MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e8a09fbbc7eddbe0d27909b557a9e185a57eb0be431cb16fa363fd7ca5cd679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e8a09fbbc7eddbe0d27909b557a9e185a57eb0be431cb16fa363fd7ca5cd679
SHA3-384 hash: 8cf9319e4777588465c5529e8e882dee863536c8ec96da1775525fd9a2c6065f45e14ecc3ee4c0bfc10edd03725e52b1
SHA1 hash: 3abe8dee50310403570363420c384f9453cf85ba
MD5 hash: d743980983fcf12b1427f5ea550094da
humanhash: grey-mexico-uncle-butter
File name:d743980983fcf12b1427f5ea550094da
Download: download sample
Signature CryptBot
Create hunting rule
File size:1'688'488 bytes
First seen:2021-06-23 23:32:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 011a034751880c1944da3b5ecc18520d (8 x RedLineStealer, 4 x CryptBot, 3 x ArkeiStealer)
ssdeep 24576:iKi2nDQbqCamjmayj71yOuFvXawBxV1aYDm+vRmj/JIVOJCQwdZ8ffXx5Co1kSiz:iGDQjJdvKI3tqbDJKvx8fPxUS8D9l
Threatray 219 similar samples on MalwareBazaar
TLSH 207523157AFB4439CAA32133A147B7A214FCE6750B2A95C74F909E0B2E777D2CE39109
Reporter zbetcheckin
Tags:32 CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d743980983fcf12b1427f5ea550094da
Verdict:
Malicious activity
Analysis date:
2021-06-23 23:34:38 UTC
Tags:
autoit stealer trojan
Link:
https://app.any.run/tasks/c4387b73-a3da-4dfd-8c54-4adf4d4f7c2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f5c68fd-7190-4828-a886-09302724ac6c
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806936
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439347 Sample: 2dVUbvH1g4 Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 5 other signatures 2->46 9 2dVUbvH1g4.exe 7 2->9         started        process3 signatures4 48 Contains functionality to register a low level keyboard hook 9->48 12 cmd.exe 1 9->12         started        process5 signatures6 50 Submitted sample is a known malware sample 12->50 52 Obfuscated command line found 12->52 54 Uses ping.exe to sleep 12->54 56 Uses ping.exe to check the status of other devices and networks 12->56 15 cmd.exe 3 12->15         started        18 conhost.exe 12->18         started        process7 signatures8 60 Obfuscated command line found 15->60 62 Uses ping.exe to sleep 15->62 20 Invece.exe.com 15->20         started        22 PING.EXE 1 15->22         started        25 findstr.exe 1 15->25         started        process9 dnsIp10 28 Invece.exe.com 27 20->28         started        34 127.0.0.1 unknown unknown 22->34 36 192.168.2.1 unknown unknown 22->36 32 C:\Users\user\AppData\...\Invece.exe.com, Targa 25->32 dropped file11 process12 dnsIp13 38 OIgLHlcstBsg.OIgLHlcstBsg 28->38 58 Tries to harvest and steal browser information (history, passwords, etc) 28->58 signatures14
Detection:
cryptbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8e8a09fbbc7eddbe0d27909b557a9e185a57eb0be431cb16fa363fd7ca5cd679/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 18:28:44 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r2fat654p3o34djhscnvk6u6dbnfp2yl4qy4wfx2gy75pss42z4q._file
Verdict:
malicious
Similar samples:
02a87432aa8362fae07a1f6f53e01635c45dce79453e057a899bcf1588b40763
CryptBot
02b2395502a744108c7c09bafafb58af53016603294bdb780d667bb91c484363
CryptBot
04c7a8fc8e75fa2a6f788b3c92cd46d6d99a517add2f875d9fdf8b4377d54acf
CryptBot
1a1473655a8c5bd91dd85a303d458cae759a73b50dbc635a0f3da25dfbd17297
CryptBot
530656ad87a4e5c0f07998323ebca34348af7c7a2e585196f2d0c73580832e36
CryptBot
957860a901820c6cd66f49700a18a4fc3243104f8147805d1bbec9ec651f009b
CryptBot
a2ed4456865129f69ed876a3262526d1193bc881708d46d86be1528f23c1b749
CryptBot
f611711bbcb210e6e679026be24fd78215dc623abfb926d6811274eec16a3ca7
CryptBot
f627cdcd4882aeee1329e0fb22e0cede29c0c743f40a002cbdbd1a4c2c6592ca
CryptBot
f9ea5610c7a0bb3fcf4380200e3056266e06819f0ae956ee96961211b1ef98a5
CryptBot
+ 209 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/210623-t3m9rhe1gs/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
CryptBot
Unpacked files
SH256 hash:
e9f421643253e6183236e39c58aff82618e09a00b76ca3e0143f161f403d4ba0
MD5 hash:
9db55ede31fee25d837623242189343b
SHA1 hash:
7386339946ec18c1d9ea592880b76b1c6272024b
Link:
https://www.unpac.me/results/167bbb8b-bfa2-426e-972f-15cce4616e7f/
SH256 hash:
8e8a09fbbc7eddbe0d27909b557a9e185a57eb0be431cb16fa363fd7ca5cd679
MD5 hash:
d743980983fcf12b1427f5ea550094da
SHA1 hash:
3abe8dee50310403570363420c384f9453cf85ba
Link:
https://www.unpac.me/results/167bbb8b-bfa2-426e-972f-15cce4616e7f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e8a09fbbc7eddbe0d27909b557a9e185a57eb0be431cb16fa363fd7ca5cd679

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 8e8a09fbbc7eddbe0d27909b557a9e185a57eb0be431cb16fa363fd7ca5cd679

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1392885/
  
URLhaus
https://urlhaus.abuse.ch/url/1393123/
  
URLhaus
https://urlhaus.abuse.ch/url/1393296/
  
URLhaus
https://urlhaus.abuse.ch/url/1393486/

Comments