MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a300239150c8818d18e9a0df037ffd76d4467a84b8918543c227f8059cb4599f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cryptbot


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a300239150c8818d18e9a0df037ffd76d4467a84b8918543c227f8059cb4599f
SHA3-384 hash: 18e5a9f2a0295a22ca82b154811d14a0ecff513ee6eaf0bb921bbff1e8c2860984bc07d62bd76784e5ae1099f347bc2d
SHA1 hash: 7057968147e4f60f5adffeaea9b1ab7363189a84
MD5 hash: 9df352d5f866df1a1e1b6ca0dbf249e7
humanhash: maryland-lima-march-winner
File name:9df352d5f866df1a1e1b6ca0dbf249e7
Download: download sample
Signature Cryptbot
Create hunting rule
File size:1'245'002 bytes
First seen:2021-07-16 10:02:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:Zg1ZoefTY3tmKNxMU35hgqjcuVnRGF1Rz1Q3NLnZeCiOu7cHOPKHUEbTp:21Zoa89LMU59PeQ3WCKVK0EPp
Threatray 339 similar samples on MalwareBazaar
TLSH T1A94523D179E08165E1690EB06A3BD337F73BE5375510E62C970A4E8E7A64023CE34B7A
Reporter zbetcheckin
Tags:32 CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f268f8707a3c2a9a2ed4663e60c9cdc0.exe
Verdict:
Malicious activity
Analysis date:
2021-07-16 09:45:12 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/a4b6407e-f60b-4585-b9ea-87a9accb4433

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172166/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08a45504-1376-43ae-9384-0f2a7941f9ec
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817403
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449814 Sample: A6uXdzis1N Startdate: 16/07/2021 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Multi AV Scanner detection for dropped file 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 9 other signatures 2->80 11 A6uXdzis1N.exe 25 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 54 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->54 dropped 56 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->56 dropped 58 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->58 dropped 60 3 other files (none is malicious) 11->60 dropped 18 vpn.exe 7 11->18         started        20 4.exe 4 11->20         started        process5 file6 23 cmd.exe 1 18->23         started        50 C:\Users\user\AppData\...\SmartClock.exe, PE32 20->50 dropped 26 SmartClock.exe 20->26         started        process7 signatures8 82 Submitted sample is a known malware sample 23->82 84 Obfuscated command line found 23->84 86 Uses ping.exe to sleep 23->86 88 Uses ping.exe to check the status of other devices and networks 23->88 28 cmd.exe 3 23->28         started        31 conhost.exe 23->31         started        process9 signatures10 90 Obfuscated command line found 28->90 92 Uses ping.exe to sleep 28->92 33 Smorta.exe.com 28->33         started        36 PING.EXE 1 28->36         started        39 findstr.exe 1 28->39         started        process11 dnsIp12 72 May check the online IP address of the machine 33->72 42 Smorta.exe.com 3 19 33->42         started        64 127.0.0.1 unknown unknown 36->64 52 C:\Users\user\AppData\...\Smorta.exe.com, Targa 39->52 dropped file13 signatures14 process15 dnsIp16 66 ip-api.com 208.95.112.1, 49739, 80 TUT-ASUS United States 42->66 68 UTTHxeXMrRzwq.UTTHxeXMrRzwq 42->68 62 C:\Users\user\AppData\...\scgcwcwwho.vbs, ASCII 42->62 dropped 46 wscript.exe 12 42->46         started        file17 process18 dnsIp19 70 iplogger.org 88.99.66.31, 443, 49740 HETZNER-ASDE Germany 46->70 94 System process connects to network (likely due to code injection or exploit) 46->94 96 May check the online IP address of the machine 46->96 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a300239150c8818d18e9a0df037ffd76d4467a84b8918543c227f8059cb4599f/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 10:03:06 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=umachekqzcay2ghjudpqg775o3kem6uexciykq6ce74alhfulgpq._file
Verdict:
suspicious
Similar samples:
0dbfcf05490597b25cd7e6abaf698d821b00301625a85b3f1ee8e75d8a090a49
Cryptbot
12f0a80b6374b38a3997a7ef4528f26ccbca664b26e48533e7d1f36c78da76f4
Cryptbot
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a
Cryptbot
349fcfd6f24473d8b0c9429c0f71459a178125b6d42a48129d357ce99eca94fe
Cryptbot
600f6200d1eb3f8cd3371327fd9808b24389a13fc69a39aacc2af5c1d15886fc
Cryptbot
90ac0149296d9e41ed0cac8e96866f26e60b7585f75dddff13f67136ef694b63
Cryptbot
ab8d377d550ebae841ab75d2d6257fb38960efc049037bbd2468483871897e5d
Cryptbot
df85a38611751933558ef9e7da81e81025ffc5e5e92cedaf4d97fb0b9f147422
Cryptbot
eb4e54c1372f7002b2b49a9918e67f84d65e52f1b12c5b7313420a48d5305e41
Cryptbot
f35ceca80969fd2b7e78808fbe17aade7468a724562bfab1a2cdd022eba84302
Cryptbot
+ 329 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210716-ez9mkq8lmn/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
7802b26fc8a1f3c0d016253525dd35513cfbe8675b25063ce94bb60256c2c961
MD5 hash:
f38f313ce5ce8725aa6be1a82c85eab7
SHA1 hash:
d5911a8d335c833b51a1f3c30ac84b96282f9000
Link:
https://www.unpac.me/results/ba2a5a72-f1a5-45d1-a3cc-701a9a796957/
SH256 hash:
cbddc35b5112e4c61618d56abd510ea286b973f7b0ac5b98c58befe27602e61a
MD5 hash:
2887b42aa4a4c73b5c056e84f173ebcf
SHA1 hash:
6022dfe020a98ea4d4390b25f19141218211f736
Link:
https://www.unpac.me/results/ba2a5a72-f1a5-45d1-a3cc-701a9a796957/
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/ba2a5a72-f1a5-45d1-a3cc-701a9a796957/
SH256 hash:
a300239150c8818d18e9a0df037ffd76d4467a84b8918543c227f8059cb4599f
MD5 hash:
9df352d5f866df1a1e1b6ca0dbf249e7
SHA1 hash:
7057968147e4f60f5adffeaea9b1ab7363189a84
Link:
https://www.unpac.me/results/ba2a5a72-f1a5-45d1-a3cc-701a9a796957/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a300239150c8818d18e9a0df037ffd76d4467a84b8918543c227f8059cb4599f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_DLAgent14
Create hunting rule
Author:ditekSHen
Description:Detects downloader injector

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Cryptbot

Executable exe a300239150c8818d18e9a0df037ffd76d4467a84b8918543c227f8059cb4599f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1458756/
Cape
Cape
https://www.capesandbox.com/analysis/172166/

Comments


Avatar
zbet commented on 2021-07-16 10:02:08 UTC

url : hxxp://hofhes07.top/downfiles/lv.exe