MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c10f974322f23a93c0354a3f57151b3017620313f5678310db27d05be10b4e98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cryptbot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c10f974322f23a93c0354a3f57151b3017620313f5678310db27d05be10b4e98
SHA3-384 hash: 887853a0fb7b56b87892f27d5f250be5fb329ba95d57fd0243c5596c872fcd92b3e8acd1169729cf38791861b5647835
SHA1 hash: 2f1f34b349f9ef2ba02ad38de2a2583c8c00816a
MD5 hash: 22c65e59340d1ca2840777fec61f6470
humanhash: india-utah-indigo-football
File name:22c65e59340d1ca2840777fec61f6470.exe
Download: download sample
Signature Cryptbot
Create hunting rule
File size:662'528 bytes
First seen:2021-07-12 08:36:49 UTC
Last seen:2021-07-12 09:59:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash be7e53ef9cec957ab45539b64c6db1cc (1 x Cryptbot)
ssdeep 12288:xptxJdOeNEe/+8NNPVvvkZATHe1LuXU06YQVXEnhS7RlZS1s5u7/iDkjeYZ5j1:x7xueye/TNNFvS2+VEl6DUnhS3ZSAuzZ
Threatray 296 similar samples on MalwareBazaar
TLSH T10CE4025535B0C436D1B34671693983A02A3FF9A628B4C98777463BDF8E323D269B6313
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
22c65e59340d1ca2840777fec61f6470.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 08:39:37 UTC
Tags:
stealer trojan
Link:
https://app.any.run/tasks/228a1cf1-67e9-4707-9e11-a4ca4a9bc791

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170983/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.33549.28417.11062.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2bee6d3-626d-43c5-aff4-f4ce6a20312f
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814701
Signature
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447110 Sample: MfFd4Fwl1B.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 89 Found malware configuration 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 Antivirus detection for dropped file 2->93 95 11 other signatures 2->95 12 MfFd4Fwl1B.exe 22 2->12         started        17 SmartClock.exe 2->17         started        19 SmartClock.exe 2->19         started        process3 dnsIp4 85 aledna72.top 143.244.186.174, 49731, 80 COGENT-174US United States 12->85 87 otivzt10.top 47.243.129.23, 49724, 49726, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 12->87 69 C:\Users\user\AppData\...\yJQZkDvBkkB.exe, PE32 12->69 dropped 71 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 12->71 dropped 113 Detected unpacking (changes PE section rights) 12->113 115 Detected unpacking (overwrites its own PE header) 12->115 117 Tries to harvest and steal ftp login credentials 12->117 119 2 other signatures 12->119 21 yJQZkDvBkkB.exe 25 12->21         started        file5 signatures6 process7 file8 59 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 21->59 dropped 61 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 21->61 dropped 63 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 21->63 dropped 65 3 other files (none is malicious) 21->65 dropped 101 Antivirus detection for dropped file 21->101 103 Multi AV Scanner detection for dropped file 21->103 105 Machine Learning detection for dropped file 21->105 25 vpn.exe 7 21->25         started        27 4.exe 4 21->27         started        signatures9 process10 file11 30 cmd.exe 1 25->30         started        67 C:\Users\user\AppData\...\SmartClock.exe, PE32 27->67 dropped 33 SmartClock.exe 27->33         started        process12 signatures13 121 Submitted sample is a known malware sample 30->121 123 Obfuscated command line found 30->123 125 Uses ping.exe to sleep 30->125 127 Uses ping.exe to check the status of other devices and networks 30->127 35 cmd.exe 3 30->35         started        38 conhost.exe 30->38         started        process14 signatures15 97 Obfuscated command line found 35->97 99 Uses ping.exe to sleep 35->99 40 Vigilanza.exe.com 35->40         started        43 PING.EXE 1 35->43         started        46 findstr.exe 1 35->46         started        process16 dnsIp17 111 May check the online IP address of the machine 40->111 49 Vigilanza.exe.com 3 18 40->49         started        81 127.0.0.1 unknown unknown 43->81 83 192.168.2.1 unknown unknown 43->83 73 C:\Users\user\AppData\...\Vigilanza.exe.com, Targa 46->73 dropped file18 signatures19 process20 dnsIp21 75 ip-api.com 208.95.112.1, 49756, 80 TUT-ASUS United States 49->75 77 HuzkESWqLFmEcD.HuzkESWqLFmEcD 49->77 57 C:\Users\user\AppData\...\spixsmopkvhm.vbs, ASCII 49->57 dropped 53 wscript.exe 12 49->53         started        file22 process23 dnsIp24 79 iplogger.org 88.99.66.31, 443, 49757 HETZNER-ASDE Germany 53->79 107 System process connects to network (likely due to code injection or exploit) 53->107 109 May check the online IP address of the machine 53->109 signatures25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c10f974322f23a93c0354a3f57151b3017620313f5678310db27d05be10b4e98/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2021-07-11 19:19:49 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yehzoqzc6i5jhqbvji7vofi3galweayt6vtygeg3e7ifxyilj2ma._file
Verdict:
malicious
Similar samples:
056cc0e43fd5b75d6aaa8ab8651394428b1751c538b92aaa088ee3ff79efc20f
Cryptbot
4b21de4f5c03de8e7e85bbdc317bd1050ba7bce099c1ba1cafb949ccadff90a2
Cryptbot
5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb66635db25adaf05b9c09
Cryptbot
6f8ce60168331070f8ca906c9c5e4d53e22b9b72a57c6e0c65bf6f83979d310f
Cryptbot
7c3ec59724f79c69f7bb889f8dac9e89a45ad3629a25c954c26905b5b953e3f5
Cryptbot
834ccdd87931ab88f011372377befbafda51abccff557c7dd3e01682580716fb
Cryptbot
d2b955fca821c2d34342ca8bc610bda82a15676a0b44f5de15c78ee6b7de7e6b
Cryptbot
e2627edaef3e465cadfb84b250bc0d47cef26af5d2334e5f49ab38d8f919b511
Cryptbot
e5dae08e748e408a4a256bd0c5d216281596a20399ea0127ac35b1661248b3ea
Cryptbot
f2a7cc00ce9933490e51df2d5df9e7b0b2165c73297a9fa8a99fbf51b85926b8
Cryptbot
+ 286 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210712-j9v9xcerys/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
d668ec44955cbd88a44f30b83d6d27cae2ddeaec663e6b6b8f6fc86f4a90a2b9
MD5 hash:
99900a7bc5cfaaa6fcf3cbac137001f5
SHA1 hash:
52ae0cd838a70e56108784c04c92894f55a92c2b
Detections:
win_blacksoul_auto
Create hunting rule
win_cryptbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/154d18db-4133-48e6-93b9-842d19a38743/
Parent samples :
c10f974322f23a93c0354a3f57151b3017620313f5678310db27d05be10b4e98
1913b57379e19d7d05f7a55160343d7d081fe01c668b0652097311a0e9f57940
SH256 hash:
c10f974322f23a93c0354a3f57151b3017620313f5678310db27d05be10b4e98
MD5 hash:
22c65e59340d1ca2840777fec61f6470
SHA1 hash:
2f1f34b349f9ef2ba02ad38de2a2583c8c00816a
Link:
https://www.unpac.me/results/154d18db-4133-48e6-93b9-842d19a38743/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c10f974322f23a93c0354a3f57151b3017620313f5678310db27d05be10b4e98

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Cryptbot

Executable exe c10f974322f23a93c0354a3f57151b3017620313f5678310db27d05be10b4e98

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1441648/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170983/

Comments