MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dafc7d2a776d705584d34557f2c57df2a44b0ace06893eb60b4418e3b2adda1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8dafc7d2a776d705584d34557f2c57df2a44b0ace06893eb60b4418e3b2adda1
SHA3-384 hash: 4ab7fd8d9d271de4335b3953534520ea4231026bd26f8da2a450ec7e481186ff2038958b6f9c0855543efacf55de603e
SHA1 hash: ed5a2eb4d6eec86e3290420f679f04308d5a3ef5
MD5 hash: 37ca1e787d3a4e6de080805dc86d04ee
humanhash: don-pip-mango-lamp
File name:37ca1e787d3a4e6de080805dc86d04ee
Download: download sample
Signature CryptBot
Create hunting rule
File size:416'768 bytes
First seen:2021-12-20 14:23:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 02ee6c54d3ab44fde3432ebbac068962 (4 x RedLineStealer, 2 x ArkeiStealer, 2 x Smoke Loader)
ssdeep 6144:4qfVDGiKgQu8noiCqHCTwIAWxlgQe6NL78xyGKe:4q67Tu5iTiTwIAWxiQe6p8xyG
Threatray 8'298 similar samples on MalwareBazaar
TLSH T12B94BF1066A0C034F1B316F85A7593B9AA3F3DE1972494CF22D93AEE5674AD0EC3074B
File icon (PE):PE icon
dhash icon 2dac1370399b9b91 (45 x RedLineStealer, 35 x Smoke Loader, 19 x Amadey)
Reporter zbetcheckin
Tags:32 CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215477/
Detection(s):
Win.Malware.Sabsik-9916500-0
Create hunting rule

Win.Malware.Sabsik-9916837-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP POST request
Reading critical registry keys
Sending an HTTP GET request
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Creating a file in the Program Files subdirectories
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for analyzing tools
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2762/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61c092068991ba72b38e9b0c/reports/4442f753-510d-42c2-8842-7fe5d9bda53f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88f3d1f3-e0e9-437b-aa69-7a82d283a634
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/910305
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 542783 Sample: 4XvLsPHPhE Startdate: 20/12/2021 Architecture: WINDOWS Score: 100 65 Found malware configuration 2->65 67 Antivirus detection for URL or domain 2->67 69 Antivirus detection for dropped file 2->69 71 11 other signatures 2->71 8 4XvLsPHPhE.exe 46 2->8         started        process3 dnsIp4 55 lionek12.top 45.141.102.1, 49823, 49824, 80 MTW-ASRU Russian Federation 8->55 57 morjey01.top 109.71.254.109, 49822, 80 LINSERVERSNL Germany 8->57 59 daibly12.top 91.224.22.81, 49821, 80 AS-REGRU Russian Federation 8->59 41 C:\Users\user\AppData\Local\Temp\File.exe, PE32 8->41 dropped 43 C:\Users\user\AppData\Local\...\maysin[1].exe, PE32 8->43 dropped 87 Detected unpacking (changes PE section rights) 8->87 89 Detected unpacking (overwrites its own PE header) 8->89 91 Self deletion via cmd delete 8->91 93 Tries to harvest and steal browser information (history, passwords, etc) 8->93 13 File.exe 25 8->13         started        18 cmd.exe 1 8->18         started        file5 signatures6 process7 dnsIp8 63 192.168.2.1 unknown unknown 13->63 45 C:\Users\user\AppData\Local\...\outwitvp.exe, PE32 13->45 dropped 47 C:\Users\user\AppData\Local\...\napaea.exe, PE32 13->47 dropped 49 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 13->49 dropped 51 3 other files (none is malicious) 13->51 dropped 95 Multi AV Scanner detection for dropped file 13->95 97 Machine Learning detection for dropped file 13->97 20 napaea.exe 7 13->20         started        24 outwitvp.exe 3 18 13->24         started        27 conhost.exe 18->27         started        29 timeout.exe 1 18->29         started        file9 signatures10 process11 dnsIp12 37 C:\Users\user\AppData\...\DpEditor.exe, PE32 20->37 dropped 73 Antivirus detection for dropped file 20->73 75 Multi AV Scanner detection for dropped file 20->75 77 Query firmware table information (likely to detect VMs) 20->77 79 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->79 31 DpEditor.exe 20->31         started        61 ip-api.com 208.95.112.1, 49848, 80 TUT-ASUS United States 24->61 39 C:\Users\user\AppData\Local\...\uyavqprfj.vbs, ASCII 24->39 dropped 81 May check the online IP address of the machine 24->81 83 Machine Learning detection for dropped file 24->83 85 Hides threads from debuggers 24->85 34 wscript.exe 12 24->34         started        file13 signatures14 process15 dnsIp16 99 Query firmware table information (likely to detect VMs) 31->99 101 Hides threads from debuggers 31->101 103 Tries to detect sandboxes / dynamic malware analysis system (registry check) 31->103 53 iplogger.org 148.251.234.83, 443, 49852 HETZNER-ASDE Germany 34->53 105 System process connects to network (likely due to code injection or exploit) 34->105 107 May check the online IP address of the machine 34->107 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8dafc7d2a776d705584d34557f2c57df2a44b0ace06893eb60b4418e3b2adda1/
Threat name:
Win32.Trojan.CryptBot
Create hunting rule
Status:
Malicious
First seen:
2021-12-20 12:40:38 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rwx4puvho3lqkwcngrkx6lcx34vejmfm4bujh23awray4ozk3wqq._file
Verdict:
malicious
Similar samples:
131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1
CryptBot
42173b9b5ae6bcec8b65312e270633a3df6fa4355c9ac4973486291f0fcd8052
CryptBot
6319b895e7a61947bfa702bf9f092d585f76a983666bbceb8d6dcbabe50e330d
CryptBot
879305570a2b3dbe710ddd09445db20a1159696a6c72a503135db8eaef5eecb7
CryptBot
b0884a21366325f9e9242b357e7f3d5acf63b7b38e02988e1c1f3454230b5877
CryptBot
ba9547aac21a5bf2e5220d529b5f79bcb1bf1066824ac8fc3d2074cec2944dbe
CryptBot
dd2867c397375bafb2706c13226805a2877725d93f61938b9f90a3a1f568f6c0
CryptBot
df7841fad13bb90a108a0861c92c565ad754528e684600ad07011cd4e83f1a63
CryptBot
ee53cf56f393658949e4756c48e63e0c02542c1403c87e72d926bfb6b0306809
CryptBot
+ 8'288 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:danabot botnet:4 banker discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/211220-rqp44sbfar/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
CryptBot
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
daibly12.top
morjey01.top
142.11.244.223:443
23.106.122.139:443
Unpacked files
SH256 hash:
0bc4bed06bd76369ad8a6f0a1da2d42e2d11ec0ca15b4a8a55d9ba267f2890c7
MD5 hash:
ea5aecedbb3e319ccafee21e3e6d1692
SHA1 hash:
98ab65e21ec8cf64944b15196297f92695535aa4
Link:
https://www.unpac.me/results/8f4365d1-80ee-47a3-85bb-9151b8293d0e/
SH256 hash:
8dafc7d2a776d705584d34557f2c57df2a44b0ace06893eb60b4418e3b2adda1
MD5 hash:
37ca1e787d3a4e6de080805dc86d04ee
SHA1 hash:
ed5a2eb4d6eec86e3290420f679f04308d5a3ef5
Link:
https://www.unpac.me/results/8f4365d1-80ee-47a3-85bb-9151b8293d0e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8dafc7d2a776d705584d34557f2c57df2a44b0ace06893eb60b4418e3b2adda1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 8dafc7d2a776d705584d34557f2c57df2a44b0ace06893eb60b4418e3b2adda1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1901451/
Cape
Cape
https://www.capesandbox.com/analysis/215477/

Comments


Avatar
zbet commented on 2021-12-20 14:23:52 UTC

url : hxxp://liogak02.top/download.php?file=file.exe