MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aef5d4d5dc8d4c03c42af785cf547f7e43ebc256a15e013cca7561355b27c824. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cryptbot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aef5d4d5dc8d4c03c42af785cf547f7e43ebc256a15e013cca7561355b27c824
SHA3-384 hash: 00af56d53125b5781e13cb35dfaa419a1e0e198528b0b13328f7ec9d8a954b609bcda0425e95362978cf55a3d24e9168
SHA1 hash: 4aa5f234d023c0733b988d425cc156a798a40f19
MD5 hash: 5eb5af4094a58950038f47271dfeb7d1
humanhash: fillet-apart-zebra-lithium
File name:Setup.exe
Download: download sample
Signature Cryptbot
Create hunting rule
File size:1'917'819 bytes
First seen:2021-07-05 10:06:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e04eb610508ddb951732064297e50b65 (6 x CryptBot)
ssdeep 49152:8bkyHXqs8gcCG7w6rqrt2l+zRmI0xaCH8:8bkyH6yG7cbRmD3H8
Threatray 301 similar samples on MalwareBazaar
TLSH CC95E01226AB9431C4CA89B25070FDE3D1A6EF8C2BD8A567666427F6DEF318C5530F43
Reporter CholeVallabh
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-07-05 10:09:35 UTC
Tags:
trojan stealer
Link:
https://app.any.run/tasks/85703504-31b8-4939-949d-e3ca2969df5d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169720/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

PUA.Win.File.Zegost-9629018-0
Create hunting rule

SecuriteInfo.com.BAT.Drop.2756.10151.21900.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/abef2cd7-6974-4f06-ba8f-c2bfba09aa09
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/811807
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 444218 Sample: Setup.exe Startdate: 05/07/2021 Architecture: WINDOWS Score: 96 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 3 other signatures 2->40 9 Setup.exe 7 2->9         started        process3 signatures4 42 Contains functionality to register a low level keyboard hook 9->42 12 cmd.exe 1 9->12         started        process5 signatures6 44 Submitted sample is a known malware sample 12->44 46 Obfuscated command line found 12->46 48 Uses ping.exe to sleep 12->48 50 Uses ping.exe to check the status of other devices and networks 12->50 15 cmd.exe 3 12->15         started        18 conhost.exe 12->18         started        process7 signatures8 52 Obfuscated command line found 15->52 54 Uses ping.exe to sleep 15->54 20 PING.EXE 1 15->20         started        23 Ore.exe.com 15->23         started        25 findstr.exe 1 15->25         started        process9 dnsIp10 30 127.0.0.1 unknown unknown 20->30 27 Ore.exe.com 23->27         started        process11 dnsIp12 32 tPDIsWawhpDNFyearrcFDHACMRvJ.tPDIsWawhpDNFyearrcFDHACMRvJ 27->32
Detection:
cryptbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aef5d4d5dc8d4c03c42af785cf547f7e43ebc256a15e013cca7561355b27c824/
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2021-07-05 10:07:09 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
29e9301a2a4536910df563d965e6f7017786f229133c19b925216b0c056423b9
Cryptbot
5ae829af19623394beedd713e57223f23f48463195eb3ff0251be90d5a18f9f9
Cryptbot
65ab84623b8caddbaf3e6819675b14f4e66da969cf580c46d1e559deb03bd89a
Cryptbot
8c085bb6591e5d7b0846eda3d7758a1c882be7f5bfb35210c831dc52848c6fa9
Cryptbot
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
Cryptbot
a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3
Cryptbot
bff4375a0d35102b53ca3dbc8811638091b9b2df65bec2b7fc6a38cbf50d0a45
Cryptbot
e9da1da3a4fb2050b9b17f5dbb1dd5f334f22637fc8186052d152cc631839f9b
Cryptbot
fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
Cryptbot
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
Cryptbot
+ 291 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/210705-vpwdws1fwn/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
CryptBot
Unpacked files
SH256 hash:
d0c2208cac9cf894507b4d442c821dc2d85fd7fbb0d0ff5bc181cec4b3bfc6b9
MD5 hash:
7d0827371ad8d2a3c017fdd9b380edd3
SHA1 hash:
c2c1f423b6d22dc91b69e2261bd447e7f9f18640
Link:
https://www.unpac.me/results/02338362-0c07-4c32-808d-d76e1acc4315/
Parent samples :
c9e1de1c6ddd3ffd9c87ebdbcf9bd5b7064af9f60f650ae50573b05a49af8327
1e71bcb4133949eaa1bead27b4e01f03f7802c6b92f61acbb6b8d7c8faf419d7
3ecf5237981fc6575586fe2e13f9afe240b132b58d7bc071296ec3816b150d26
bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772
feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36
f8387262e71195a4db4a0ca0fe68b973e225b8dfe7b475580d19240a760d1e73
fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693
5e30143f53af82ff891d9801ccff6b30e3dc7f3401bba597accb26e2d3b8b25d
fa5995b67f40f6c2cf7f3edba1e5a2213f2b083a35b13503af7a6203b4b8c33a
a6b218813c937087c078983f17d2520b0c2e7ad5d0cc41bfdf1d0cb540e4470a
440a157bbd8c8332d4edc63e6dc1399777e73bfb7ef3c5a356ab98fa56d1feea
95fb9ca82017f2a6bc59df0d72fc6f90043e135799d25e9922d4943da4c36874
007c6dfe4466894d678c06e6b30df77225450225ddd8e904e731cab32e82c512
9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba
c71463ac4fb8dd985b249b61e54888137bea84dab7c202546e230eb450fc0969
34b896d2e6470b2bd8facb9a796e0a521b78ec4956a573b5b38cacdc42622caa
8b738c9057baa2c3219120919226e95659cccec0dc61aca579bba58c7090719e
f6b2cd5327818418db45f70ed99bc6751d836eaf503a9bf33602af0c74f61e83
b426a6cb4005e266bf9b91b30d46fbbd0d6c541ac40d295aa99b8b7ef45e0edf
d43af0c0a5058412c903698b4ac55f150f6a20cac43344b5a596906780dac1f7
b4ca0b94b1a4e5b2ed28ad66c2df781b5add3c46cf5232b64b3a5253bcc341e8
1d40c76cecaabdf1e1d0004aa15cb469aa4374d1d0b2e48a47e588b1f84113d6
afdb413119fa2e0755a4885146d44547b97096d700d2b1236c6aba8f9bb9719d
7e74f3e8d070de8a3d3488dc7e68281d2450f28f79ee84edf3e0ea7c62bd7f91
d11d8d13e611c17ae61db286984170b2eb6802d2c23630e3211b9cfddaef09e6
d1dae6a275073c722606d35b783b4d176c0d8e0feff6c903c27ab9f0f8d7ab07
7c86e8c4143be0e27af9558ca46b3b4d7c5bee5e58e18902757bc02f6a3863a2
28319673d8f382142e223302ede1e0e497ccac2cd7a9814715726335e78c29c7
b130fe2fceada2a1980b6a0015c1bc1a9c1ee08f6229d99e43de82351da541fa
48a4042854a402824d35f4c95aed1e448d652d79ed0c251635acbc073200dfcf
e1f193deaa71595b668320d294635988f66c0f1ab1ab218e08fe3ae87fe10838
90f608b784fc8eac0a899d6aec257ec4beaf836e0cc808c7496f131aba61bef0
8435702911a3d6ebac7acef5aff7bc30395427892c1ddf39647b912a93260258
5bbb7a91ebfa925b0765103006bdde91f19c648ae792fab9dbc73832f3b2423c
SH256 hash:
aef5d4d5dc8d4c03c42af785cf547f7e43ebc256a15e013cca7561355b27c824
MD5 hash:
5eb5af4094a58950038f47271dfeb7d1
SHA1 hash:
4aa5f234d023c0733b988d425cc156a798a40f19
Link:
https://www.unpac.me/results/02338362-0c07-4c32-808d-d76e1acc4315/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aef5d4d5dc8d4c03c42af785cf547f7e43ebc256a15e013cca7561355b27c824

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169720/

Comments