MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b7ecaa0849028572361c41866bc0acb5d5f1debcfe1e0762d445b759badbd8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b7ecaa0849028572361c41866bc0acb5d5f1debcfe1e0762d445b759badbd8b
SHA3-384 hash: 36af37b410773cb695e3bd6e0b0839d2e1474fb669b5d38c770545e6387a8ef717ec35d2881b951a6018ce3724851905
SHA1 hash: 6efa61ca7391dc53ad561b95b6552e54c9fd409f
MD5 hash: 918695ad1a945cb75e84a475504d5355
humanhash: white-maryland-four-five
File name:0x000100000001ab76-128.dat
Download: download sample
Signature CryptBot
Create hunting rule
File size:288'256 bytes
First seen:2021-07-28 16:59:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fdf275278b640b60b73411e8ed566cf (2 x CryptBot, 2 x RaccoonStealer, 1 x Loki)
ssdeep 6144:hyrHRTuYO1VuEoIeeQ7b9WHZSnl0ebS/ErKaSo:eHRSYOnuue9f9yZWhbuH
Threatray 168 similar samples on MalwareBazaar
TLSH T11654BF20B6E0C035F1F712F849BA93ACA93D7FB15B2491CB62D526EA56356E4DC30387
dhash icon 3661dcbc64dcf166 (1 x CryptBot, 1 x RedLineStealer)
Reporter CholeVallabh
Tags:CryptBot exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sonia_6.txt
Verdict:
Malicious activity
Analysis date:
2021-07-28 16:32:41 UTC
Tags:
evasion trojan kelihos autoit loader stealer raccoon rat redline phishing vidar keylogger agenttesla
Link:
https://app.any.run/tasks/8097c5e7-35dd-400b-ba3f-13f6d464f383

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174731/
Detection(s):
Win.Malware.Generic-9881904-0
Create hunting rule

Win.Malware.Generic-9881959-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4ba53a0-f747-4178-a1e2-47bb2e238c4a
Result
Threat name:
Cryptbot Ficker Stealer Glupteba Raccoon
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823240
Signature
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Yara detected Autohotkey Downloader Generic
Yara detected Cryptbot
Yara detected Evader
Yara detected Ficker Stealer
Yara detected Glupteba
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455649 Sample: 0x000100000001ab76-128.exe Startdate: 28/07/2021 Architecture: WINDOWS Score: 100 75 nULmPlSLTBiT.nULmPlSLTBiT 2->75 103 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->103 105 Multi AV Scanner detection for domain / URL 2->105 107 Malicious sample detected (through community Yara rule) 2->107 109 14 other signatures 2->109 10 0x000100000001ab76-128.exe 29 2->10         started        signatures3 process4 dnsIp5 93 winxob04.top 45.131.46.175, 49737, 49738, 49741 NTC-ASRU Russian Federation 10->93 95 gc-prtnrs.top 95.181.179.21, 49722, 80 NEOHOST-ASUA Russian Federation 10->95 97 3 other IPs or domains 10->97 67 C:\Users\user\AppData\...\51627586652.exe, PE32 10->67 dropped 69 C:\Users\user\AppData\...\18014783385.exe, PE32 10->69 dropped 71 C:\Users\user\AppData\...\16501099928.exe, PE32 10->71 dropped 73 6 other files (none is malicious) 10->73 dropped 123 May check the online IP address of the machine 10->123 15 cmd.exe 10->15         started        17 cmd.exe 10->17         started        19 cmd.exe 10->19         started        21 8 other processes 10->21 file6 signatures7 process8 dnsIp9 24 16501099928.exe 15->24         started        29 conhost.exe 15->29         started        31 51627586652.exe 17->31         started        33 conhost.exe 17->33         started        35 18014783385.exe 19->35         started        37 conhost.exe 19->37         started        77 192.168.2.1 unknown unknown 21->77 39 conhost.exe 21->39         started        41 taskkill.exe 21->41         started        process10 dnsIp11 79 iplogger.org 24->79 81 dahgarq.top 24->81 53 C:\Users\user\AppData\...\apineshpp.exe, PE32 24->53 dropped 111 Detected unpacking (changes PE section rights) 24->111 113 Detected unpacking (overwrites its own PE header) 24->113 115 May check the online IP address of the machine 24->115 121 2 other signatures 24->121 43 apineshpp.exe 24->43         started        83 telete.in 195.201.225.248, 443, 49746 HETZNER-ASDE Germany 31->83 85 34.141.84.7, 49747, 80 ATGS-MMD-ASUS United States 31->85 55 C:\Users\user\AppData\...\vcruntime140.dll, PE32 31->55 dropped 57 C:\Users\user\AppData\...\ucrtbase.dll, PE32 31->57 dropped 59 C:\Users\user\AppData\...\softokn3.dll, PE32 31->59 dropped 65 56 other files (none is malicious) 31->65 dropped 117 Tries to steal Mail credentials (via file access) 31->117 47 cmd.exe 31->47         started        87 ewayab32.top 185.147.128.78, 49758, 80 INETTECH-ASRU Russian Federation 35->87 89 morxeg03.top 142.11.209.158, 49759, 80 HOSTWINDSUS United States 35->89 91 2 other IPs or domains 35->91 61 C:\Users\user\AppData\Local\Temp\Filett.exe, PE32 35->61 dropped 63 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 35->63 dropped 119 Tries to harvest and steal browser information (history, passwords, etc) 35->119 file12 signatures13 process14 dnsIp15 99 185.215.113.17, 18597, 49754 WHOLESALECONNECTIONSNL Portugal 43->99 101 api.ip.sb 43->101 125 Detected unpacking (changes PE section rights) 43->125 127 Detected unpacking (overwrites its own PE header) 43->127 129 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 43->129 131 3 other signatures 43->131 49 conhost.exe 47->49         started        51 timeout.exe 47->51         started        signatures16 process17
Gathering data
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 09:47:54 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1
CryptBot
261728fc1400289488ed7168916b8752a2633c638724cb1653f671568437545c
CryptBot
29ea1afb7eff9de6e637ef41710bf77b0d6292c688a5478edd230d08f29d7502
CryptBot
377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e
CryptBot
3cee28ef52c59c99b841c6927f5085e483523cb8b606ff9ce5d60b3c13574545
CryptBot
87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
CryptBot
af350212764e6304bf417e81cf0009b494119670e4bc1b187cd79cf4c487c7b6
CryptBot
b7199db0d7684129b6b6b11a90b74867d0d19ba569a8ae82694eb626bdffcd2b
CryptBot
c7dac0da25d58206459be8af996568547c3df0f76149c741e607249af4c47a67
CryptBot
ffd34b321cc06d7af0ade5bbef7db266c91382c5ec49937f14475e974f9bf608
CryptBot
+ 158 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/210728-4tt1aanj4s/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
suricata: ET MALWARE GCleaner Downloader Activity M1
Unpacked files
SH256 hash:
2435f4885bf105796691b2e6536ea2347906cb2bbbd2d51e22094220f137b81e
MD5 hash:
379c61b9c72d4051bd1d745c7f465130
SHA1 hash:
da7212e88ff1b721b7ef86ace2fc49f20ff02ac9
Link:
https://www.unpac.me/results/18bfdbec-a951-432b-85a0-584bff5823c7/
SH256 hash:
8b7ecaa0849028572361c41866bc0acb5d5f1debcfe1e0762d445b759badbd8b
MD5 hash:
918695ad1a945cb75e84a475504d5355
SHA1 hash:
6efa61ca7391dc53ad561b95b6552e54c9fd409f
Link:
https://www.unpac.me/results/18bfdbec-a951-432b-85a0-584bff5823c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b7ecaa0849028572361c41866bc0acb5d5f1debcfe1e0762d445b759badbd8b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174731/

Comments