MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2d3a21b0f2d7e34ea7498d45676f0e9879e734910c55fd38d1b815bccbe2fda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2d3a21b0f2d7e34ea7498d45676f0e9879e734910c55fd38d1b815bccbe2fda
SHA3-384 hash: 08d4b8707a96dec244cb301c89f883e323b1b8722a4b69e417db265781726a0918db0acf99559de15d91c15f6461e708
SHA1 hash: e75506393e5658671eb59bb24da56aff61b22097
MD5 hash: 28babff4bf714869ede6763962b401f6
humanhash: nuts-venus-lion-snake
File name:SecuriteInfo.com.Troj.Androm-TY.10046.27768
Download: download sample
Signature CryptBot
Create hunting rule
File size:728'064 bytes
First seen:2021-04-16 20:49:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fc39213713180aae00d5962f7c21023 (1 x CryptBot)
ssdeep 12288:QP8Twnt2BfYyPXDBQQockSCdEDSjZPkbkBlxxQXg2T1fFWvzoD0:bTjBAsNPoJSNSPTxjOZFWvUw
Threatray 143 similar samples on MalwareBazaar
TLSH F2F4011132E0C073C17336768524CBB25EBABDB59A658A8F6BC9067C9F347D19F2170A
Reporter SecuriteInfoCom
Tags:CryptBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Troj.Androm-TY.10046.27768
Verdict:
Malicious activity
Analysis date:
2021-04-16 20:52:21 UTC
Tags:
stealer trojan
Link:
https://app.any.run/tasks/c6d779b4-29f1-45cd-a0f8-06f93f3af3e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/136455/
Detection(s):
SecuriteInfo.com.Troj.Androm-TY.10046.27768.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file
Delayed reading of the file
Reading critical registry keys
Creating a window
DNS request
Connection attempt
Sending an HTTP POST request
Stealing user critical data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1b0c291c-82cb-48a0-aac7-7798a650d660
Result
Threat name:
Cryptbot Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/681937
Signature
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 389920 Sample: SecuriteInfo.com.Troj.Andro... Startdate: 16/04/2021 Architecture: WINDOWS Score: 100 82 Multi AV Scanner detection for domain / URL 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for URL or domain 2->86 88 11 other signatures 2->88 11 SecuriteInfo.com.Troj.Androm-TY.10046.exe 50 2->11         started        16 SmartClock.exe 2->16         started        18 SmartClock.exe 2->18         started        process3 dnsIp4 76 awuiua07.top 35.230.174.9, 49722, 49723, 80 GOOGLEUS United States 11->76 78 maroiv05.top 35.230.85.144, 49721, 80 GOOGLEUS United States 11->78 80 aufyus52.top 47.254.130.231, 49719, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 11->80 64 C:\Users\user\AppData\Local\Temp\Parus.exe, PE32 11->64 dropped 66 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 11->66 dropped 106 Detected unpacking (changes PE section rights) 11->106 108 Detected unpacking (overwrites its own PE header) 11->108 110 Tries to harvest and steal browser information (history, passwords, etc) 11->110 20 Parus.exe 19 11->20         started        24 cmd.exe 1 11->24         started        file5 signatures6 process7 file8 58 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 20->58 dropped 60 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 20->60 dropped 62 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 20->62 dropped 90 Multi AV Scanner detection for dropped file 20->90 92 Machine Learning detection for dropped file 20->92 26 vpn.exe 7 20->26         started        28 4.exe 4 20->28         started        94 Submitted sample is a known malware sample 24->94 96 Obfuscated command line found 24->96 98 Uses ping.exe to sleep 24->98 100 Uses ping.exe to check the status of other devices and networks 24->100 31 conhost.exe 24->31         started        33 timeout.exe 1 24->33         started        signatures9 process10 file11 35 cmd.exe 1 26->35         started        37 makecab.exe 1 26->37         started        68 C:\Users\user\AppData\...\SmartClock.exe, PE32 28->68 dropped 39 SmartClock.exe 28->39         started        process12 process13 41 cmd.exe 3 35->41         started        44 conhost.exe 35->44         started        46 conhost.exe 37->46         started        signatures14 102 Obfuscated command line found 41->102 104 Uses ping.exe to sleep 41->104 48 PING.EXE 41->48         started        51 Mano.exe.com 41->51         started        53 findstr.exe 1 41->53         started        process15 dnsIp16 70 127.0.0.1 unknown unknown 48->70 72 192.168.2.1 unknown unknown 48->72 55 Mano.exe.com 51->55         started        process17 dnsIp18 74 kqtiaVthdJOR.kqtiaVthdJOR 55->74
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2d3a21b0f2d7e34ea7498d45676f0e9879e734910c55fd38d1b815bccbe2fda/
Threat name:
Win32.Trojan.Ulise
Create hunting rule
Status:
Malicious
First seen:
2021-04-16 20:24:15 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0bdb7a98c650426ff70b666a8a1f28b421a6135e729a70baf87a5c126fbd788a
CryptBot
12f0a80b6374b38a3997a7ef4528f26ccbca664b26e48533e7d1f36c78da76f4
CryptBot
26e294b557033c04b7a9039b6e2ef1ec35f8c3ec1a06be3d7b73ddd3ff10395c
CryptBot
4b6f69b3ade95902351f28e2862234569b3ddd1166b1e936441b530524a32c33
CryptBot
76ddf24374fc1975cbdeb30718badfa60d15ba78f4123e56c46c5f370622ef77
CryptBot
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
CryptBot
ac2c2e2b67deca31d1f61ff956ef8b676fa733da9c682f26fbda28b46c6e6f63
CryptBot
c3fd41da298b657f36085d828012a94c9979400b753c028eb26d0a6fb50b05bb
CryptBot
c8a30abef2939b6c3b6193feffbaf8ba4a87c79fc32e71b10b94bbdb8e1e238f
CryptBot
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
CryptBot
+ 133 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210416-8pez9qyrmj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a2d3a21b0f2d7e34ea7498d45676f0e9879e734910c55fd38d1b815bccbe2fda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe a2d3a21b0f2d7e34ea7498d45676f0e9879e734910c55fd38d1b815bccbe2fda

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/136455/
  
URLhaus
https://urlhaus.abuse.ch/url/1127420/
  
Delivery method
Distributed via web download

Comments