MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3b699aaaf2a476cf84ca13efd09ac86e66b501e3baaa5b0ef7cdabc47ee9ec1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3b699aaaf2a476cf84ca13efd09ac86e66b501e3baaa5b0ef7cdabc47ee9ec1
SHA3-384 hash: 232a6e9786f9f67cb2e61d287b1bb3b23941a9e5017f637033116e63f29f81ff45e36b8d53893848eebb2535e3ff9b16
SHA1 hash: 8690249cb2040c7d32e09d8b84c888f0fd0c736f
MD5 hash: 603afc39509ea12acf6ef69b94af3fad
humanhash: uranus-william-five-alaska
File name:603afc39509ea12acf6ef69b94af3fad.exe
Download: download sample
File size:1'198'682 bytes
First seen:2021-03-16 19:31:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 24576:a53uhFQfcc0Hsmj2yrU1CcpltZN2P8RUX9FqevjsnKzRz:a5+hFOccWyyrqC8ZNxajJzRz
Threatray 56 similar samples on MalwareBazaar
TLSH AC452321B5DAA1FAD5B236704909BB2668F2F3301B1D41C3B7510613AE7EEE4D77D08A
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
603afc39509ea12acf6ef69b94af3fad.exe
Verdict:
Malicious activity
Analysis date:
2021-03-16 19:34:39 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/94b52bce-6230-44a9-b93f-ad97c264cedf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/124430/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Sending a UDP request
Creating a process from a recently created file
Deleting a recently created file
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c419c803-f4c0-4405-bf7a-d05e009f1c7b
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/641366
Signature
Contains functionality to register a low level keyboard hook
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 369654 Sample: nt18gUFXxy.exe Startdate: 16/03/2021 Architecture: WINDOWS Score: 72 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Cryptbot 2->42 9 nt18gUFXxy.exe 8 2->9         started        process3 signatures4 48 Contains functionality to register a low level keyboard hook 9->48 12 cmd.exe 1 9->12         started        15 cmd.exe 1 9->15         started        process5 signatures6 50 Submitted sample is a known malware sample 12->50 52 Obfuscated command line found 12->52 54 Uses ping.exe to sleep 12->54 56 Uses ping.exe to check the status of other devices and networks 12->56 17 conhost.exe 12->17         started        19 cmd.exe 3 15->19         started        22 conhost.exe 15->22         started        process7 signatures8 44 Obfuscated command line found 19->44 46 Uses ping.exe to sleep 19->46 24 PING.EXE 1 19->24         started        27 Volevo.exe.com 19->27         started        29 findstr.exe 1 19->29         started        process9 dnsIp10 34 127.0.0.1 unknown unknown 24->34 31 Volevo.exe.com 3 27->31         started        process11 dnsIp12 36 192.168.2.1 unknown unknown 31->36 38 NWIjtSVRUQVqLfTXzofok.NWIjtSVRUQVqLfTXzofok 31->38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3b699aaaf2a476cf84ca13efd09ac86e66b501e3baaa5b0ef7cdabc47ee9ec1/
Threat name:
Win32.PUA.7zip
Create hunting rule
Status:
Malicious
First seen:
2021-03-16 05:49:50 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  1/5
Verdict:
suspicious
Similar samples:
00dfe1c0275613464fac102cd1d1bf35983038db80455b92be2630fbe9cf040b
22f8d1582e34c1754955d616542d3bf5e784d357ed58dd45e6bc3a5df9c82446
5d0b09993c8b1d6de2ab162c32f2c36fb250b5a8051fbde5d5bcf9e8142ef75d
620afc2abbee35a3927169681326c1f1800030fd02c77eef6a49550978a41257
883bd670d55447865cc753c58efafc0c26c17c8d2b11b10f3bc9f70093abe507
8f7f128c12e1966daae887b04edd6c8bed3b178cc2f6d83e5970249463cb5bb4
9234d9cc843e2d90cf272e76714371573ad4769d5e7e0de122120e45fec9cdea
e01d9c12ce59def16d3aa593e461d13173b98d4cef9658834f756ff4edbfd3d7
f26b948f55870e1e1c049325fa71e957cd87b85f53972f2c2cc258e9b0029a74
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
+ 46 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210316-psn431m6se/
Behaviour
Delays execution with timeout.exe
Runs ping.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
8419d335d27fc143453883a81f097564bde0c88d1be20ab0dc043bc3e444bf5e
MD5 hash:
dd3fd5ac5d0da7050976fcb778a58ea5
SHA1 hash:
22fca44fc2e3b123c6c651301fb4a3ba6e16a2b7
Link:
https://www.unpac.me/results/d686cee7-1ddf-4ad0-997b-237e97bae93f/
SH256 hash:
c3b699aaaf2a476cf84ca13efd09ac86e66b501e3baaa5b0ef7cdabc47ee9ec1
MD5 hash:
603afc39509ea12acf6ef69b94af3fad
SHA1 hash:
8690249cb2040c7d32e09d8b84c888f0fd0c736f
Link:
https://www.unpac.me/results/d686cee7-1ddf-4ad0-997b-237e97bae93f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3b699aaaf2a476cf84ca13efd09ac86e66b501e3baaa5b0ef7cdabc47ee9ec1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c3b699aaaf2a476cf84ca13efd09ac86e66b501e3baaa5b0ef7cdabc47ee9ec1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1070988/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/124430/

Comments