MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8
SHA3-384 hash: 67a80b70796fe8afc239c32503bee7645ae0209c117b5493d75fcd79ec2c6317047080c00e55fc88bdd98be31157491b
SHA1 hash: 6d885df3ae13993c89c8d815fafed52156030629
MD5 hash: fe4184263a5ef4e13732dc3da63aca9e
humanhash: carpet-bluebird-twenty-idaho
File name:fe4184263a5ef4e13732dc3da63aca9e.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:2'370'982 bytes
First seen:2021-03-25 18:29:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 49152:k21Bqm67OCMwerL1G5Qy+fSNe4kA81GfCY1D4OiHs1Fex73DND:kOBR6lMNL1QUJ4HqGa+kDND
Threatray 205 similar samples on MalwareBazaar
TLSH 23B533A5DB57C17BD48B1C3E5EF08096CDB4FC5E6834C3266345BA0E71763A28825FA2
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8.exe
Verdict:
Malicious activity
Analysis date:
2021-03-25 18:51:19 UTC
Tags:
autoit evasion opendir
Link:
https://app.any.run/tasks/db9fef57-d7fd-4632-becf-2733ce6dea88

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d5b42a4-9774-49c1-8bea-23d81e40e46a
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/654371
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Svchost Process
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 376121 Sample: hLOTlwUNup.exe Startdate: 25/03/2021 Architecture: WINDOWS Score: 100 99 Multi AV Scanner detection for dropped file 2->99 101 Multi AV Scanner detection for submitted file 2->101 103 Detected unpacking (changes PE section rights) 2->103 105 7 other signatures 2->105 11 hLOTlwUNup.exe 21 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 77 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->77 dropped 79 C:\Users\user\AppData\Local\Temp\...\6.exe, PE32 11->79 dropped 81 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->81 dropped 83 2 other files (1 malicious) 11->83 dropped 18 6.exe 7 11->18         started        20 vpn.exe 7 11->20         started        22 5.exe 15 11->22         started        25 4.exe 4 11->25         started        process5 file6 28 cmd.exe 1 18->28         started        31 svchost.exe 18->31         started        33 cmd.exe 1 20->33         started        35 svchost.exe 20->35         started        107 Query firmware table information (likely to detect VMs) 22->107 37 WerFault.exe 20 9 22->37         started        75 C:\Users\user\AppData\...\SmartClock.exe, PE32 25->75 dropped 40 SmartClock.exe 25->40         started        signatures7 process8 dnsIp9 119 Submitted sample is a known malware sample 28->119 121 Obfuscated command line found 28->121 123 Uses ping.exe to sleep 28->123 125 Uses ping.exe to check the status of other devices and networks 28->125 42 cmd.exe 3 28->42         started        45 conhost.exe 28->45         started        47 cmd.exe 3 33->47         started        49 conhost.exe 33->49         started        95 192.168.2.1 unknown unknown 37->95 signatures10 process11 signatures12 51 PING.EXE 42->51         started        54 Nascosta.exe.com 42->54         started        56 findstr.exe 42->56         started        113 Obfuscated command line found 47->113 115 Uses ping.exe to sleep 47->115 58 Parlato.exe.com 47->58         started        61 findstr.exe 47->61         started        64 PING.EXE 47->64         started        process13 dnsIp14 93 127.0.0.1 unknown unknown 51->93 66 Nascosta.exe.com 54->66         started        117 May check the online IP address of the machine 58->117 69 Parlato.exe.com 58->69         started        85 C:\Users\user\AppData\...\Parlato.exe.com, Targa 61->85 dropped file15 signatures16 process17 dnsIp18 87 oeBaWlhJhVQq.oeBaWlhJhVQq 66->87 89 ip-api.com 208.95.112.1, 49717, 80 TUT-ASUS United States 69->89 91 SzHjeLkdmedyhHqKaboL.SzHjeLkdmedyhHqKaboL 69->91 71 wscript.exe 69->71         started        process19 dnsIp20 97 iplogger.org 88.99.66.31, 443, 49718 HETZNER-ASDE Germany 71->97 109 System process connects to network (likely due to code injection or exploit) 71->109 111 May check the online IP address of the machine 71->111 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-25 16:34:23 UTC
AV detection:
18 of 48 (37.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ssh3hh4nobmlakpkdm3jg7cujtfo7k4d2a76nz7wbeujyh2g3oua._file
Verdict:
malicious
Similar samples:
08c4b529de76e13d9b005b84f70d3338685a7bad66b30816d839e7d4bffd14f7
CryptBot
1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f
CryptBot
388d18b98704bff34ac1cb0a6603e68ba300205ee2f14e4bf482f1012d933231
CryptBot
6c219118acdf6e43d54298e2a7c268c0877a4f31c207cd29d2e038a858cea9fe
CryptBot
7b55f92633f9e8b7aad9234dd19148549c4b068f8199bb2ea4cfa6ef3175e569
CryptBot
980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f
CryptBot
b0e796694c790548cf9553a6ed536b21e8471064c4ae887304137ffcafbe257f
CryptBot
b31544541ebcdaeb7746d400b534e0ce49abb44d5922acacaa1653c492cbd650
CryptBot
b9fe450826cf7e036b06af03cee2288464efff6bc72c4ada9299c38128ee5f77
CryptBot
f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01
CryptBot
+ 195 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210325-42t8mh3rks/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Unpacked files
SH256 hash:
a56d515897f4d9d336602a1809949629f0e79e1fa0d55154b3b1121fb6138085
MD5 hash:
b3d3f51c4249eeaa7d5245ea4f8c7460
SHA1 hash:
2a3627e3aeeab195eec76c2a65394d178c954f9f
Link:
https://www.unpac.me/results/8d971728-5f2f-43db-a63c-0180bf31d22e/
SH256 hash:
07064ebd41f1c0d4f30a66b77deb5070697acbb81be8399888bd9be9ab477f14
MD5 hash:
cc15ade9f71b15e73c6ef7b57f607f68
SHA1 hash:
caf1db6fdb85fb3262a04b05933f32f767afe7cf
Link:
https://www.unpac.me/results/8d971728-5f2f-43db-a63c-0180bf31d22e/
SH256 hash:
91195efccd04e3206157121f5e34883887ebe19d9f3645bf027ce1ce81cddf7e
MD5 hash:
62780b05c296cef848823902f49900ba
SHA1 hash:
d2d0edb0ed2dc28ba348587e7e1c802372e920c5
Link:
https://www.unpac.me/results/8d971728-5f2f-43db-a63c-0180bf31d22e/
SH256 hash:
948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8
MD5 hash:
fe4184263a5ef4e13732dc3da63aca9e
SHA1 hash:
6d885df3ae13993c89c8d815fafed52156030629
Link:
https://www.unpac.me/results/8d971728-5f2f-43db-a63c-0180bf31d22e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1090674/
  
Delivery method
Distributed via web download

Comments