MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c409df92867a210bba9c3de29296c54222a9342e7e992392f75456e4a86e7a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c409df92867a210bba9c3de29296c54222a9342e7e992392f75456e4a86e7a5
SHA3-384 hash: 306d73f9298962768142bf47617d8024b2960d1eab40fe8efb3b460789f834a198949c5b40b42133e61689884a2f8643
SHA1 hash: 49a7a0a73f7b5af40af30c8107833035567e2a76
MD5 hash: ca07dd5bfa53eea811b2e4608792be0c
humanhash: finch-earth-london-zulu
File name:ca07dd5bfa53eea811b2e4608792be0c.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:683'008 bytes
First seen:2021-08-26 12:42:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c8d9df578fc452582af8996e539153c (17 x RaccoonStealer, 3 x Glupteba, 1 x Smoke Loader)
ssdeep 12288:o1sHawM5GW8l91jP6xQMf4hbcpWfGE1VKuK6xtKXEbkRXgN3f0zkqlTxK3V1ec:oOawMkW8lHjy6Mf45cpMKu/aXEbkpY0+
Threatray 476 similar samples on MalwareBazaar
TLSH T1D3E4121076B2D43AF5EA21B44A78D6702C67BDE36A58828B3B04477E3F251C0A71E7D7
dhash icon 4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ca07dd5bfa53eea811b2e4608792be0c.exe
Verdict:
Malicious activity
Analysis date:
2021-08-26 12:45:17 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/a1cecf0e-dfa8-46bd-b193-004f381cbbe6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/182643/
Detection(s):
Win.Packed.Generic-9888553-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Deleting a recently created file
Sending a UDP request
Creating a file
Launching the default Windows debugger (dwwin.exe)
Creating a window
DNS request
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df9223c6-3a69-41ea-bc88-78970514fe39
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/839880
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c409df92867a210bba9c3de29296c54222a9342e7e992392f75456e4a86e7a5/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 06:01:40 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=traj36jim6rbbo5jyppcsklmkqrcve2c47uzeojpovcw4sug46sq._file
Verdict:
malicious
Similar samples:
0bdb7a98c650426ff70b666a8a1f28b421a6135e729a70baf87a5c126fbd788a
CryptBot
12f0a80b6374b38a3997a7ef4528f26ccbca664b26e48533e7d1f36c78da76f4
CryptBot
26e294b557033c04b7a9039b6e2ef1ec35f8c3ec1a06be3d7b73ddd3ff10395c
CryptBot
2e00fe5b5239656d02676e4e95e200ef21c1d1986e07d4c8d64d16ec1d6e821f
CryptBot
4b6f69b3ade95902351f28e2862234569b3ddd1166b1e936441b530524a32c33
CryptBot
4ca258662fae313fda4a04e18f233da990e7fbac5139713c583db16625b401e0
CryptBot
65cb803d8339bc32863bd557a882cf2016ad7945b18f344aeb94860ca8f6b235
CryptBot
7deefc102955d15af316521068fd9df9474507a3f0d4ef0c8cfbae498dd8fdef
CryptBot
c76d25be072f587dec61a182dbb0c485e1e8c66bccd1a613bb548c64172fa3cb
CryptBot
fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
CryptBot
+ 466 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210826-7mceg2mqkj/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Checks installed software on the system
Reads user/profile data of web browsers
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
a96c148d53a8c30a573dafab11a66e8606e3dda1276a4742cc474792fabb08d6
MD5 hash:
5bce23f0eb85d3bc2ca2d2f6a0bca595
SHA1 hash:
bac181f39258b5e20d332cd527bda67bf446c847
Link:
https://www.unpac.me/results/7ab59e12-c938-4f84-912d-d4c0af58a400/
SH256 hash:
9c409df92867a210bba9c3de29296c54222a9342e7e992392f75456e4a86e7a5
MD5 hash:
ca07dd5bfa53eea811b2e4608792be0c
SHA1 hash:
49a7a0a73f7b5af40af30c8107833035567e2a76
Link:
https://www.unpac.me/results/7ab59e12-c938-4f84-912d-d4c0af58a400/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c409df92867a210bba9c3de29296c54222a9342e7e992392f75456e4a86e7a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182643/

Comments