MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 949b755ce7ba4afeffe8c261141b77bca5f443761aa062936141ed94b737e848. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 949b755ce7ba4afeffe8c261141b77bca5f443761aa062936141ed94b737e848
SHA3-384 hash: 2fad52c287d3e19e16c65e14bad763363e26bfd0f2fa4ed6d7c0bec8070eaab8b6ee0d56f8f88ffd32bb452dec726b1d
SHA1 hash: 6b632e17a4ab106806d378f598f0904906eec1e4
MD5 hash: 856bf12bf3ecb5b5a388a0a58f99be9b
humanhash: south-kentucky-dakota-lima
File name:856bf12bf3ecb5b5a388a0a58f99be9b
Download: download sample
Signature CryptBot
Create hunting rule
File size:671'744 bytes
First seen:2021-07-14 15:11:21 UTC
Last seen:2021-07-14 17:07:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cf8113cdf9d71dde8baf28192dd4ab3f (6 x Smoke Loader, 2 x ArkeiStealer, 1 x CryptBot)
ssdeep 12288:KGvf6wE9pHG+IN+2Rx/IngmQK+GKFGXgE1ekGpFm9:PfhEjGNX3/a3B2SgESM
Threatray 300 similar samples on MalwareBazaar
TLSH T16DE412223262C173D5FB19315832FB741EBB79322634858F272CE79E5E312D21AA574B
Reporter zbetcheckin
Tags:32 CryptBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
856bf12bf3ecb5b5a388a0a58f99be9b
Verdict:
Malicious activity
Analysis date:
2021-07-14 16:33:39 UTC
Tags:
stealer trojan loader
Link:
https://app.any.run/tasks/67e5cd14-fa15-4243-9612-bdbccb401a7d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171719/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.18954.2782.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Predator The Thief
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/04ee6ef8-239c-4163-8809-f2c64818ec85
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816501
Signature
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448912 Sample: qwxiR5lxRE Startdate: 14/07/2021 Architecture: WINDOWS Score: 100 86 Found malware configuration 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 Antivirus detection for URL or domain 2->90 92 11 other signatures 2->92 12 qwxiR5lxRE.exe 22 2->12         started        17 SmartClock.exe 2->17         started        19 SmartClock.exe 2->19         started        process3 dnsIp4 82 wymbhy32.top 68.183.192.109, 49749, 80 DIGITALOCEAN-ASNUS United States 12->82 84 hofxuo04.top 47.243.129.23, 49740, 49741, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 12->84 68 C:\Users\user\AppData\...\ZaLZEjeHpVN.exe, PE32 12->68 dropped 70 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 12->70 dropped 112 Detected unpacking (changes PE section rights) 12->112 114 Detected unpacking (overwrites its own PE header) 12->114 116 Tries to harvest and steal ftp login credentials 12->116 118 2 other signatures 12->118 21 ZaLZEjeHpVN.exe 25 12->21         started        file5 signatures6 process7 file8 58 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 21->58 dropped 60 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 21->60 dropped 62 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 21->62 dropped 64 3 other files (none is malicious) 21->64 dropped 24 vpn.exe 7 21->24         started        26 4.exe 4 21->26         started        process9 file10 29 cmd.exe 1 24->29         started        66 C:\Users\user\AppData\...\SmartClock.exe, PE32 26->66 dropped 32 SmartClock.exe 26->32         started        process11 signatures12 104 Submitted sample is a known malware sample 29->104 106 Obfuscated command line found 29->106 108 Uses ping.exe to sleep 29->108 110 Uses ping.exe to check the status of other devices and networks 29->110 34 cmd.exe 3 29->34         started        37 conhost.exe 29->37         started        process13 signatures14 94 Obfuscated command line found 34->94 96 Uses ping.exe to sleep 34->96 39 Ricordarti.exe.com 34->39         started        42 PING.EXE 1 34->42         started        45 findstr.exe 1 34->45         started        process15 dnsIp16 102 May check the online IP address of the machine 39->102 48 Ricordarti.exe.com 3 17 39->48         started        80 127.0.0.1 unknown unknown 42->80 72 C:\Users\user\AppData\...\Ricordarti.exe.com, Targa 45->72 dropped file17 signatures18 process19 dnsIp20 74 ip-api.com 208.95.112.1, 49769, 80 TUT-ASUS United States 48->74 76 LMwWfCcmRWAmfFCNIZdgWmiWmFe.LMwWfCcmRWAmfFCNIZdgWmiWmFe 48->76 56 C:\Users\user\AppData\...\gmrxlvmmti.vbs, ASCII 48->56 dropped 52 wscript.exe 12 48->52         started        file21 process22 dnsIp23 78 iplogger.org 88.99.66.31, 443, 49772 HETZNER-ASDE Germany 52->78 98 System process connects to network (likely due to code injection or exploit) 52->98 100 May check the online IP address of the machine 52->100 signatures24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/949b755ce7ba4afeffe8c261141b77bca5f443761aa062936141ed94b737e848/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 15:12:09 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
27 of 46 (58.70%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
29e9301a2a4536910df563d965e6f7017786f229133c19b925216b0c056423b9
CryptBot
2afd735ca5d2ad8a8478c4832e4827b150e30d5f0b7c1dc174ce934017ee1d76
CryptBot
7304be70f4e18d91047e2ee07944ac60dd018f35cc4321634b160e0ca39c28d4
CryptBot
79b30159c6eaabe98bef0992b5c26e83249ed532c47da8ff24d3688eda8e8f79
CryptBot
8f15d3117f5187860694e0af3fab3f6cf30e522c273ac6209ba76ef0ff57a7b2
CryptBot
fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
CryptBot
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
CryptBot
fe0921df62f37332cab9e56fbbfe050e204e196e55eb323657c1f0469a6ff27b
CryptBot
+ 290 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210714-kylez5326j/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
3b20d3ed8ed8753a3c266c23334d0e1c1417b5e81fc5288d5e58639a06c03cad
MD5 hash:
f919c7c51ec92adb73ddfc434109ff92
SHA1 hash:
9d696e529822e9d47a20adc035f0f509fc4002e1
Detections:
win_blacksoul_auto
Create hunting rule
win_cryptbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/5754deb0-8d83-4e1b-a119-ee7031b18629/
Parent samples :
949b755ce7ba4afeffe8c261141b77bca5f443761aa062936141ed94b737e848
af8df57ba3941ed8fa89543e4e98f2da5dfe7a0efaaa72aaca4c54ea9f5ccc58
SH256 hash:
949b755ce7ba4afeffe8c261141b77bca5f443761aa062936141ed94b737e848
MD5 hash:
856bf12bf3ecb5b5a388a0a58f99be9b
SHA1 hash:
6b632e17a4ab106806d378f598f0904906eec1e4
Link:
https://www.unpac.me/results/5754deb0-8d83-4e1b-a119-ee7031b18629/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/949b755ce7ba4afeffe8c261141b77bca5f443761aa062936141ed94b737e848

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:win_blacksoul_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.blacksoul.
Rule name:win_cryptbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.cryptbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 949b755ce7ba4afeffe8c261141b77bca5f443761aa062936141ed94b737e848

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1453979/
Cape
Cape
https://www.capesandbox.com/analysis/171719/

Comments


Avatar
zbet commented on 2021-07-14 15:11:22 UTC

url : hxxp://hofeyz03.top/downfiles/file.exe