MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cda1177646d0a69217e80541b33a93f1343a3406729fd09fb19a19808cfed4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cda1177646d0a69217e80541b33a93f1343a3406729fd09fb19a19808cfed4b
SHA3-384 hash: a086290c7c5600e1a4426887f3869dbf567438d13564aa7297b997839d4cea1ae98ae91a2a067fceda93724440d0ff19
SHA1 hash: 28ed02ad94045eff5d8d4e66494129b6724dd68f
MD5 hash: 62321000418c3b540e76298b71794e94
humanhash: florida-double-arkansas-robert
File name:SecuriteInfo.com.W32.AIDetect.malware1.7132.16083
Download: download sample
Signature CryptBot
Create hunting rule
File size:718'336 bytes
First seen:2021-03-22 11:42:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f8dcbdba446996da4b38f8b30ebff0ad (1 x CryptBot, 1 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep 12288:QM3iAOXISzovtxiLxa3CgkKUToXCAlGrcTyQ2KTVzL6JYjJiMSg:QpAKISz+t4lay+yoyAUrcTy5ot+Wj8r
TLSH 0EE4F13A72E1C0B2E1A355714635C2B29E7B7876193AA48F7BC00B794E743DDD6A130E
Reporter SecuriteInfoCom
Tags:CryptBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Siggen12.47248.964.26391
Verdict:
Malicious activity
Analysis date:
2021-03-22 06:47:57 UTC
Tags:
evasion loader trojan stealer vidar
Link:
https://app.any.run/tasks/a8f6567d-4d6f-4317-b3ea-a3df9c2db77e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/125897/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.7132.16083.UNOFFICIAL
Create hunting rule

Win.Malware.Generic-9846132-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file
Delayed reading of the file
Reading critical registry keys
Creating a window
Sending a UDP request
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/647691
Signature
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 372810 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 22/03/2021 Architecture: WINDOWS Score: 100 91 foFLdQgDGpIYYlT.foFLdQgDGpIYYlT 2->91 93 JuStzaVJxTdWqqF.JuStzaVJxTdWqqF 2->93 95 2 other IPs or domains 2->95 111 Malicious sample detected (through community Yara rule) 2->111 113 Antivirus detection for dropped file 2->113 115 Multi AV Scanner detection for dropped file 2->115 117 11 other signatures 2->117 11 SecuriteInfo.com.W32.AIDetect.malware1.7132.exe 50 2->11         started        16 SmartClock.exe 2->16         started        18 SmartClock.exe 2->18         started        signatures3 process4 dnsIp5 101 mormsd01.top 193.38.55.158, 49725, 80 SERVERIUS-ASNL Russian Federation 11->101 103 akmes01.top 47.254.173.53, 49726, 49727, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 11->103 105 basfs12.top 8.209.92.87, 49724, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 11->105 87 C:\Users\user\AppData\Local\Temp\Skinks.exe, PE32 11->87 dropped 89 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 11->89 dropped 137 Detected unpacking (changes PE section rights) 11->137 139 Detected unpacking (overwrites its own PE header) 11->139 141 Tries to harvest and steal browser information (history, passwords, etc) 11->141 20 Skinks.exe 21 11->20         started        24 cmd.exe 1 11->24         started        file6 signatures7 process8 file9 71 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 20->71 dropped 73 C:\Users\user\AppData\Local\Temp\...\6.exe, PE32 20->73 dropped 75 C:\Users\user\AppData\Local\Temp\...\5.exe, PE32+ 20->75 dropped 77 2 other files (1 malicious) 20->77 dropped 123 Machine Learning detection for dropped file 20->123 26 5.exe 3 181 20->26         started        31 6.exe 7 20->31         started        33 vpn.exe 7 20->33         started        35 4.exe 4 20->35         started        125 Submitted sample is a known malware sample 24->125 127 Obfuscated command line found 24->127 129 Uses ping.exe to sleep 24->129 131 Uses ping.exe to check the status of other devices and networks 24->131 37 conhost.exe 24->37         started        39 timeout.exe 1 24->39         started        signatures10 process11 dnsIp12 97 googlehosted.l.googleusercontent.com 172.217.23.33, 443, 49730 GOOGLEUS United States 26->97 99 doc-04-04-docs.googleusercontent.com 26->99 79 C:\Users\user\AppData\...\WinRing0x64.sys, PE32+ 26->79 dropped 81 C:\Users\user\AppData\Local\...\Active.exe, PE32+ 26->81 dropped 83 C:\Users\user\AppData\...\AutoIt3_x64.exe, PE32+ 26->83 dropped 133 Query firmware table information (likely to detect VMs) 26->133 135 Sample is not signed and drops a device driver 26->135 41 cmd.exe 31->41         started        43 svchost.exe 31->43         started        45 cmd.exe 33->45         started        47 svchost.exe 33->47         started        85 C:\Users\user\AppData\...\SmartClock.exe, PE32 35->85 dropped 49 SmartClock.exe 35->49         started        file13 signatures14 process15 process16 51 cmd.exe 41->51         started        54 conhost.exe 41->54         started        56 cmd.exe 45->56         started        58 conhost.exe 45->58         started        signatures17 119 Obfuscated command line found 51->119 121 Uses ping.exe to sleep 51->121 60 PING.EXE 51->60         started        63 findstr.exe 51->63         started        65 Allora.exe.com 51->65         started        67 findstr.exe 56->67         started        69 Dimmi.exe.com 56->69         started        process18 dnsIp19 107 127.0.0.1 unknown unknown 60->107 109 192.168.2.1 unknown unknown 60->109
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cda1177646d0a69217e80541b33a93f1343a3406729fd09fb19a19808cfed4b/
Threat name:
Win32.Trojan.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-03-22 09:07:47 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:xmrig discovery evasion miner spyware stealer upx
Link:
https://tria.ge/reports/210322-19cprae9ta/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Sets file to hidden
UPX packed file
XMRig Miner Payload
CryptBot
xmrig
Unpacked files
SH256 hash:
69cd9ef1104aefbae4f68bb7915c928a061bfa55b97fe0ce4845ce3c9fe49775
MD5 hash:
162b035cfcd67632a60689aea7dfe19a
SHA1 hash:
4cfab454869214944b4f7c62dfbf879e96dc9fb2
Link:
https://www.unpac.me/results/922f717e-4b56-47b1-bcf1-ca94e1dd2661/
SH256 hash:
9cda1177646d0a69217e80541b33a93f1343a3406729fd09fb19a19808cfed4b
MD5 hash:
62321000418c3b540e76298b71794e94
SHA1 hash:
28ed02ad94045eff5d8d4e66494129b6724dd68f
Link:
https://www.unpac.me/results/922f717e-4b56-47b1-bcf1-ca94e1dd2661/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cda1177646d0a69217e80541b33a93f1343a3406729fd09fb19a19808cfed4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 9cda1177646d0a69217e80541b33a93f1343a3406729fd09fb19a19808cfed4b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1083190/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/125897/

Comments