MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df
SHA3-384 hash: 08635907ba9d73a1959a83ac8e168136c7da05ea3d3edfb5c17eedb46ed8c4ddcc84ed72bdf5e1f3f20ec2a71652d5fb
SHA1 hash: c1076efa4f4dab9890cf04164366251467515a31
MD5 hash: 731ba8db421ddaff4337a141afd214ae
humanhash: harry-october-single-apart
File name:bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:1'015'592 bytes
First seen:2021-10-04 17:26:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e51ee40ae0ed0decdf850b45dd7e4ce6 (1 x CryptBot, 1 x RedLineStealer)
ssdeep 24576:4QJShOWYqQnzsQNvQFe0MTMoBNE+OycrhZkI:nJShdqsQNvQF9MTMoHohZ
Threatray 35 similar samples on MalwareBazaar
TLSH T1E525001165609F3BF0B927705068F19567B4ACB2D710A3FAE1C43AAA6FF02D36568F13
File icon (PE):PE icon
dhash icon 306870b2b2b2b2a8 (1 x CryptBot)
Reporter Anonymous
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-10-04 16:43:08 UTC
Tags:
stealer trojan
Link:
https://app.any.run/tasks/309f6933-0b3e-4ad6-a22d-9965e8213be2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194760/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Searching for the window
Creating a file in the Windows subdirectories
Deleting a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/615c108898a6280f39324db4/reports/9d9e6807-26e5-4de9-99b0-e6f5c993cde7/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35fd45c0-afb7-4a78-acd8-7a91a7819abc
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/864217
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 496643 Sample: lfNKmms6qs.exe Startdate: 04/10/2021 Architecture: WINDOWS Score: 68 53 Multi AV Scanner detection for submitted file 2->53 55 Machine Learning detection for sample 2->55 57 Found many strings related to Crypto-Wallets (likely being stolen) 2->57 11 lfNKmms6qs.exe 1 5 2->11         started        13 rundll32.exe 2->13         started        process3 process4 15 cmd.exe 1 11->15         started        18 dllhost.exe 11->18         started        signatures5 63 Submitted sample is a known malware sample 15->63 65 Obfuscated command line found 15->65 67 Uses ping.exe to check the status of other devices and networks 15->67 20 cmd.exe 3 15->20         started        23 conhost.exe 15->23         started        process6 signatures7 61 Obfuscated command line found 20->61 25 Perde.exe.com 20->25         started        27 PING.EXE 1 20->27         started        30 findstr.exe 1 20->30         started        process8 dnsIp9 33 Perde.exe.com 38 25->33         started        51 127.0.0.1 unknown unknown 27->51 43 C:\Users\user\AppData\Local\...\Perde.exe.com, Targa 30->43 dropped file10 process11 dnsIp12 45 befmug17.top 185.221.154.51, 49764, 80 RUWEBRU Russian Federation 33->45 47 195.123.220.96, 49815, 80 ITLDC-NLUA Bulgaria 33->47 49 2 other IPs or domains 33->49 59 Tries to harvest and steal browser information (history, passwords, etc) 33->59 37 cmd.exe 1 33->37         started        signatures13 process14 process15 39 conhost.exe 37->39         started        41 timeout.exe 1 37->41         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df/
Threat name:
Win32.PUA.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-04 17:27:13 UTC
AV detection:
11 of 27 (40.74%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xo36sioafrcdm7ytkm2fhltnhk4dsdob46so6j7myzk3o2zsjdpq._file
Verdict:
suspicious
Similar samples:
337b9f5f13ee874ebe70fd5468725b638eb7b62c4f8c91a6e2a7deab8f5edbb6
CryptBot
4f3ba9f2d7e8979ac9fe1be297c90314a2ee9065bfcf0073c2b1815c425b16db
CryptBot
6563baa395257badd656572083aa05dc277e6516f079da5c0eddf0b6bbee4ffc
CryptBot
70d01c6918c07b4cd0daa9b2c688fbd7e0e2e6f77831c9bd351be29a7991e1d3
CryptBot
90145ecdcdb80f34c3246bc485a714535af298d7bd195e79bd2174fda5a714ec
CryptBot
a60659139ff3a9e6a4a482e060e301c83a25a02227308f6f572d79cc95c63dce
CryptBot
c3b9a8dde21bf3c1bb09426a261c77eb4b59cb2f36ac82e5b8f6b4a4d3565b5b
CryptBot
e0bc481d34f12788300cff55706ef6352f59e3c206b930ca08b2f7c76af3e795
CryptBot
e7e206cee63cf56f1818aa706ba3e7beb42daded2e40ed3c82caf0eee52e120d
CryptBot
fb044b65aca85f2778a512ef1a48d4d3d2807f0e6d3e82a038ca39f6e37b6197
CryptBot
+ 25 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/211004-v1emxagghk/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
49d3df575e4484c05bd02db6c700096f2365a0055009d200839a01814f9e16c0
MD5 hash:
777fd4a4d1ed8adcbec4ae41443ec0f2
SHA1 hash:
cc2f91817903d90e7670c1f3dd69c2ac0c8d3454
Link:
https://www.unpac.me/results/5b2e6969-f27c-45ca-be6b-976f8df2da11/
SH256 hash:
bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df
MD5 hash:
731ba8db421ddaff4337a141afd214ae
SHA1 hash:
c1076efa4f4dab9890cf04164366251467515a31
Link:
https://www.unpac.me/results/5b2e6969-f27c-45ca-be6b-976f8df2da11/
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bbb7e921c02c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.86
Link:
https://yomi.yoroi.company/submissions/bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df

(this sample)

anyrun
any.run
https://app.any.run/tasks/309f6933-0b3e-4ad6-a22d-9965e8213be2/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194760/

Comments