Users\user\AppData\...\29672958956.exe.log (ASCII)
  Signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 5 other signatures

Process 19409539367.exe
  Network: 2 other IPs or domains
  Signatures: Detected unpacking (overwrites its own PE header); May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); 2 other signatures

Process 38027947950.exe
  Network: morcou07.top 167.71.52.124 (DIGITALOCEAN-ASNUS, United States); cypqnh72.top 178.128.161.43 (DIGITALOCEAN-ASNUS, Netherlands); dugudj10.top
  Dropped: C:\Users\user\AppData\Local\...\anFanjEi.exe (PE32)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
Threat name:
Win32.Trojan.Azorult
Status:
Malicious
First seen:
2021-06-22 10:26:04 UTC
AV detection:
35 of 46 (76.09%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags:
family:cryptbot family:redline family:vidar discovery evasion infostealer spyware stealer themida trojan
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
CryptBot
CryptBot Payload
RedLine
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
cypqnh72.top
morcou07.top
Unpacked files
SHA256 hash: f2c40ac86d73a6c1183fed1ad7276bff2a7cf9c36d4f6a4fd0e1b93978771ffb
MD5 hash: d18508f886636691510ead36dd5f5f7c
SHA1 hash: ab85bf7924589df3b802899cfffdeda4a1965a4a
SHA256 hash: 820194153174a679179e3649a4ebac8f39b4fefd2836d19ae1241e4e520fae26
MD5 hash: 663fdf847d6b11308415ff86ebffc275
SHA1 hash: 6167fdf3cd9a585a44f24eb15d414281edad2485
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: MALWARE_Win_CryptBot
Author: ditekSHen
Description: CryptBot/Fugrafa stealer payload
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments