MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 884837b998040b03adc5dead61073ad9314ef82754ae0cb415e685297f25a776. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 884837b998040b03adc5dead61073ad9314ef82754ae0cb415e685297f25a776
SHA3-384 hash: c31f72ebe43a3fd722ee5cb592a4391674031f3f69a43e565dc8f10ba76834ca8ec08fe24112b6202ca364f13c32f18f
SHA1 hash: e54c1ac865da556c10dd82b40f9257f34ab10d74
MD5 hash: 55cbdd54452f5a937b4d21384e0c815d
humanhash: ten-north-twelve-steak
File name:55cbdd54452f5a937b4d21384e0c815d.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:642'560 bytes
First seen:2021-03-29 07:12:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1b9a4302f0d59f5d4c40f6b7b971caa9 (1 x CryptBot, 1 x ArkeiStealer)
ssdeep 12288:TxppfcauCX2Fb3JAMsPfCD1g9tdoXe1F0K/hFGnm0XwKMpwpTl:TGauCX2Fb36MsPmg9Ysu1gnG
Threatray 100 similar samples on MalwareBazaar
TLSH C2D41231F5D2C133E65605724856C270063AFCA09B21B7CB3BD46B6E9F362D28A7A747
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://akauk09.top/downfiles/file.exe
Verdict:
Malicious activity
Analysis date:
2021-03-28 16:44:37 UTC
Tags:
stealer trojan loader autoit evasion
Link:
https://app.any.run/tasks/706d916c-fcdf-4ad8-930b-7f802b2f7c54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127483/
Detection(s):
SecuriteInfo.com.Malware.PDB-11.UNOFFICIAL
Create hunting rule

Win.Dropper.Ursnif-9847634-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file
Delayed reading of the file
Reading critical registry keys
Creating a window
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Launching cmd.exe command interpreter
Stealing user critical data
Launching the process to create tasks for the scheduler
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac82860c-7367-4e80-a8d0-1a8111daf87a
Result
Threat name:
Cryptbot Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/656524
Signature
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Cryptbot
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 377196 Sample: Ypp2jYNpAI.exe Startdate: 29/03/2021 Architecture: WINDOWS Score: 100 103 Malicious sample detected (through community Yara rule) 2->103 105 Antivirus detection for URL or domain 2->105 107 Multi AV Scanner detection for dropped file 2->107 109 11 other signatures 2->109 12 Ypp2jYNpAI.exe 49 2->12         started        17 SmartClock.exe 2->17         started        19 SmartClock.exe 2->19         started        process3 dnsIp4 87 akshj10.top 35.242.170.33, 49702, 49703, 80 GOOGLEUS United States 12->87 89 moriol07.top 34.65.191.195, 49700, 49701, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 12->89 91 bavyf72.top 12->91 77 C:\Users\user\AppData\Local\Temp\Paltus.exe, PE32 12->77 dropped 79 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 12->79 dropped 129 Detected unpacking (changes PE section rights) 12->129 131 Detected unpacking (overwrites its own PE header) 12->131 133 Tries to harvest and steal browser information (history, passwords, etc) 12->133 21 Paltus.exe 20 12->21         started        25 cmd.exe 1 12->25         started        file5 signatures6 process7 file8 67 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 21->67 dropped 69 C:\Users\user\AppData\Local\Temp\...\6.exe, PE32 21->69 dropped 71 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 21->71 dropped 73 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 21->73 dropped 113 Multi AV Scanner detection for dropped file 21->113 115 Machine Learning detection for dropped file 21->115 27 vpn.exe 7 21->27         started        29 4.exe 4 21->29         started        32 6.exe 3 21->32         started        117 Submitted sample is a known malware sample 25->117 119 Obfuscated command line found 25->119 121 Uses ping.exe to sleep 25->121 123 Uses ping.exe to check the status of other devices and networks 25->123 34 conhost.exe 25->34         started        36 timeout.exe 1 25->36         started        signatures9 process10 file11 38 cmd.exe 1 27->38         started        40 at.exe 1 27->40         started        81 C:\Users\user\AppData\...\SmartClock.exe, PE32 29->81 dropped 42 SmartClock.exe 29->42         started        process12 process13 44 cmd.exe 3 38->44         started        47 conhost.exe 38->47         started        49 conhost.exe 40->49         started        signatures14 125 Obfuscated command line found 44->125 127 Uses ping.exe to sleep 44->127 51 Suo.exe.com 44->51         started        54 PING.EXE 44->54         started        57 findstr.exe 44->57         started        process15 dnsIp16 111 May check the online IP address of the machine 51->111 60 Suo.exe.com 51->60         started        83 127.0.0.1 unknown unknown 54->83 85 192.168.2.1 unknown unknown 54->85 75 C:\Users\user\AppData\Roaming\...\Suo.exe.com, Targa 57->75 dropped file17 signatures18 process19 dnsIp20 93 ip-api.com 208.95.112.1, 49706, 80 TUT-ASUS United States 60->93 95 ZbMBYMOhExfgYPJhZS.ZbMBYMOhExfgYPJhZS 60->95 63 wscript.exe 60->63         started        process21 dnsIp22 97 iplogger.org 88.99.66.31, 443, 49709 HETZNER-ASDE Germany 63->97 99 System process connects to network (likely due to code injection or exploit) 63->99 101 May check the online IP address of the machine 63->101 signatures23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/884837b998040b03adc5dead61073ad9314ef82754ae0cb415e685297f25a776/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-03-28 12:17:38 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rbedpomyaqfqhlof32wwcbz23eyu56bhksxaznav42css7zfu53a._file
Verdict:
malicious
Similar samples:
08c4b529de76e13d9b005b84f70d3338685a7bad66b30816d839e7d4bffd14f7
CryptBot
1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f
CryptBot
3688975dcd3f7829cfe55f7dd46166e0d6bd46c842c169c9fb4adb317f1d571f
CryptBot
388d18b98704bff34ac1cb0a6603e68ba300205ee2f14e4bf482f1012d933231
CryptBot
39a27d15f3d6175331a974825a440d7475187bae0c133a48a1a5155b49a82537
CryptBot
6c219118acdf6e43d54298e2a7c268c0877a4f31c207cd29d2e038a858cea9fe
CryptBot
7b55f92633f9e8b7aad9234dd19148549c4b068f8199bb2ea4cfa6ef3175e569
CryptBot
948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8
CryptBot
980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f
CryptBot
b0e796694c790548cf9553a6ed536b21e8471064c4ae887304137ffcafbe257f
CryptBot
+ 90 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/210329-xe4p6r1g42/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
CryptBot
Unpacked files
SH256 hash:
e9c743133a450c6dbc187184b7ca7034b97d1abd3e538113645a2a83fd659829
MD5 hash:
a24f8ad6f76e7bd8cac0debd19579aba
SHA1 hash:
94508f6d5e8aa813c03b6a92c2ade26f23c1b6ed
Link:
https://www.unpac.me/results/1d0a25c9-7d55-460f-b3b6-1b398665281b/
SH256 hash:
884837b998040b03adc5dead61073ad9314ef82754ae0cb415e685297f25a776
MD5 hash:
55cbdd54452f5a937b4d21384e0c815d
SHA1 hash:
e54c1ac865da556c10dd82b40f9257f34ab10d74
Link:
https://www.unpac.me/results/1d0a25c9-7d55-460f-b3b6-1b398665281b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Glupteba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/884837b998040b03adc5dead61073ad9314ef82754ae0cb415e685297f25a776

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 884837b998040b03adc5dead61073ad9314ef82754ae0cb415e685297f25a776

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1095248/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127483/

Comments