MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b31544541ebcdaeb7746d400b534e0ce49abb44d5922acacaa1653c492cbd650. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b31544541ebcdaeb7746d400b534e0ce49abb44d5922acacaa1653c492cbd650
SHA3-384 hash: 376ca9e6732a1a8d30cdc36aa492079a24c215f41b25ac24979708afd6d70a250891c6c6296eaf94f5a142a94dc13701
SHA1 hash: 443b015041e47df9415751a3a53f13d35bdc1c99
MD5 hash: 93fcd145230a1874c388a83533d6f83d
humanhash: charlie-florida-hydrogen-white
File name:93fcd145230a1874c388a83533d6f83d.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:2'245'964 bytes
First seen:2021-03-23 16:04:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 49152:J1xDC6E6A4e2dE/id78jDXibnJw7DYyehWYmZP4+NZ:jcgAujW3u4YyeoY6Z
Threatray 225 similar samples on MalwareBazaar
TLSH 28A533489A80AD7FE9BB7F7116E507AD3BE9F8201C15F632774034DE566230AC904E9B
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://crackedlink.com/cyberlink-powerdirector-crack/
Verdict:
Malicious activity
Analysis date:
2021-03-24 01:56:18 UTC
Tags:
autoit stealer trojan loader evasion
Link:
https://app.any.run/tasks/2ec9bb5e-6dea-462d-98a1-3ec5880c857a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/126719/
Detection(s):
SecuriteInfo.com.Malware.PDB-11.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Sending a UDP request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/650326
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 374122 Sample: ayFeeRKhzS.exe Startdate: 23/03/2021 Architecture: WINDOWS Score: 100 96 iplogger.org 2->96 114 Multi AV Scanner detection for dropped file 2->114 116 Multi AV Scanner detection for submitted file 2->116 118 Detected unpacking (changes PE section rights) 2->118 120 8 other signatures 2->120 12 ayFeeRKhzS.exe 21 2->12         started        15 SmartClock.exe 2->15         started        17 SmartClock.exe 2->17         started        signatures3 process4 file5 86 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 12->86 dropped 88 C:\Users\user\AppData\Local\Temp\...\6.exe, PE32 12->88 dropped 90 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 12->90 dropped 92 2 other files (1 malicious) 12->92 dropped 19 6.exe 7 12->19         started        22 vpn.exe 7 12->22         started        24 5.exe 179 12->24         started        28 4.exe 4 12->28         started        process6 dnsIp7 76 C:\Users\user\AppData\Roaming\...\Tutte.dotx, COM 19->76 dropped 30 cmd.exe 1 19->30         started        33 svchost.exe 19->33         started        35 cmd.exe 1 22->35         started        37 svchost.exe 22->37         started        106 googlehosted.l.googleusercontent.com 172.217.168.33, 443, 49691 GOOGLEUS United States 24->106 108 doc-0g-04-docs.googleusercontent.com 24->108 78 C:\Users\user\AppData\...\WinRing0x64.sys, PE32+ 24->78 dropped 80 C:\Users\user\AppData\Local\...\Active.exe, PE32+ 24->80 dropped 82 C:\Users\user\AppData\...\AutoIt3_x64.exe, PE32+ 24->82 dropped 122 Query firmware table information (likely to detect VMs) 24->122 124 Sample is not signed and drops a device driver 24->124 39 cmd.exe 24->39         started        110 192.168.2.1 unknown unknown 28->110 84 C:\Users\user\AppData\...\SmartClock.exe, PE32 28->84 dropped 41 SmartClock.exe 28->41         started        file8 signatures9 process10 signatures11 136 Submitted sample is a known malware sample 30->136 138 Obfuscated command line found 30->138 140 Uses ping.exe to sleep 30->140 142 Uses ping.exe to check the status of other devices and networks 30->142 43 cmd.exe 3 30->43         started        46 conhost.exe 30->46         started        48 cmd.exe 3 35->48         started        50 conhost.exe 35->50         started        process12 signatures13 52 Taciturna.exe.com 43->52         started        54 PING.EXE 43->54         started        57 findstr.exe 43->57         started        130 Obfuscated command line found 48->130 132 Uses ping.exe to sleep 48->132 59 Molta.exe.com 48->59         started        62 findstr.exe 48->62         started        65 PING.EXE 48->65         started        process14 dnsIp15 67 Taciturna.exe.com 52->67         started        104 127.0.0.1 unknown unknown 54->104 134 May check the online IP address of the machine 59->134 70 Molta.exe.com 59->70         started        94 C:\Users\user\AppData\...\Molta.exe.com, Targa 62->94 dropped file16 signatures17 process18 dnsIp19 98 EqzbRWphRAoFVnLs.EqzbRWphRAoFVnLs 67->98 100 rhRDHAYtAoQHDCIZfrnmk.rhRDHAYtAoQHDCIZfrnmk 70->100 102 ip-api.com 208.95.112.1, 49707, 80 TUT-ASUS United States 70->102 72 wscript.exe 70->72         started        process20 dnsIp21 112 iplogger.org 88.99.66.31, 443, 49708, 49709 HETZNER-ASDE Germany 72->112 126 System process connects to network (likely due to code injection or exploit) 72->126 128 May check the online IP address of the machine 72->128 signatures22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b31544541ebcdaeb7746d400b534e0ce49abb44d5922acacaa1653c492cbd650/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-03-23 11:27:36 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wmkuiva6xtnow52g2qalknhazze2xncnlerkzlfkczj4jewl2zia._file
Verdict:
malicious
Similar samples:
118f24dab3dce4a5ae6e3ab078551cbc628b475abeeafa07a5972622aaa38812
CryptBot
7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d
CryptBot
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
CryptBot
9cda1177646d0a69217e80541b33a93f1343a3406729fd09fb19a19808cfed4b
CryptBot
b0e796694c790548cf9553a6ed536b21e8471064c4ae887304137ffcafbe257f
CryptBot
bced04a0ef9306f81abe9dcd2bf613802076f1d2012f23bcc42a208acabf25dd
CryptBot
c8a30abef2939b6c3b6193feffbaf8ba4a87c79fc32e71b10b94bbdb8e1e238f
CryptBot
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
CryptBot
f5acccf9cda0f0ff2063de3983bc8964b9020d30feff2e3a8b20800d3c4fe034
CryptBot
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
CryptBot
+ 215 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig discovery evasion miner spyware stealer
Link:
https://tria.ge/reports/210323-x6nrslxde6/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Sets file to hidden
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
ec63591e0f0056eb11838888e19f4569b1890088b1a5b79bcb7e0707e9b5e1aa
MD5 hash:
a5cce8ef929493606198678cd0ada726
SHA1 hash:
705808b0d6a6cf948720b690a347479f5777feb9
Link:
https://www.unpac.me/results/62cf50c8-9d1c-4dab-b761-95d7d7d5d1d8/
SH256 hash:
63b3d6c451a4938e0c4261639e7a3739c59bfff94d77493e935ad550270c0d2b
MD5 hash:
0d412e71fedce55b23547cca8b4ca463
SHA1 hash:
c0fae0185344c5c69a4218b450b373ec8f630e2f
Link:
https://www.unpac.me/results/62cf50c8-9d1c-4dab-b761-95d7d7d5d1d8/
SH256 hash:
a56d515897f4d9d336602a1809949629f0e79e1fa0d55154b3b1121fb6138085
MD5 hash:
b3d3f51c4249eeaa7d5245ea4f8c7460
SHA1 hash:
2a3627e3aeeab195eec76c2a65394d178c954f9f
Link:
https://www.unpac.me/results/62cf50c8-9d1c-4dab-b761-95d7d7d5d1d8/
SH256 hash:
c9b35cd2370bb82640f1ef41aaa183acc4b8f175fce51c1c2c1be673f80e284b
MD5 hash:
d65e17f567926bb9db5f439980fd03f9
SHA1 hash:
b4262d2882e45dcff2c576ccd9ac32103e67d77b
Link:
https://www.unpac.me/results/62cf50c8-9d1c-4dab-b761-95d7d7d5d1d8/
SH256 hash:
b31544541ebcdaeb7746d400b534e0ce49abb44d5922acacaa1653c492cbd650
MD5 hash:
93fcd145230a1874c388a83533d6f83d
SHA1 hash:
443b015041e47df9415751a3a53f13d35bdc1c99
Link:
https://www.unpac.me/results/62cf50c8-9d1c-4dab-b761-95d7d7d5d1d8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b31544541ebcdaeb7746d400b534e0ce49abb44d5922acacaa1653c492cbd650

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe b31544541ebcdaeb7746d400b534e0ce49abb44d5922acacaa1653c492cbd650

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/126719/
  
URLhaus
https://urlhaus.abuse.ch/url/1085941/
  
Delivery method
Distributed via web download

Comments