MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c57bc7023c1b437b8bb49c9d9f1e41f63805b441a4365dd2ff33d5252078a83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c57bc7023c1b437b8bb49c9d9f1e41f63805b441a4365dd2ff33d5252078a83
SHA3-384 hash: af3c0c00711e2b14f071077fcad07ad570b4339948b236d71b66efb21ab5f5e5cfd0f45afe8d7e4a4421fd89b97bc123
SHA1 hash: 99c5631c8f4fbddcaecf8c0cf340a9ec8c6b2fc5
MD5 hash: a196e5e1c8968c6f2837b003ac87b265
humanhash: lamp-friend-butter-violet
File name:a196e5e1c8968c6f2837b003ac87b265.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:1'872'636 bytes
First seen:2022-09-29 10:48:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 49152:A6Pa0RwWqIxqhJbWq7aEB2GSPXnQqgEdf34afUE:facwWqIkhJbI22/PXnQGx34acE
Threatray 1'743 similar samples on MalwareBazaar
TLSH T18285231179C04172E5B31E3456E9A730993C7D206B3ACA9FA7A43E2E0E309D17B357A7
TrID 80.5% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
9.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
3.1% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314727/
Detection(s):
SecuriteInfo.com.Trojan.Uztuby.4.16808.10588.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39950/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63357821d5955f6f49d54c12/reports/402301b8-f320-498c-ad96-3393e5b0093f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fd27a6c3-4934-4d78-b822-5844c201386e
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1079963
Signature
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 712516 Sample: DVtZjVDGUV.exe Startdate: 29/09/2022 Architecture: WINDOWS Score: 76 23 Multi AV Scanner detection for dropped file 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected CryptOne packer 2->27 29 2 other signatures 2->29 9 DVtZjVDGUV.exe 3 8 2->9         started        process3 file4 21 C:\Users\user\AppData\Local\...\k9VxVaoX.cpl, PE32 9->21 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        signatures7 31 Contains functionality to detect sleep reduction / modifications 14->31 17 rundll32.exe 14->17         started        process8 process9 19 rundll32.exe 17->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c57bc7023c1b437b8bb49c9d9f1e41f63805b441a4365dd2ff33d5252078a83/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-09-28 22:04:42 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrl3y4bdyg2dpof3jhe5t4ped5ryaw2edjbwlxjp6m6veuqhrkbq._file
Verdict:
malicious
Similar samples:
1d72c0d76801a1f047049dd202dd380af90f3e31d6801b1e7a5bc3c3e1d711d2
CryptBot
7147f6e289cc0c676b4d679a1c013d4cb0f399594acd5bdd2774911a5bca317a
CryptBot
9cde8e9e06dd9ce7b6e4a13e9772d6811a54b3aef023303ffcae41a85fdb33a1
CryptBot
ab7553549ec32422ee868e71eb96fae87439a4c1333e400d455f31d0b74c8ef2
CryptBot
b38b6f65ea22d5f5b8c1a3a7073c2743c746e2f24a30290353a86fedc078c5b4
CryptBot
b7b8931f7442c2cff8c9df6a8a216ed280c7ea29ea97c30e3147c99a991df0cd
CryptBot
c30aa98a123e2dfaee73e1f0145d014ff781687184578d6cbd98a45c81d288d4
CryptBot
e386c831df697e516fedcab1ad8a879ae057a5f4f321a873dcd31e9c6760009e
CryptBot
+ 1'733 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220929-mwnq1sbefl/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1e3ca626-4d88-493f-a84c-c8997d810a93
Unpacked files
SH256 hash:
49ca130cf38aedbd812945135f9530e8cd9da8578db41aaf8404390c320cb656
MD5 hash:
2119a85723b12b9fd5f2b0a02e61b7eb
SHA1 hash:
6937fe1e75170580be2a26e945bf3b37373cba6b
Link:
https://www.unpac.me/results/cff9cdbb-1157-4817-ae18-18ed0dd331ef/
SH256 hash:
e7e84bc01cc3acfc7c3dff39d23967432e8ee52709921637eabfed5cfb1775eb
MD5 hash:
800570dd434f1a9e2cc4e62cb2038f28
SHA1 hash:
a2b1eaedba1124eb3d94095c15b4444328ebd446
Link:
https://www.unpac.me/results/cff9cdbb-1157-4817-ae18-18ed0dd331ef/
SH256 hash:
8c57bc7023c1b437b8bb49c9d9f1e41f63805b441a4365dd2ff33d5252078a83
MD5 hash:
a196e5e1c8968c6f2837b003ac87b265
SHA1 hash:
99c5631c8f4fbddcaecf8c0cf340a9ec8c6b2fc5
Link:
https://www.unpac.me/results/cff9cdbb-1157-4817-ae18-18ed0dd331ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c57bc7023c1b437b8bb49c9d9f1e41f63805b441a4365dd2ff33d5252078a83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest8
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 8c57bc7023c1b437b8bb49c9d9f1e41f63805b441a4365dd2ff33d5252078a83

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2314911/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2313342/
Cape
Cape
https://www.capesandbox.com/analysis/314727/

Comments