MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bced04a0ef9306f81abe9dcd2bf613802076f1d2012f23bcc42a208acabf25dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	bced04a0ef9306f81abe9dcd2bf613802076f1d2012f23bcc42a208acabf25dd
SHA3-384 hash:	1929525b92aaa441bfb8bcae15e4935e54ce05e701e02ddda7f3db2d04ddf0071ca3a16a2f0439fffb4fc74520dee251
SHA1 hash:	bbde84b57981f17f221d47e3c00e54e14e4afcf8
MD5 hash:	d606343bf5f7ba3eb27460606031c257
humanhash:	lemon-robert-shade-sixteen
File name:	d606343bf5f7ba3eb27460606031c257.exe
Download:	download sample
Signature	CryptBot Create hunting rule
File size:	641'536 bytes
First seen:	2021-03-20 08:24:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	df6ca6d094e1a020408b68d5b84f9473 (1 x CryptBot, 1 x FickerStealer)
ssdeep	12288:AKc8cONRPLO18opZkkEgWAgrcvu7jjVUjdxOs/3M3/iXETlIjlfRDamsc4W/wO:AT8TQ1jZkL19/jBUjdxhfk/nTlI0c4m
Threatray	70 similar samples on MalwareBazaar
TLSH	DFD4121136E2C873E6901AB6492AC7B9453BFC320F3546D73B902F689F392D18A79747
Reporter	abuse_ch
Tags:	CryptBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PlayerUI.exe

Verdict:

Malicious activity

Analysis date:

2021-03-19 20:20:52 UTC

Tags:

evasion trojan loader stealer autoit vidar

Link:

https://app.any.run/tasks/4cc44f67-1a32-4749-bb14-e0bf92e7f18e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CryptBot

Link:

https://www.capesandbox.com/analysis/125774/

Detection(s):

SecuriteInfo.com.Malware.PDB-11.UNOFFICIAL

Win.Packed.Generic-9845877-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% directory

Deleting a recently created file

Creating a file

Delayed reading of the file

Reading critical registry keys

Creating a window

DNS request

Sending an HTTP POST request

Sending an HTTP GET request

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Launching a process

Launching cmd.exe command interpreter

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

CryptBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3de7f9c7-c121-4145-b455-87c2a59be124

Result

Threat name:

Glupteba

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/646819

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Glupteba

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bced04a0ef9306f81abe9dcd2bf613802076f1d2012f23bcc42a208acabf25dd/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-03-19 18:27:31 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xtwqjihpsmdpqgv6txgsx5qtqaqhn4osaexshpgefiqivsv7exoq._file

Verdict:

malicious

Result

Malware family:

cryptbot

Score:

10/10

Tags:

family:cryptbot discovery spyware stealer

Link:

https://tria.ge/reports/210320-ayjqj6kkyn/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies registry class

Modifies system certificate store

Runs ping.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Executes dropped EXE

CryptBot

Unpacked files

SH256 hash:

60b684d6d6760653cf8ff6ca80f620e0b951b2cec9a864a3e1d54df2cc8ac2f3

MD5 hash:

f05aee16bb81952807c8fe99f0f2cd97

SHA1 hash:

300963f7d8bc05d6d8dd42a0a9ac7086be5af94a

Link:

https://www.unpac.me/results/5a98e4f9-3187-416a-8d33-2c87cb2603a6/

SH256 hash:

bced04a0ef9306f81abe9dcd2bf613802076f1d2012f23bcc42a208acabf25dd

MD5 hash:

d606343bf5f7ba3eb27460606031c257

SHA1 hash:

bbde84b57981f17f221d47e3c00e54e14e4afcf8

Link:

https://www.unpac.me/results/5a98e4f9-3187-416a-8d33-2c87cb2603a6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bced04a0ef9306f81abe9dcd2bf613802076f1d2012f23bcc42a208acabf25dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_CryptBot Create hunting rule
Author:	ditekSHen
Description:	CryptBot/Fugrafa stealer payload

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com