MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f90e6711618a1eab9147f90bdedd606fd975b785915ae37e50e7d2538682579. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f90e6711618a1eab9147f90bdedd606fd975b785915ae37e50e7d2538682579
SHA3-384 hash: e4756a15d11f739cb3417c700f6be4918e9c53b35ce4073959835434ae5bf8a397dc7359eede3bc6e6258255ce3107d7
SHA1 hash: 505adda812658863544bea25d78bd99ebbebef7e
MD5 hash: 24e0494e2312d51c94b3c79b6b6624a3
humanhash: texas-seven-nineteen-salami
File name:24E0494E2312D51C94B3C79B6B6624A3.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:1'783'670 bytes
First seen:2021-06-08 07:10:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e04eb610508ddb951732064297e50b65 (6 x CryptBot)
ssdeep 49152:Pfe1cb3IkfqfL1wSMt1/9zBQMO6QCY6xsA3vLk4:Pfe1kIkfEL1wSMDZBQM53xTv44
Threatray 170 similar samples on MalwareBazaar
TLSH 38853382B6D1C4B6E0F156B4C9D86BAE2BFEFC360B1405C7978076472D947E7A338246
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://morqli01.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://morqli01.top/index.php https://threatfox.abuse.ch/ioc/68146/

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
24E0494E2312D51C94B3C79B6B6624A3.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-08 07:41:55 UTC
Tags:
autoit stealer
Link:
https://app.any.run/tasks/80751f80-3c74-4b16-84f5-440f19cf1f2f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165232/
Detection(s):
Win.Malware.Generic-9865508-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

PUA.Win.File.Zegost-9629018-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Deleting a recently created file
DNS request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/798552
Signature
Contains functionality to register a low level keyboard hook
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 430954 Sample: YYrZ7ZSspW.exe Startdate: 08/06/2021 Architecture: WINDOWS Score: 64 34 Multi AV Scanner detection for submitted file 2->34 9 YYrZ7ZSspW.exe 7 2->9         started        process3 signatures4 36 Contains functionality to register a low level keyboard hook 9->36 12 cmd.exe 1 9->12         started        process5 signatures6 38 Submitted sample is a known malware sample 12->38 40 Obfuscated command line found 12->40 42 Uses ping.exe to sleep 12->42 44 Uses ping.exe to check the status of other devices and networks 12->44 15 cmd.exe 3 12->15         started        18 conhost.exe 12->18         started        process7 signatures8 46 Obfuscated command line found 15->46 48 Uses ping.exe to sleep 15->48 20 PING.EXE 1 15->20         started        23 Sue.exe.com 15->23         started        25 findstr.exe 1 15->25         started        process9 dnsIp10 30 127.0.0.1 unknown unknown 20->30 27 Sue.exe.com 23->27         started        process11 dnsIp12 32 idKzCqtslhADhulgolkKJIJWVSe.idKzCqtslhADhulgolkKJIJWVSe 27->32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f90e6711618a1eab9147f90bdedd606fd975b785915ae37e50e7d2538682579/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-05-31 18:35:02 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t6iom4iwdcq6voiup6il33owa36zow3ylek24n7fbz6skodiev4q._file
Verdict:
malicious
Similar samples:
04c7a8fc8e75fa2a6f788b3c92cd46d6d99a517add2f875d9fdf8b4377d54acf
CryptBot
0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948
CryptBot
1298b62fc3c9668e95a2d8af5f3c227afa87083c3e614d48d01d01509316c3ec
CryptBot
1a1473655a8c5bd91dd85a303d458cae759a73b50dbc635a0f3da25dfbd17297
CryptBot
41f2e8b68fe406f818f0ab48067d967cc0a3430a9ddb97a191b3fca163b756ab
CryptBot
6f6a28c56adaaf83617deac4c89e060074b14697872ffcbce53c72cd5cf5a3b5
CryptBot
957860a901820c6cd66f49700a18a4fc3243104f8147805d1bbec9ec651f009b
CryptBot
9ac798196b54bcc62cf880e28321e32b2b59cdab375267027f5e812c139c1892
CryptBot
c3c916d14f61357a5e5a61e2efe0f061dc2b8b2cc4b113155f0048a752cdc85d
CryptBot
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
CryptBot
+ 160 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/210608-yaghz59n4x/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
Runs ping.exe
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
CryptBot
Unpacked files
SH256 hash:
bfaa6cac062a1b8637f5b590d7b1fc90aef96ce7810481273d5c80c919070d02
MD5 hash:
7c95bed79547429740e134ef0b87be6c
SHA1 hash:
a71420020f8f90cdc5102aea4e20a29ca42b1a8f
Link:
https://www.unpac.me/results/39aad636-b00f-49d5-b99e-0f40241ddd8d/
SH256 hash:
9f90e6711618a1eab9147f90bdedd606fd975b785915ae37e50e7d2538682579
MD5 hash:
24e0494e2312d51c94b3c79b6b6624a3
SHA1 hash:
505adda812658863544bea25d78bd99ebbebef7e
Link:
https://www.unpac.me/results/39aad636-b00f-49d5-b99e-0f40241ddd8d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f90e6711618a1eab9147f90bdedd606fd975b785915ae37e50e7d2538682579

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165232/

Comments