MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c183327a52687e89969b39d6e099f239161ce9876af0f8da666eb5e55c238c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c183327a52687e89969b39d6e099f239161ce9876af0f8da666eb5e55c238c3
SHA3-384 hash: 4a6a4156043253e4449172244836f864d11fb9c24db940c5a09584b82398e62bf41cc43d2d69cd513a44b57de5bbb17d
SHA1 hash: cefe5f106f801a209fa7f1cd0deb159d463d7460
MD5 hash: fa21e7c5ec86756cc0276d1426c3e240
humanhash: london-angel-yellow-bluebird
File name:fa21e7c5ec86756cc0276d1426c3e240
Download: download sample
Signature CryptBot
Create hunting rule
File size:342'528 bytes
First seen:2021-09-09 13:13:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f50084dfd1c6e5f44fa702362197889 (1 x CryptBot, 1 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep 6144:MwswblQHj2f5BkKC5u0u0Efn9yICbEMdHBU0x1tMgPAf9AfsU:3TQHKfzzC5u8ivkEMHlMgPAF
Threatray 5'165 similar samples on MalwareBazaar
TLSH T16C74BF04AAA0C035F5F726F44ABA9379A83E7EF16B2450CF52D52AEE56346D4DC3070B
dhash icon e8e8e8e8aa66a499 (51 x RaccoonStealer, 27 x ArkeiStealer, 22 x RedLineStealer)
Reporter zbetcheckin
Tags:32 CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fa21e7c5ec86756cc0276d1426c3e240
Verdict:
Malicious activity
Analysis date:
2021-09-09 13:15:55 UTC
Tags:
trojan stealer
Link:
https://app.any.run/tasks/92fdc355-4331-4d4f-968b-abec80e6adb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186671/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.16496.5786.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Connection attempt to an infection source
Sending a UDP request
DNS request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file in the Program Files subdirectories
Deleting a recently created file
Searching for analyzing tools
Searching for the window
Launching a process
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Query of malicious DNS domain
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff5f00cb-5d88-447f-9574-2052a5c87a20
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848112
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 480544 Sample: z2SUzJkpaW Startdate: 09/09/2021 Architecture: WINDOWS Score: 100 63 Antivirus detection for URL or domain 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 7 other signatures 2->69 8 z2SUzJkpaW.exe 47 2->8         started        13 IntelRapid.exe 2->13         started        15 IntelRapid.exe 2->15         started        process3 dnsIp4 57 elosie05.top 5.188.88.47, 49771, 49772, 80 PINDC-ASRU Russian Federation 8->57 59 raskzx42.top 95.181.178.224, 49769, 80 NEOHOST-ASUA Russian Federation 8->59 61 morsfu04.top 5.101.44.203, 49770, 80 LLHOSTM247EU Russian Federation 8->61 51 C:\Users\user\AppData\Local\Temp\File.exe, PE32 8->51 dropped 53 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 8->53 dropped 91 Detected unpacking (changes PE section rights) 8->91 93 Self deletion via cmd delete 8->93 95 Tries to harvest and steal browser information (history, passwords, etc) 8->95 17 File.exe 25 8->17         started        21 cmd.exe 1 8->21         started        97 Query firmware table information (likely to detect VMs) 13->97 99 Hides threads from debuggers 13->99 101 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->101 file5 signatures6 process7 file8 39 C:\Users\user\AppData\Local\...\sheltaf.exe, PE32+ 17->39 dropped 41 C:\Users\user\AppData\Local\...\gravicvp.exe, PE32 17->41 dropped 43 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 17->43 dropped 45 3 other files (none is malicious) 17->45 dropped 71 Multi AV Scanner detection for dropped file 17->71 23 gravicvp.exe 18 17->23         started        28 sheltaf.exe 4 17->28         started        30 conhost.exe 21->30         started        32 timeout.exe 1 21->32         started        signatures9 process10 dnsIp11 55 ip-api.com 208.95.112.1, 49773, 80 TUT-ASUS United States 23->55 47 C:\Users\user\AppData\Local\...\fitumbe.vbs, ASCII 23->47 dropped 79 Antivirus detection for dropped file 23->79 81 Multi AV Scanner detection for dropped file 23->81 83 Query firmware table information (likely to detect VMs) 23->83 89 3 other signatures 23->89 34 wscript.exe 23->34         started        49 C:\Users\user\AppData\...\IntelRapid.exe, PE32+ 28->49 dropped 85 Hides threads from debuggers 28->85 87 Tries to detect sandboxes / dynamic malware analysis system (registry check) 28->87 36 IntelRapid.exe 28->36         started        file12 signatures13 process14 signatures15 73 Query firmware table information (likely to detect VMs) 36->73 75 Hides threads from debuggers 36->75 77 Tries to detect sandboxes / dynamic malware analysis system (registry check) 36->77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c183327a52687e89969b39d6e099f239161ce9876af0f8da666eb5e55c238c3/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 13:14:07 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0c73474ceb5c96ff4c0231b9d542d65c1d78b82de926bbfd4413d81684d78e58
CryptBot
34d14ab08b41d288019d4966b337e5ee13d07cdb652dabf51834bac44c0052f8
CryptBot
37882a4a0aaf84e2f3c063de493fedbf2233c31c7bd146c79059dd1ae914e2f4
CryptBot
7c3b2df673868d8f99e2cea7d58bcf356bd59c1a49340e5a8a285e06a517fb1f
CryptBot
81f9e755ba26058922c5fdb70ead4d6d36c65e95d3bc59a44112c0dd1f928b0e
CryptBot
82986179159fb1244b89a23ab01b915fe1c24407712c156a087fe902572a4a8f
CryptBot
c1a8d0767c3eee51e264da05003007415326296636a74e143056e7e2fea7dc51
CryptBot
c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54
CryptBot
e13fb6156b386d9cea3a46c3835a97636ad0eeddda3b354f86f19915721638fc
CryptBot
f83b0cd39202e7040eae66dac5444eff5f9d878e3bb778613f1525aba2e3c5de
CryptBot
+ 5'155 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210909-qgndgsbdbm/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
8a8fbe9818baae55a15b41d4417c79ba7088a36deaafc0b90c718638bb690895
MD5 hash:
7a0607b1c289e896131a536f724ac1cf
SHA1 hash:
2dc3ae312836fa0f04067007003924139ce154ee
Link:
https://www.unpac.me/results/fd3dd205-3e72-431a-9f53-358007c7f5d5/
SH256 hash:
9c183327a52687e89969b39d6e099f239161ce9876af0f8da666eb5e55c238c3
MD5 hash:
fa21e7c5ec86756cc0276d1426c3e240
SHA1 hash:
cefe5f106f801a209fa7f1cd0deb159d463d7460
Link:
https://www.unpac.me/results/fd3dd205-3e72-431a-9f53-358007c7f5d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c183327a52687e89969b39d6e099f239161ce9876af0f8da666eb5e55c238c3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 9c183327a52687e89969b39d6e099f239161ce9876af0f8da666eb5e55c238c3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1605278/
Cape
Cape
https://www.capesandbox.com/analysis/186671/

Comments


Avatar
zbet commented on 2021-09-09 13:13:41 UTC

url : hxxp://elotom06.top/downfiles/file.exe