MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c085bb6591e5d7b0846eda3d7758a1c882be7f5bfb35210c831dc52848c6fa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CryptBot


Vendor detections: 8



SHA256 hash: 8c085bb6591e5d7b0846eda3d7758a1c882be7f5bfb35210c831dc52848c6fa9
SHA3-384 hash: 3c888bbf82d3bcfa673e4b0b5186d7ad02b2abf4b23a4d88932e18e3b6ae5c03a6a987feea92f520b2dbd3937bde0686
SHA1 hash: f6f8afeb484a31a1ecf1e24fda0d73dd193dd620
MD5 hash: aa1814d8e157a27583353e7a95f8a737
humanhash: arizona-don-zulu-river
File name: aa1814d8e157a27583353e7a95f8a737.exe
Signature CryptBot
File size: 380'416 bytes
First seen: 2021-05-13 15:00:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 14135f6a5e846bae3f31d08adeeaff44 (1 x CryptBot)
ssdeep 6144:J0ocipmBmEY1948jHKuraPG6r7V03pjj91Qx7IHYIaktXU:hcipmBmEK5TKUaJPV+jRix1z
Threatray 563 similar samples on MalwareBazaar
TLSH B0849E30A680C036F5F711F849BB977CA5397EA06B64A1CB52D427EE16346E5BC30E87
Reporter abuse_ch
Tags: CryptBot exe


abuse_ch
CryptBot C2:
http://remdny42.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                             ThreatFox Reference
http://remdny42.top/index.php https://threatfox.abuse.ch/ioc/40348/
http://morpgr04.top/index.php https://threatfox.abuse.ch/ioc/40349/

Intelligence


File Origin
# of uploads:
1
# of downloads:
147
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aa1814d8e157a27583353e7a95f8a737.exe
Verdict:
Malicious activity
Analysis date:
2021-05-13 15:10:04 UTC
Tags:
trojan evasion loader ficker stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Unauthorized injection to a recently created process
Result
Threat name:
Cryptbot Ficker Stealer Glupteba
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected Cryptbot
Yara detected Ficker Stealer
Yara detected Glupteba
Behaviour
Behavior Graph:
Behavior Graph ID: 413561. Sample: Mjw2eO99E5.exe. Start date: 13/05/2021. Architecture: WINDOWS. Score: 100. (The graph itself is an image on the original page; its flattened node listing is not reproduced here.)
Threat name:
Win32.Ransomware.Sodinokibi
Status:
Malicious
First seen:
2021-05-10 04:39:00 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
10/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Program crash
Downloads MZ/PE file
Suspicious use of NtCreateProcessExOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



accidentalrebel commented on 2021-05-13 16:06:28 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
1) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0045] File System Micro-objective::Copy File
7) [C0047] File System Micro-objective::Delete File
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0052] File System Micro-objective::Writes File
11) [C0007] Memory Micro-objective::Allocate Memory
12) [C0033] Operating System Micro-objective::Console
13) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
14) [C0040] Process Micro-objective::Allocate Thread Local Storage
15) [C0043] Process Micro-objective::Check Mutex
16) [C0042] Process Micro-objective::Create Mutex
17) [C0041] Process Micro-objective::Set Thread Local Storage Value
18) [C0018] Process Micro-objective::Terminate Process