MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f
SHA3-384 hash: 83c3d4d6e5dbd3973852789d793fcd6cb107430e6a96e622cfdf6e1760bed762fe29e1ef8d81ba09bb5a1de51731f3b1
SHA1 hash: 100f8f6dd11dd0fddf807953bc11169e3eaffc3e
MD5 hash: 7e6d9d8815e655de51a63d78f9687c43
humanhash: winner-shade-summer-uncle
File name:7e6d9d8815e655de51a63d78f9687c43.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:4'918'697 bytes
First seen:2021-03-25 18:22:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:kwBR6lMNL1QUJ4HqGa+kPOEPaZmW5TuUEUtg/aHCUboiRlItpAPQkT:5UMNL1JJ4Kp+kPrPasWVuXBuo6lIDAPH
Threatray 81 similar samples on MalwareBazaar
TLSH 9F3633ED1329C5EBCCE5487B5FB08CC7CD70AD16A834DA7163417A4AF17DAA018B9E12
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-03-25 18:27:17 UTC
Tags:
trojan evasion opendir
Link:
https://app.any.run/tasks/408ddf8f-a9ee-4c3a-8c86-5dfa87d08697

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1eb74d38-12c7-428b-932c-50b0fe705e6e
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/654359
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious Svchost Process
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 376114 Sample: vZzN8hoqnD.exe Startdate: 25/03/2021 Architecture: WINDOWS Score: 100 95 Multi AV Scanner detection for dropped file 2->95 97 Multi AV Scanner detection for submitted file 2->97 99 Detected unpacking (changes PE section rights) 2->99 101 8 other signatures 2->101 11 vZzN8hoqnD.exe 21 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 75 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->75 dropped 77 C:\Users\user\AppData\Local\Temp\...\6.exe, PE32 11->77 dropped 79 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->79 dropped 81 2 other files (1 malicious) 11->81 dropped 18 6.exe 7 11->18         started        20 vpn.exe 7 11->20         started        22 4.exe 4 11->22         started        25 5.exe 11->25         started        process5 file6 27 cmd.exe 1 18->27         started        30 svchost.exe 18->30         started        32 cmd.exe 1 20->32         started        34 svchost.exe 20->34         started        71 C:\Users\user\AppData\...\SmartClock.exe, PE32 22->71 dropped 36 SmartClock.exe 22->36         started        process7 signatures8 113 Submitted sample is a known malware sample 27->113 115 Obfuscated command line found 27->115 117 Uses ping.exe to sleep 27->117 119 Uses ping.exe to check the status of other devices and networks 27->119 38 cmd.exe 3 27->38         started        41 conhost.exe 27->41         started        43 cmd.exe 3 32->43         started        45 conhost.exe 32->45         started        process9 signatures10 47 PING.EXE 38->47         started        50 Nascosta.exe.com 38->50         started        52 findstr.exe 1 38->52         started        107 Obfuscated command line found 43->107 109 Uses ping.exe to sleep 43->109 54 Parlato.exe.com 43->54         started        57 findstr.exe 43->57         started        60 PING.EXE 43->60         started        process11 dnsIp12 91 127.0.0.1 unknown unknown 47->91 62 Nascosta.exe.com 50->62         started        111 May check the online IP address of the machine 54->111 65 Parlato.exe.com 54->65         started        73 C:\Users\user\AppData\...\Parlato.exe.com, Targa 57->73 dropped 93 192.168.2.1 unknown unknown 60->93 file13 signatures14 process15 dnsIp16 85 oeBaWlhJhVQq.oeBaWlhJhVQq 62->85 87 ip-api.com 208.95.112.1, 49717, 80 TUT-ASUS United States 65->87 89 SzHjeLkdmedyhHqKaboL.SzHjeLkdmedyhHqKaboL 65->89 67 wscript.exe 65->67         started        process17 dnsIp18 83 iplogger.org 88.99.66.31, 443, 49720 HETZNER-ASDE Germany 67->83 103 System process connects to network (likely due to code injection or exploit) 67->103 105 May check the online IP address of the machine 67->105 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-03-25 18:23:07 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tahcp4gphtw2tiq5qzixmwto53nvco32c2pddjaqrstm4ie54nhq._file
Verdict:
malicious
Similar samples:
08c4b529de76e13d9b005b84f70d3338685a7bad66b30816d839e7d4bffd14f7
CryptBot
1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f
CryptBot
388d18b98704bff34ac1cb0a6603e68ba300205ee2f14e4bf482f1012d933231
CryptBot
6c219118acdf6e43d54298e2a7c268c0877a4f31c207cd29d2e038a858cea9fe
CryptBot
7b55f92633f9e8b7aad9234dd19148549c4b068f8199bb2ea4cfa6ef3175e569
CryptBot
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
CryptBot
b0e796694c790548cf9553a6ed536b21e8471064c4ae887304137ffcafbe257f
CryptBot
b31544541ebcdaeb7746d400b534e0ce49abb44d5922acacaa1653c492cbd650
CryptBot
b9fe450826cf7e036b06af03cee2288464efff6bc72c4ada9299c38128ee5f77
CryptBot
bced04a0ef9306f81abe9dcd2bf613802076f1d2012f23bcc42a208acabf25dd
CryptBot
+ 71 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210325-l4cn9fekbx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Unpacked files
SH256 hash:
a56d515897f4d9d336602a1809949629f0e79e1fa0d55154b3b1121fb6138085
MD5 hash:
b3d3f51c4249eeaa7d5245ea4f8c7460
SHA1 hash:
2a3627e3aeeab195eec76c2a65394d178c954f9f
Link:
https://www.unpac.me/results/f55d3404-11d5-4bb0-9179-0a34f705f2c5/
SH256 hash:
9db32fa290d7a1f626b24bbf6efbf6030e3ae5d52e731d17d2932ba9e01b2095
MD5 hash:
c0fe9a1aad0ef281f81acc6c4e5cd981
SHA1 hash:
8fe3f1805bb435f421f8b909b7670e50ce2fb346
Link:
https://www.unpac.me/results/f55d3404-11d5-4bb0-9179-0a34f705f2c5/
SH256 hash:
e0dd4409148e9c0d64668845b2969d9bb699a51faf8bb23e8db9c46c29aaae75
MD5 hash:
bd3e514d61a83366e0980c9942287cfa
SHA1 hash:
c83eeb987d5ce47faecb3e9b6e60c0de17981590
Link:
https://www.unpac.me/results/f55d3404-11d5-4bb0-9179-0a34f705f2c5/
SH256 hash:
9967475a9f457fed2b926fe62a83ad78d1099343a10e30282fe3cf2167fa83ab
MD5 hash:
e4111a11e24c048b63aea7c965366802
SHA1 hash:
7199110945b0114416366575fcf58598c7ff1d43
Link:
https://www.unpac.me/results/f55d3404-11d5-4bb0-9179-0a34f705f2c5/
SH256 hash:
980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f
MD5 hash:
7e6d9d8815e655de51a63d78f9687c43
SHA1 hash:
100f8f6dd11dd0fddf807953bc11169e3eaffc3e
Link:
https://www.unpac.me/results/f55d3404-11d5-4bb0-9179-0a34f705f2c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1090674/
  
Delivery method
Distributed via web download

Comments