MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95989d92a6f3b866338f30ad894fcd576761d869e2c01e80f903e498e820f130. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95989d92a6f3b866338f30ad894fcd576761d869e2c01e80f903e498e820f130
SHA3-384 hash: b6398e6c85fbc2ba524056d6a0120a12cf1f76ac4e3c0b3b9bb422690344ad3dd8b5b15e131df2b55f7e6f5333b71600
SHA1 hash: 45185723ff035956f84e1868edc6bb1a2e308e72
MD5 hash: fb5810167110af7c3a2138037a5628a2
humanhash: michigan-louisiana-asparagus-mobile
File name:fb5810167110af7c3a2138037a5628a2.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:2'213'399 bytes
First seen:2021-03-31 12:52:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 49152:P1muQ4i/fcRrjNLhcrr3V94WczS2I5+Bp3vOygCLaRY0cAumH:9mmi/ferpLC33V9bczdp3NgmaTcArH
Threatray 96 similar samples on MalwareBazaar
TLSH A4A533498AF24396F4862FF832BC5381C7E891041E7B5AD777923C5F393D682E15872A
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/129281/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
Sending a UDP request
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Launching the process to create tasks for the scheduler
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/660372
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 379129 Sample: 1Nqs1iTfMz.exe Startdate: 31/03/2021 Architecture: WINDOWS Score: 100 97 Multi AV Scanner detection for dropped file 2->97 99 Multi AV Scanner detection for submitted file 2->99 101 Detected unpacking (changes PE section rights) 2->101 103 7 other signatures 2->103 11 1Nqs1iTfMz.exe 20 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 75 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->75 dropped 77 C:\Users\user\AppData\Local\Temp\...\6.exe, PE32 11->77 dropped 79 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->79 dropped 81 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->81 dropped 18 6.exe 7 11->18         started        20 vpn.exe 7 11->20         started        22 4.exe 4 11->22         started        process5 file6 25 cmd.exe 1 18->25         started        28 at.exe 1 18->28         started        30 cmd.exe 1 20->30         started        32 at.exe 1 20->32         started        73 C:\Users\user\AppData\...\SmartClock.exe, PE32 22->73 dropped 34 SmartClock.exe 22->34         started        process7 signatures8 115 Submitted sample is a known malware sample 25->115 117 Obfuscated command line found 25->117 119 Uses ping.exe to sleep 25->119 121 Uses ping.exe to check the status of other devices and networks 25->121 36 cmd.exe 3 25->36         started        39 conhost.exe 25->39         started        41 conhost.exe 28->41         started        43 cmd.exe 3 30->43         started        45 conhost.exe 30->45         started        47 conhost.exe 32->47         started        process9 signatures10 49 PING.EXE 36->49         started        52 Impedisce.exe.com 36->52         started        54 findstr.exe 1 36->54         started        105 Obfuscated command line found 43->105 107 Uses ping.exe to sleep 43->107 56 Rispetto.exe.com 43->56         started        59 findstr.exe 1 43->59         started        62 PING.EXE 43->62         started        process11 dnsIp12 91 127.0.0.1 unknown unknown 49->91 64 Impedisce.exe.com 52->64         started        113 May check the online IP address of the machine 56->113 67 Rispetto.exe.com 56->67         started        83 C:\Users\user\AppData\...\Rispetto.exe.com, Targa 59->83 dropped 93 192.168.2.1 unknown unknown 62->93 file13 signatures14 process15 dnsIp16 85 GtpVdzFBksQHFIwPnhXncaEBrLqR.GtpVdzFBksQHFIwPnhXncaEBrLqR 64->85 87 ip-api.com 208.95.112.1, 49710, 80 TUT-ASUS United States 67->87 89 DgdEtAbKcKJgMrotLZapjsjp.DgdEtAbKcKJgMrotLZapjsjp 67->89 69 wscript.exe 67->69         started        process17 dnsIp18 95 iplogger.org 88.99.66.31, 443, 49713 HETZNER-ASDE Germany 69->95 109 System process connects to network (likely due to code injection or exploit) 69->109 111 May check the online IP address of the machine 69->111 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95989d92a6f3b866338f30ad894fcd576761d869e2c01e80f903e498e820f130/
Threat name:
Win32.Trojan.Ranumbot
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 06:44:03 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=swmj3evg6o4gmm4pgcwyst6nk5twdwdj4lab5ahzapsjr2ba6eya._file
Verdict:
malicious
Similar samples:
10c0f1080840ab3cf7fd69f80a6b821a6f95cb7b57a7e43dfb757e9df598c18a
CryptBot
39a27d15f3d6175331a974825a440d7475187bae0c133a48a1a5155b49a82537
CryptBot
76386b4c6c46b36b26d9ce00df7982d461bcd1a7586dde62cd831349d0aa3a4b
CryptBot
7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d
CryptBot
884837b998040b03adc5dead61073ad9314ef82754ae0cb415e685297f25a776
CryptBot
948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8
CryptBot
980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f
CryptBot
c8a30abef2939b6c3b6193feffbaf8ba4a87c79fc32e71b10b94bbdb8e1e238f
CryptBot
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
CryptBot
f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01
CryptBot
+ 86 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210331-vg8792kwn2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Unpacked files
SH256 hash:
a56d515897f4d9d336602a1809949629f0e79e1fa0d55154b3b1121fb6138085
MD5 hash:
b3d3f51c4249eeaa7d5245ea4f8c7460
SHA1 hash:
2a3627e3aeeab195eec76c2a65394d178c954f9f
Link:
https://www.unpac.me/results/94bb0e47-8e81-48dc-9f07-aec5a1656dc9/
SH256 hash:
1a89dd298bbfed8af0843af17b076f96562e669d5123a7cc4a912c686c592600
MD5 hash:
3c82d1d87d36a2ca6ecb96540f299f41
SHA1 hash:
fedea0584dab47f60818108f13ea862692661dc2
Link:
https://www.unpac.me/results/94bb0e47-8e81-48dc-9f07-aec5a1656dc9/
SH256 hash:
365be608836b09307a0aac4cd6cc37f0e91dc724935f4cd52ba17f3aac008bdd
MD5 hash:
60897c5338d84feb40344438569c78dd
SHA1 hash:
9ad8a23c82830da99a5692ac75008490508f6ad7
Link:
https://www.unpac.me/results/94bb0e47-8e81-48dc-9f07-aec5a1656dc9/
SH256 hash:
95989d92a6f3b866338f30ad894fcd576761d869e2c01e80f903e498e820f130
MD5 hash:
fb5810167110af7c3a2138037a5628a2
SHA1 hash:
45185723ff035956f84e1868edc6bb1a2e308e72
Link:
https://www.unpac.me/results/94bb0e47-8e81-48dc-9f07-aec5a1656dc9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Swisyn
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95989d92a6f3b866338f30ad894fcd576761d869e2c01e80f903e498e820f130

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 95989d92a6f3b866338f30ad894fcd576761d869e2c01e80f903e498e820f130

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/129281/
  
URLhaus
https://urlhaus.abuse.ch/url/1099949/
  
Delivery method
Distributed via web download

Comments