MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b58ae02c20b5b5780660b6a7c2d9112e5d367e27b22164ea3c739c8326fc2a02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 9


Intelligence 9 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b58ae02c20b5b5780660b6a7c2d9112e5d367e27b22164ea3c739c8326fc2a02
SHA3-384 hash: 14cf7e1b916fc1a689fcd73d2b22a209f4348206d62cb3ebd3745a505a9feaa846c192d42a87662abe796c36c493064f
SHA1 hash: d5ab2037d6ae48c48199ae303dc7948ce3c2f54e
MD5 hash: 7eeca3c0b5965628f45011c86b265309
humanhash: papa-georgia-dakota-ohio
File name:setup_x86_x64_install2.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:1'921'539 bytes
First seen:2021-07-03 06:23:08 UTC
Last seen:2021-07-03 06:54:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e04eb610508ddb951732064297e50b65 (6 x CryptBot)
ssdeep 24576:2/T4vZzcDlxMW7S/IETy76b2ndHn+Y2SaE33nQq4KjLjBsYGg1twBedOroA5SKUo:2bkawW7qgGbKdHnDnHP9XzwMcWaXKY
TLSH 17950243A3CADFF4F8B4823158A7F33421DC9B3645E50E07295DED2256AA982B0F6D4D
Reporter RTrappman
Tags:CryptBot exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://moraid05.top/index.php https://threatfox.abuse.ch/ioc/157139/
http://xeiqvo57.top/index.php https://threatfox.abuse.ch/ioc/157363/

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install2.exe
Verdict:
Malicious activity
Analysis date:
2021-07-03 06:29:29 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/67b061aa-040a-4d89-83ee-eaa99567d05a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169476/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

PUA.Win.File.Zegost-9629018-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/33e1362f-5240-45de-9c47-5edc7e9b6b54
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/811350
Signature
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443761 Sample: setup_x86_x64_install2.exe Startdate: 03/07/2021 Architecture: WINDOWS Score: 68 36 Multi AV Scanner detection for submitted file 2->36 38 Machine Learning detection for sample 2->38 9 setup_x86_x64_install2.exe 7 2->9         started        process3 signatures4 40 Contains functionality to register a low level keyboard hook 9->40 12 cmd.exe 1 9->12         started        process5 signatures6 42 Submitted sample is a known malware sample 12->42 44 Obfuscated command line found 12->44 46 Uses ping.exe to sleep 12->46 48 Uses ping.exe to check the status of other devices and networks 12->48 15 cmd.exe 3 12->15         started        18 conhost.exe 12->18         started        process7 signatures8 50 Obfuscated command line found 15->50 52 Uses ping.exe to sleep 15->52 20 PING.EXE 1 15->20         started        23 Corpo.exe.com 15->23         started        25 findstr.exe 1 15->25         started        process9 dnsIp10 30 127.0.0.1 unknown unknown 20->30 32 192.168.2.1 unknown unknown 20->32 27 Corpo.exe.com 23->27         started        process11 dnsIp12 34 BEZUrNzuVrtXuEDkgQ.BEZUrNzuVrtXuEDkgQ 27->34
Detection:
cryptbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b58ae02c20b5b5780660b6a7c2d9112e5d367e27b22164ea3c739c8326fc2a02/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-07-03 01:40:00 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wwfoalbaww2xqbtaw2t4fwirfzotm7rhwiqwj2r4oooigjx4fiba._file
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/210703-ekjvgf3kjx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
CryptBot
Unpacked files
SH256 hash:
0a68e0570b9a645518dbde7ca327dade4cb516e214e551e8da01d53fd9ba554f
MD5 hash:
8fc3d3217ae6473b0c13cc54bb420638
SHA1 hash:
1553ccc779c834e7bf842c8591a2306562561e2d
Link:
https://www.unpac.me/results/151ca784-74e8-4514-9dc8-707cfd07d0c0/
SH256 hash:
b58ae02c20b5b5780660b6a7c2d9112e5d367e27b22164ea3c739c8326fc2a02
MD5 hash:
7eeca3c0b5965628f45011c86b265309
SHA1 hash:
d5ab2037d6ae48c48199ae303dc7948ce3c2f54e
Link:
https://www.unpac.me/results/151ca784-74e8-4514-9dc8-707cfd07d0c0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b58ae02c20b5b5780660b6a7c2d9112e5d367e27b22164ea3c739c8326fc2a02

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169476/

Comments