MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8df70d0227e4277fa8e1e2efe6f86c4c087f60a68744aa89df83d1cdd15253f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	b8df70d0227e4277fa8e1e2efe6f86c4c087f60a68744aa89df83d1cdd15253f
SHA3-384 hash:	af6bc0e3c61d2c066f403282fb15c0b6d7121fbf6590e3d0fd90b35e4d1e148d178db5df346101b2404212c8ad4f8018
SHA1 hash:	a018b557975a35fa8c001a43a55d08cef7d426f2
MD5 hash:	67846d1862f63942b00eb61e47be2652
humanhash:	pennsylvania-nebraska-finch-music
File name:	file
Download:	download sample
Signature	CryptBot Create hunting rule
File size:	2'601'917 bytes
First seen:	2024-08-13 13:07:11 UTC
Last seen:	2024-08-14 04:06:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	196992c146062db84cbd73903ca4b0ad (7 x CryptBot)
ssdeep	24576:jwda+neGKs33WaOAv48rTlcIN6Khi6UySec31Wnn+heWMKEImx8WtylVJnNtPXXn:f23xASuhKVmU+4WMKM9chFv
TLSH	T108C5C76BED0356CCC093F6B3A9D3BA2BA8246F18412E892F9D068C16F7557917C7D213
TrID	32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 20.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter	Bitsight
Tags:	CryptBot exe

Bitsight

url: http://185.215.113.16/inc/1111.exe

Intelligence

File Origin

# of uploads :

# of downloads :

411

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2024-08-13 13:10:57 UTC

Tags:

stealer cryptbot

Link:

https://app.any.run/tasks/69635525-ff0c-4ec3-b7ed-d81c00dcefba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Malware.Barys-10032866-0

Win.Malware.Zusy-10033309-0

Win.Malware.Zusy-10033341-0

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66bb5ab4b35234d5cc65dbcd

Tags:

Encryption Network Stealth

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending an HTTP POST request

Creating a window

Reading critical registry keys

Stealing user critical data

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

anti-debug overlay

Link:

https://www.filescan.io/uploads/66bb5ab4b70f08db50c5f7b5/reports/a0381e93-f552-421c-958d-53815831f517/overview

Verdict:

Malicious

Labled as:

Dacic.3471.Generic

Link:

https://www.hybrid-analysis.com/sample/b8df70d0227e4277fa8e1e2efe6f86c4c087f60a68744aa89df83d1cdd15253f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/bef3e721-3f21-41df-9ba5-0c7ef58f4595

Result

Threat name:

Cryptbot

Detection:

malicious

Classification:

troj.spyw

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1492177

Signature

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Cryptbot

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b8df70d0227e4277fa8e1e2efe6f86c4c087f60a68744aa89df83d1cdd15253f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b8df70d0227e4277fa8e1e2efe6f86c4c087f60a68744aa89df83d1cdd15253f/

Threat name:

Win32.Trojan.Cryptnot

Status:

Malicious

First seen:

2024-08-13 13:08:06 UTC

File Type:

PE (Exe)

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xdpxbubcpzbhp6uodyxp434gytaip5qknb2evke57a6rzxiveu7q._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

9/10

Tags:

credential_access discovery spyware stealer

Link:

https://tria.ge/reports/240813-qc7xbszdjj/

Behaviour

Checks processor information in registry

System Location Discovery: System Language Discovery

Checks installed software on the system

Reads user/profile data of web browsers

Credentials from Password Stores: Credentials from Web Browsers

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a79590d8-1e12-4b8c-a4de-9ce2ac0e3cd1

Unpacked files

SH256 hash:

b8df70d0227e4277fa8e1e2efe6f86c4c087f60a68744aa89df83d1cdd15253f

MD5 hash:

67846d1862f63942b00eb61e47be2652

SHA1 hash:

a018b557975a35fa8c001a43a55d08cef7d426f2

Link:

https://www.unpac.me/results/34d9b2cb-bab5-42f1-b3c5-1f15fcacbe84/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.97

Link:

https://yomi.yoroi.company/submissions/b8df70d0227e4277fa8e1e2efe6f86c4c087f60a68744aa89df83d1cdd15253f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of MFA browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

exe b8df70d0227e4277fa8e1e2efe6f86c4c087f60a68744aa89df83d1cdd15253f

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3102108/

URLhaus

https://urlhaus.abuse.ch/url/3102112/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample