MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88a2e91597137f9a64ccf66c89390c533d1a85d09f8310b658f73bf6ad45db2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88a2e91597137f9a64ccf66c89390c533d1a85d09f8310b658f73bf6ad45db2a
SHA3-384 hash: 735a2da5e58e5d23410c9e403e31cd03e4fa07ba4e03d4d408e50d5bbecfb9405d3f0affc0cf97f74c2d5c349a6b18c5
SHA1 hash: 780fd038bb466c60140ecce80740c17850e95423
MD5 hash: b6c970046cdf3da19838d0114c993372
humanhash: quiet-texas-six-lithium
File name:b6c970046cdf3da19838d0114c993372.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:1'934'958 bytes
First seen:2021-07-21 06:18:02 UTC
Last seen:2021-07-21 06:56:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2b914b6fd04316572d777593dc737715 (4 x CryptBot, 4 x RedLineStealer, 3 x ServHelper)
ssdeep 49152:q2dYgG58KfbXkV0qnOzioH+UL/8gPUjQgX+QwrhS:qWYgGmKfza0qnObLUWFr8
Threatray 400 similar samples on MalwareBazaar
TLSH T16F95AB12E987836AD493F7F9350DF6744825AC7F07241AC377B4FEC26AE1E858928271
dhash icon f0e8aa868e96d0f0 (1 x CryptBot, 1 x RedLineStealer)
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://moryuf02.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://moryuf02.top/index.php https://threatfox.abuse.ch/ioc/161771/

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b6c970046cdf3da19838d0114c993372.exe
Verdict:
Malicious activity
Analysis date:
2021-07-21 06:19:58 UTC
Tags:
trojan stealer loader
Link:
https://app.any.run/tasks/c242a284-6b2f-45c7-827e-4b51f393fd64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172931/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37270039.2211.14164.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c56b53e-5367-4c31-81a2-aeaf8a05e3d6
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/819342
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451753 Sample: TSlJL2TchX.exe Startdate: 21/07/2021 Architecture: WINDOWS Score: 96 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 3 other signatures 2->42 9 TSlJL2TchX.exe 7 2->9         started        process3 signatures4 44 Contains functionality to register a low level keyboard hook 9->44 12 cmd.exe 1 9->12         started        process5 signatures6 46 Submitted sample is a known malware sample 12->46 48 Obfuscated command line found 12->48 50 Uses ping.exe to sleep 12->50 52 Uses ping.exe to check the status of other devices and networks 12->52 15 cmd.exe 3 12->15         started        18 conhost.exe 12->18         started        process7 signatures8 54 Obfuscated command line found 15->54 56 Uses ping.exe to sleep 15->56 20 PING.EXE 1 15->20         started        23 Uso.exe.com 15->23         started        25 findstr.exe 1 15->25         started        process9 dnsIp10 30 127.0.0.1 unknown unknown 20->30 32 192.168.2.1 unknown unknown 20->32 27 Uso.exe.com 23->27         started        process11 dnsIp12 34 KcPHSPUzLWLBIAVRkCpCYCkNQL.KcPHSPUzLWLBIAVRkCpCYCkNQL 27->34
Detection:
cryptbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/88a2e91597137f9a64ccf66c89390c533d1a85d09f8310b658f73bf6ad45db2a/
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 19:34:25 UTC
AV detection:
7 of 27 (25.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rcrosfmxcn7zuzgm6zwisoimkm6rvboqt6brbnsy6457nlkf3mva._file
Verdict:
malicious
Similar samples:
056cc0e43fd5b75d6aaa8ab8651394428b1751c538b92aaa088ee3ff79efc20f
CryptBot
4b21de4f5c03de8e7e85bbdc317bd1050ba7bce099c1ba1cafb949ccadff90a2
CryptBot
6e3bf07d961efc686017f48cf2f847072cb35699dc24e44287d9e01274814ad4
CryptBot
6f8ce60168331070f8ca906c9c5e4d53e22b9b72a57c6e0c65bf6f83979d310f
CryptBot
7525f2c1ccec025adb8f773ab10ecd9cee7bacec9949a7415ad239cec969bfb8
CryptBot
78917f8c2ce40501bb4bf955f14e9f96dea7aa003bc6d21611d6c771a7df6a16
CryptBot
834ccdd87931ab88f011372377befbafda51abccff557c7dd3e01682580716fb
CryptBot
e2627edaef3e465cadfb84b250bc0d47cef26af5d2334e5f49ab38d8f919b511
CryptBot
e5dae08e748e408a4a256bd0c5d216281596a20399ea0127ac35b1661248b3ea
CryptBot
f2a7cc00ce9933490e51df2d5df9e7b0b2165c73297a9fa8a99fbf51b85926b8
CryptBot
+ 390 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/210721-3xzs3vvrlj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
CryptBot
Unpacked files
SH256 hash:
d0c2208cac9cf894507b4d442c821dc2d85fd7fbb0d0ff5bc181cec4b3bfc6b9
MD5 hash:
7d0827371ad8d2a3c017fdd9b380edd3
SHA1 hash:
c2c1f423b6d22dc91b69e2261bd447e7f9f18640
Link:
https://www.unpac.me/results/3bcbcc3c-718f-4f92-b8b5-fc9b5497dded/
Parent samples :
c9e1de1c6ddd3ffd9c87ebdbcf9bd5b7064af9f60f650ae50573b05a49af8327
1e71bcb4133949eaa1bead27b4e01f03f7802c6b92f61acbb6b8d7c8faf419d7
3ecf5237981fc6575586fe2e13f9afe240b132b58d7bc071296ec3816b150d26
bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772
feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36
f8387262e71195a4db4a0ca0fe68b973e225b8dfe7b475580d19240a760d1e73
fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693
5e30143f53af82ff891d9801ccff6b30e3dc7f3401bba597accb26e2d3b8b25d
fa5995b67f40f6c2cf7f3edba1e5a2213f2b083a35b13503af7a6203b4b8c33a
a6b218813c937087c078983f17d2520b0c2e7ad5d0cc41bfdf1d0cb540e4470a
440a157bbd8c8332d4edc63e6dc1399777e73bfb7ef3c5a356ab98fa56d1feea
95fb9ca82017f2a6bc59df0d72fc6f90043e135799d25e9922d4943da4c36874
007c6dfe4466894d678c06e6b30df77225450225ddd8e904e731cab32e82c512
9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba
c71463ac4fb8dd985b249b61e54888137bea84dab7c202546e230eb450fc0969
34b896d2e6470b2bd8facb9a796e0a521b78ec4956a573b5b38cacdc42622caa
8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e
f6b2cd5327818418db45f70ed99bc6751d836eaf503a9bf33602af0c74f61e83
b426a6cb4005e266bf9b91b30d46fbbd0d6c541ac40d295aa99b8b7ef45e0edf
d43af0c0a5058412c903698b4ac55f150f6a20cac43344b5a596906780dac1f7
b4ca0b94b1a4e5b2ed28ad66c2df781b5add3c46cf5232b64b3a5253bcc341e8
1d40c76cecaabdf1e1d0004aa15cb469aa4374d1d0b2e48a47e588b1f84113d6
afdb413119fa2e0755a4885146d44547b97096d700d2b1236c6aba8f9bb9719d
7e74f3e8d070de8a3d3488dc7e68281d2450f28f79ee84edf3e0ea7c62bd7f91
d11d8d13e611c17ae61db286984170b2eb6802d2c23630e3211b9cfddaef09e6
d1dae6a275073c722606d35b783b4d176c0d8e0feff6c903c27ab9f0f8d7ab07
7c86e8c4143be0e27af9558ca46b3b4d7c5bee5e58e18902757bc02f6a3863a2
28319673d8f382142e223302ede1e0e497ccac2cd7a9814715726335e78c29c7
b130fe2fceada2a1980b6a0015c1bc1a9c1ee08f6229d99e43de82351da541fa
48a4042854a402824d35f4c95aed1e448d652d79ed0c251635acbc073200dfcf
e1f193deaa71595b668320d294635988f66c0f1ab1ab218e08fe3ae87fe10838
90f608b784fc8eac0a899d6aec257ec4beaf836e0cc808c7496f131aba61bef0
8435702911a3d6ebac7acef5aff7bc30395427892c1ddf39647b912a93260258
5bbb7a91ebfa925b0765103006bdde91f19c648ae792fab9dbc73832f3b2423c
SH256 hash:
88a2e91597137f9a64ccf66c89390c533d1a85d09f8310b658f73bf6ad45db2a
MD5 hash:
b6c970046cdf3da19838d0114c993372
SHA1 hash:
780fd038bb466c60140ecce80740c17850e95423
Link:
https://www.unpac.me/results/3bcbcc3c-718f-4f92-b8b5-fc9b5497dded/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88a2e91597137f9a64ccf66c89390c533d1a85d09f8310b658f73bf6ad45db2a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 88a2e91597137f9a64ccf66c89390c533d1a85d09f8310b658f73bf6ad45db2a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1393651/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172931/

Comments