MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad692da30708a48f79ec4ac1e1dcbe70ef2da368e704a019b70c410ce610daef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 7


Intelligence 7 IOCs 3 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad692da30708a48f79ec4ac1e1dcbe70ef2da368e704a019b70c410ce610daef
SHA3-384 hash: 99dc34c9785c922551a81644aa7577f67b96c0fa162bc84b5f5e820f8be1b644dc8684cc3cc87fdc39bcc5ae264ebf70
SHA1 hash: cfe440a61f8d71b3e7f940f70a394cec33e7d348
MD5 hash: bc77142742a9c68969d4fec89f940fe8
humanhash: jupiter-victor-georgia-double
File name:bc77142742a9c68969d4fec89f940fe8.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:329'216 bytes
First seen:2021-04-18 13:10:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c3800c56dd787c3bbf0c039fc8079bf1 (2 x CryptBot)
ssdeep 6144:b2L2Ai5swZKCrhB1pquxbsPHCD1aX+DA0g4hpp:b2Sb5swZKCh/pdxMCDQsAV+p
Threatray 1'491 similar samples on MalwareBazaar
TLSH 6964BE1133E0C133D49320758516CBB18EBA747567659ACFBBD90EB86F28BE1A73530A
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://legend0.ru/cfg/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://legend0.ru/cfg/ https://threatfox.abuse.ch/ioc/8849/
http://maruil07.top/index.php https://threatfox.abuse.ch/ioc/8855/
http://aufvhu72.top/index.php https://threatfox.abuse.ch/ioc/8856/

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bc77142742a9c68969d4fec89f940fe8.exe
Verdict:
Malicious activity
Analysis date:
2021-04-18 13:11:34 UTC
Tags:
trojan loader taurus stealer predator evasion
Link:
https://app.any.run/tasks/e77f15b4-a7c2-49a9-8842-86da94104ee7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/137726/
Detection(s):
Win.Malware.Generic-9852694-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Creating a process from a recently created file
Containing strings that indicate a threat
Reading critical registry keys
Creating a file
Replacing files
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Searching for the window
Delayed reading of the file
Creating a window
Connection attempt
Sending an HTTP POST request
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/685003
Signature
Antivirus detection for URL or domain
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Cryptbot
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 391450 Sample: gTqtH6gpC1.exe Startdate: 18/04/2021 Architecture: WINDOWS Score: 100 90 bQlpziSOkRF.bQlpziSOkRF 2->90 92 ip-api.com 2->92 108 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->108 110 Malicious sample detected (through community Yara rule) 2->110 112 Antivirus detection for URL or domain 2->112 114 11 other signatures 2->114 12 gTqtH6gpC1.exe 24 2->12         started        17 SmartClock.exe 2->17         started        signatures3 process4 dnsIp5 102 gcleanin.in 8.211.4.107, 49738, 49739, 49741 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 12->102 104 iplogger.org 88.99.66.31, 443, 49758, 49759 HETZNER-ASDE Germany 12->104 106 2 other IPs or domains 12->106 82 C:\Users\user\AppData\...\98420568159.exe, PE32 12->82 dropped 84 C:\Users\user\AppData\...\38977367845.exe, PE32 12->84 dropped 86 C:\Users\user\AppData\Local\...\file[1].exe, PE32 12->86 dropped 88 3 other files (2 malicious) 12->88 dropped 136 Detected unpacking (changes PE section rights) 12->136 138 Detected unpacking (overwrites its own PE header) 12->138 140 May check the online IP address of the machine 12->140 19 cmd.exe 1 12->19         started        21 cmd.exe 1 12->21         started        24 cmd.exe 1 12->24         started        file6 signatures7 process8 signatures9 26 98420568159.exe 49 19->26         started        31 conhost.exe 19->31         started        116 Submitted sample is a known malware sample 21->116 33 38977367845.exe 13 21->33         started        35 conhost.exe 21->35         started        37 taskkill.exe 1 24->37         started        39 conhost.exe 24->39         started        process10 dnsIp11 94 aufvhu72.top 34.106.56.30, 49777, 80 GOOGLEUS United States 26->94 96 maruil07.top 35.230.85.144, 49781, 80 GOOGLEUS United States 26->96 98 awushk10.top 26->98 78 C:\Users\user\AppData\Local\Temp\Bulgir.exe, PE32 26->78 dropped 80 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 26->80 dropped 122 Multi AV Scanner detection for dropped file 26->122 124 Detected unpacking (changes PE section rights) 26->124 126 Detected unpacking (overwrites its own PE header) 26->126 128 Tries to harvest and steal browser information (history, passwords, etc) 26->128 41 Bulgir.exe 26->41         started        45 cmd.exe 26->45         started        100 legend0.ru 8.209.110.86, 49749, 49766, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 33->100 130 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->130 132 Tries to steal Mail credentials (via file access) 33->132 134 Machine Learning detection for dropped file 33->134 47 WerFault.exe 23 9 33->47         started        file12 signatures13 process14 file15 72 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 41->72 dropped 74 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 41->74 dropped 76 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 41->76 dropped 118 Multi AV Scanner detection for dropped file 41->118 120 Machine Learning detection for dropped file 41->120 49 4.exe 41->49         started        52 vpn.exe 41->52         started        54 conhost.exe 45->54         started        56 timeout.exe 45->56         started        signatures16 process17 file18 70 C:\Users\user\AppData\...\SmartClock.exe, PE32 49->70 dropped 58 SmartClock.exe 49->58         started        60 cmd.exe 52->60         started        62 makecab.exe 52->62         started        process19 process20 64 conhost.exe 60->64         started        66 cmd.exe 60->66         started        68 conhost.exe 62->68         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad692da30708a48f79ec4ac1e1dcbe70ef2da368e704a019b70c410ce610daef/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vvus3iyhbcsi66pmjla6dxf6odxs3i3i44ckagnxbraqzzqq3lxq._file
Verdict:
malicious
Similar samples:
2c2d88dbff1f9196148cc3c7501d4c45b05ef51887651b3bcdbb111fcc7a2ba2
CryptBot
388d18b98704bff34ac1cb0a6603e68ba300205ee2f14e4bf482f1012d933231
CryptBot
52693062f8af884f53bc708c947256273d6362ba955b5b16653557f80150925c
CryptBot
596ab1ddff660a3cd00e14f5e43d5af6a0ad03a41d07a51344b8eb61a594d27f
CryptBot
862e41d1ddfa72722af62eb35aac11970ed21b6a7f01c78f715be65f5d72724c
CryptBot
ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e144e000dd97c1abbc78
CryptBot
bcc495c75df0a47f59a60fdfb870bf833f0d320aff3f1e316f1cd96b5e578c07
CryptBot
dd7211d8c5d8b0e6290b9eb79787d64b73a91bde129ccc2d83525c4a8d24a531
CryptBot
f577b55f66304cbec61d7504a51ef5669eaf0d5731f236410c3939e515e56040
CryptBot
fac9410d22c0e26ebfb6aa70649656a38685924cfb37638f95f35eb46b0cb71a
CryptBot
+ 1'481 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210418-vjvdk6c65s/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe ad692da30708a48f79ec4ac1e1dcbe70ef2da368e704a019b70c410ce610daef

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1135384/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/137726/

Comments