MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e1d4eeff067d03371c7464e2fe9879deed0633968fc745ec88458ebb198f3f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e1d4eeff067d03371c7464e2fe9879deed0633968fc745ec88458ebb198f3f0
SHA3-384 hash: b3d5daef62cb90856563fafe3e2b6a03790db69a2b380dfde6e4e31fafb42588651068319b697686123082dba31f21f1
SHA1 hash: 050b91b56dc79d1b7fc3d48e68b997b66e2eba28
MD5 hash: e74e8f9adb0df482c191aa372d520587
humanhash: green-illinois-ten-stream
File name:e74e8f9adb0df482c191aa372d520587.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:400'384 bytes
First seen:2021-09-10 14:27:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a07e2478ced6ea4bff168cbb215d0722 (4 x ArkeiStealer, 3 x Stop, 1 x CryptBot)
ssdeep 6144:iV+ikfIr0kBURxKr4I9CPM2RhgNhuBLGey40LzABHvsA1:dnfIr0kQx6TglquBCey40/ARvs
Threatray 52 similar samples on MalwareBazaar
TLSH T19D84BF20B7A0C035F5F716F955BAA3B8A83DBDB16B3090CB62D126EE56346E49C30747
dhash icon 60e8e8e8aa66a499 (24 x RaccoonStealer, 14 x RedLineStealer, 7 x Smoke Loader)
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e74e8f9adb0df482c191aa372d520587.exe
Verdict:
Malicious activity
Analysis date:
2021-09-10 14:34:27 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/a19af536-98f1-43c5-921b-8b149519a3d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186920/
Detection(s):
Win.Packed.Generic-9891871-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c47c46a6-54df-4b3d-8915-3344815693df
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/848847
Signature
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e1d4eeff067d03371c7464e2fe9879deed0633968fc745ec88458ebb198f3f0/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 02:03:00 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tyou537qm7idg4ohizhc72mhtxxnayzznd6hixwiqrmoxmmy6pya._file
Verdict:
malicious
Similar samples:
1169aa40b39712cd78f3bba1509b3a5864752c534497431180eb752015d2d482
CryptBot
225d6cfad4d501404d8da5377a855792b43f34c955965ff613e3fe87ea0b9668
CryptBot
24d74834868ad2cd944eb3f5a863383e851bee9231c870258dd5ba4bddf58e83
CryptBot
5345793ca6c08d8fbc737e5f3833a2f3f8cf2ece34fe09b125f82a103eea01cf
CryptBot
9017bf55c92b9f08174c0f52bdb90099a8122cf1052ea1f0f2b2781c574749a4
CryptBot
9c183327a52687e89969b39d6e099f239161ce9876af0f8da666eb5e55c238c3
CryptBot
bf533a96d61a84c9ad9e3087059b8d37088f135d0a30006a106deaaa34d8550a
CryptBot
cd6a31d0553dcdd4cb5b5223f2f54315f3703123e1d83a2d5a1c36735e51f4db
CryptBot
e4a17e7fabd31dca0c8ffa32fdb6ffbe1d4a696e2a6636186787b8259b95eb54
CryptBot
e91557046e000b4f2947659394d496971e507002f721bdc65a03b9637900bbe9
CryptBot
+ 42 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210910-rs1zdsaca7/
Behaviour
Checks processor information in registry
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
8a8fbe9818baae55a15b41d4417c79ba7088a36deaafc0b90c718638bb690895
MD5 hash:
7a0607b1c289e896131a536f724ac1cf
SHA1 hash:
2dc3ae312836fa0f04067007003924139ce154ee
Link:
https://www.unpac.me/results/8ad3fc46-043d-422f-ad44-92e6755682a3/
SH256 hash:
9e1d4eeff067d03371c7464e2fe9879deed0633968fc745ec88458ebb198f3f0
MD5 hash:
e74e8f9adb0df482c191aa372d520587
SHA1 hash:
050b91b56dc79d1b7fc3d48e68b997b66e2eba28
Link:
https://www.unpac.me/results/8ad3fc46-043d-422f-ad44-92e6755682a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e1d4eeff067d03371c7464e2fe9879deed0633968fc745ec88458ebb198f3f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 9e1d4eeff067d03371c7464e2fe9879deed0633968fc745ec88458ebb198f3f0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1605278/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/186920/

Comments