MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bceed9a182b9324426c40327f10948d0ebdef8c9d4559e476e4f14b9d11a7ea3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bceed9a182b9324426c40327f10948d0ebdef8c9d4559e476e4f14b9d11a7ea3
SHA3-384 hash: 3472bcdad4ee011c3538fbcc7423173a816d399e8c1c03c5c12c0cd8204f6f0fddb6e983cd25f9041fec9b2d743f7b01
SHA1 hash: 3cddf9c1f3d25faaea4a82b584da2272c50beb3b
MD5 hash: ada1ffc753347613cee9bcddac9763a1
humanhash: island-oranges-helium-nevada
File name:BCEED9A182B9324426C40327F10948D0EBDEF8C9D4559.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:4'290'377 bytes
First seen:2021-07-10 10:10:35 UTC
Last seen:2021-07-10 10:35:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:jjfUfQBciVvvawqXwIpa41MtHCgPpUJtQgAAV+xh6+6E:jrUYiDwLIYHtUJtQgyx3X
TLSH T1371633465BC2D432D7A0F6F728713457286671620F69A1396067BE2F39F1B83FAB0C19
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://urep03.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://urep03.top/index.php https://threatfox.abuse.ch/ioc/159594/

Intelligence

File Origin
# of uploads :
2
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BCEED9A182B9324426C40327F10948D0EBDEF8C9D4559.exe
Verdict:
No threats detected
Analysis date:
2021-07-10 10:12:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1fd2e01d-ed1a-42cd-84be-a9023f0b1632

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170796/
Detection(s):
ditekSHen.MALWARE.Win.Trojan.CryptBot.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a89a984-905d-4ad0-9602-c421d588b1ab
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814309
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Detected VMProtect packer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample is protected by VMProtect
Sample or dropped binary is a compiled AutoHotkey binary
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Autohotkey Downloader Generic
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446720 Sample: BCEED9A182B9324426C40327F10... Startdate: 10/07/2021 Architecture: WINDOWS Score: 100 64 Multi AV Scanner detection for domain / URL 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus detection for dropped file 2->68 70 13 other signatures 2->70 8 BCEED9A182B9324426C40327F10948D0EBDEF8C9D4559.exe 20 2->8         started        process3 file4 36 C:\Program Files (x86)\Cartol\...\mertol.exe, PE32 8->36 dropped 38 C:\Program Files (x86)\Cartol\vyr\...\10.exe, PE32 8->38 dropped 40 C:\Program Files (x86)\Cartol\vyr\...\010.exe, PE32 8->40 dropped 42 2 other files (none is malicious) 8->42 dropped 11 010.exe 36 8->11         started        16 mertol.exe 38 8->16         started        18 10.exe 8->18         started        20 cscript.exe 13 8->20         started        process5 dnsIp6 56 saytt03.top 58.64.137.69, 49740, 80 NWT-AS-APASnumberforNewWorldTelephoneLtdHK Hong Kong 11->56 44 C:\Users\user\AppData\Local\...\Web Dataf, SQLite 11->44 dropped 46 C:\Users\user\AppData\Local\...\Login Dataf, SQLite 11->46 dropped 48 C:\Users\user\AppData\Local\...\Cookiesf, SQLite 11->48 dropped 72 Tries to harvest and steal browser information (history, passwords, etc) 11->72 22 cmd.exe 11->22         started        58 ip-api.com 208.95.112.1, 49726, 80 TUT-ASUS United States 16->58 60 urep03.top 99.83.154.118, 49736, 80 AMAZON-02US United States 16->60 50 C:\Users\user\AppData\Local\...\Web Datam, SQLite 16->50 dropped 52 C:\Users\user\AppData\Local\...\Login Datam, SQLite 16->52 dropped 54 C:\Users\user\AppData\Local\...\Cookiesm, SQLite 16->54 dropped 24 cmd.exe 1 16->24         started        74 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->74 76 Sample or dropped binary is a compiled AutoHotkey binary 18->76 62 iplogger.org 88.99.66.31, 443, 49728 HETZNER-ASDE Germany 20->62 78 May check the online IP address of the machine 20->78 26 conhost.exe 20->26         started        file7 signatures8 process9 process10 28 conhost.exe 22->28         started        30 timeout.exe 22->30         started        32 conhost.exe 24->32         started        34 timeout.exe 1 24->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bceed9a182b9324426c40327f10948d0ebdef8c9d4559e476e4f14b9d11a7ea3/
Threat name:
Win32.Trojan.Hynamer
Create hunting rule
Status:
Malicious
First seen:
2020-06-25 20:13:33 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtxntimcxezeijweamt7ccki2dv556gj2rkz4r3oj4kltui2p2rq._file
Verdict:
suspicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer vmprotect
Link:
https://tria.ge/reports/210710-q9svswefya/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
VMProtect packed file
Unpacked files
SH256 hash:
74bc2492fac98410adbf953a04dc166a6b6f239356dcfa7e9de9d2f1bd697ff5
MD5 hash:
94a0f9bcf7cb5b3acc99735429a7b24a
SHA1 hash:
c85e95451459ece3734bfc433c4b8d9b710ea854
Link:
https://www.unpac.me/results/8f23126d-65ed-4b6f-970c-618df51bde2e/
SH256 hash:
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
MD5 hash:
132e6153717a7f9710dcea4536f364cd
SHA1 hash:
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
Link:
https://www.unpac.me/results/8f23126d-65ed-4b6f-970c-618df51bde2e/
SH256 hash:
fc54f9c12b2a75a359d18c4259375ea5ddeff1af6996a8c786ddf16f7f1e4401
MD5 hash:
11ddae7e3937e23ed6cbb7c54d997e61
SHA1 hash:
4593d0e4d599259e47d27a21fda198cc80235fb6
Link:
https://www.unpac.me/results/8f23126d-65ed-4b6f-970c-618df51bde2e/
SH256 hash:
427a1150962518c43f2fcd3e39142a438973b3fb082a5892ec3019cc8f7d4d82
MD5 hash:
ce720b915d12ed8831109aaa7846e416
SHA1 hash:
d6687a1ab530baa8c51cda487c8aab4791096482
Link:
https://www.unpac.me/results/8f23126d-65ed-4b6f-970c-618df51bde2e/
SH256 hash:
09c6971aa3942b0acd74d24c908dc5cb7f1d4252daea91d623b6ce7028a356d8
MD5 hash:
42a2a212915c9c829ce8088668c82736
SHA1 hash:
a46e54441c147207312afdde5fbbaecf71de89df
Link:
https://www.unpac.me/results/8f23126d-65ed-4b6f-970c-618df51bde2e/
SH256 hash:
2bb88a52347db1353c90222e74d46d671f3adc3a92c23bce44c2fb7e6e999c88
MD5 hash:
64f403f8b5f92fb16a38aab5b6967c29
SHA1 hash:
0ddce07ad797f0c331e571f883710af96d4e0f89
Link:
https://www.unpac.me/results/8f23126d-65ed-4b6f-970c-618df51bde2e/
SH256 hash:
bceed9a182b9324426c40327f10948d0ebdef8c9d4559e476e4f14b9d11a7ea3
MD5 hash:
ada1ffc753347613cee9bcddac9763a1
SHA1 hash:
3cddf9c1f3d25faaea4a82b584da2272c50beb3b
Link:
https://www.unpac.me/results/8f23126d-65ed-4b6f-970c-618df51bde2e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bceed9a182b9324426c40327f10948d0ebdef8c9d4559e476e4f14b9d11a7ea3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:VMProtectStub
Create hunting rule
Author:@bartblaze
Description:Identifies VMProtect packer stub.
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170796/

Comments