MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3fd41da298b657f36085d828012a94c9979400b753c028eb26d0a6fb50b05bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3fd41da298b657f36085d828012a94c9979400b753c028eb26d0a6fb50b05bb
SHA3-384 hash: a7323d85bda748253676f3c334100e476a1511fc92dba33e658dc69ec85242cabbb70c5fd0423b98498e2cb2503b4b1b
SHA1 hash: effc1ac7b7f0a000dfecc7fd0ede33acb8beb7f6
MD5 hash: 7afe4acc20170439d8b180ae4b84715d
humanhash: butter-music-jupiter-robert
File name:7afe4acc20170439d8b180ae4b84715d.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:736'256 bytes
First seen:2021-04-09 20:14:03 UTC
Last seen:2021-04-09 20:49:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5c9f82cdabd8e2926163412888fe3f28 (2 x RaccoonStealer, 1 x CryptBot)
ssdeep 12288:UtBtCIEAxLW+VFgN585wt4hWEdI7NGkVb600p5+uFZHXHO/uJROiBl7loHn:UnPXL/CoCteWEdSQkVbgrPHsurhBl7lk
Threatray 78 similar samples on MalwareBazaar
TLSH FCF4F10173E0C1B3D063247A8524D7B25E7BB4725B75A9CBBBC50BB80F6A6D1AB35306
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c3fd41da298b657f36085d828012a94c9979400b753c028eb26d0a6fb50b05bb
Verdict:
Malicious activity
Analysis date:
2021-04-09 07:02:31 UTC
Tags:
trojan stealer loader autoit evasion
Link:
https://app.any.run/tasks/a1cacf37-6161-4f35-8abc-3fc3f21a681d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133448/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46054597.14464.31731.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file
Delayed reading of the file
Reading critical registry keys
Stealing user critical data
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/671778
Signature
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 384834 Sample: tDDFLIR3f6.exe Startdate: 09/04/2021 Architecture: WINDOWS Score: 100 73 iplogger.org 2->73 87 Malicious sample detected (through community Yara rule) 2->87 89 Antivirus detection for URL or domain 2->89 91 Multi AV Scanner detection for dropped file 2->91 93 9 other signatures 2->93 12 tDDFLIR3f6.exe 50 2->12         started        17 SmartClock.exe 2->17         started        19 SmartClock.exe 2->19         started        signatures3 process4 dnsIp5 81 dyosa52.top 34.118.72.185, 49723, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 12->81 83 esimu07.top 34.65.214.4, 49725, 49726, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 12->83 85 marlqj05.top 8.209.68.164, 49724, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 12->85 67 C:\Users\user\AppData\Local\...\Briskal.exe, PE32 12->67 dropped 69 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 12->69 dropped 111 Detected unpacking (changes PE section rights) 12->111 113 Detected unpacking (overwrites its own PE header) 12->113 115 Tries to harvest and steal browser information (history, passwords, etc) 12->115 21 Briskal.exe 19 12->21         started        25 cmd.exe 1 12->25         started        file6 signatures7 process8 file9 59 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 21->59 dropped 61 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 21->61 dropped 63 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 21->63 dropped 95 Multi AV Scanner detection for dropped file 21->95 97 Machine Learning detection for dropped file 21->97 27 vpn.exe 7 21->27         started        29 4.exe 4 21->29         started        99 Submitted sample is a known malware sample 25->99 101 Obfuscated command line found 25->101 103 Uses ping.exe to sleep 25->103 105 Uses ping.exe to check the status of other devices and networks 25->105 32 conhost.exe 25->32         started        34 timeout.exe 1 25->34         started        signatures10 process11 file12 36 cmd.exe 1 27->36         started        38 dllhost.exe 27->38         started        71 C:\Users\user\AppData\...\SmartClock.exe, PE32 29->71 dropped 40 SmartClock.exe 29->40         started        process13 process14 42 cmd.exe 3 36->42         started        45 conhost.exe 36->45         started        signatures15 107 Obfuscated command line found 42->107 109 Uses ping.exe to sleep 42->109 47 Calore.exe.com 42->47         started        50 PING.EXE 42->50         started        53 findstr.exe 1 42->53         started        process16 dnsIp17 117 May check the online IP address of the machine 47->117 56 Calore.exe.com 47->56         started        75 127.0.0.1 unknown unknown 50->75 65 C:\Users\user\AppData\...\Calore.exe.com, Targa 53->65 dropped file18 signatures19 process20 dnsIp21 77 rhRDHAYtAoQHDCIZfrnmk.rhRDHAYtAoQHDCIZfrnmk 56->77 79 ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States 56->79
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3fd41da298b657f36085d828012a94c9979400b753c028eb26d0a6fb50b05bb/
Threat name:
Win32.Trojan.Ranumbot
Create hunting rule
Status:
Malicious
First seen:
2021-04-09 15:38:30 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yp6udwrjrnsx6nqilwbiaevjjsmxsqalou6afdvsnufg7nilaw5q._file
Verdict:
suspicious
Similar samples:
0bdb7a98c650426ff70b666a8a1f28b421a6135e729a70baf87a5c126fbd788a
CryptBot
10c0f1080840ab3cf7fd69f80a6b821a6f95cb7b57a7e43dfb757e9df598c18a
CryptBot
26e294b557033c04b7a9039b6e2ef1ec35f8c3ec1a06be3d7b73ddd3ff10395c
CryptBot
39a27d15f3d6175331a974825a440d7475187bae0c133a48a1a5155b49a82537
CryptBot
743f92678d29a5338b7b276226b0d8f60749589f1b11789f40b292d4f2ce7854
CryptBot
76386b4c6c46b36b26d9ce00df7982d461bcd1a7586dde62cd831349d0aa3a4b
CryptBot
7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d
CryptBot
97d497e3e5e60db871dfde169070847b7067fcd409f9dbed19584c3b64ac9ac9
CryptBot
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
CryptBot
f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01
CryptBot
+ 68 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210409-vpzwhm47ls/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
374da4144932ac93a3cb1fbb8af66bf488cc3f4e75971a93743b804622683e65
MD5 hash:
4fd1fe813588e17123c263698c2ee5b6
SHA1 hash:
7836cf4f668fbfbae6968ffd2373cca3aa2fca45
Link:
https://www.unpac.me/results/6d10b676-0b07-4f70-9fc9-4a2d8f4da441/
SH256 hash:
c3fd41da298b657f36085d828012a94c9979400b753c028eb26d0a6fb50b05bb
MD5 hash:
7afe4acc20170439d8b180ae4b84715d
SHA1 hash:
effc1ac7b7f0a000dfecc7fd0ede33acb8beb7f6
Link:
https://www.unpac.me/results/6d10b676-0b07-4f70-9fc9-4a2d8f4da441/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3fd41da298b657f36085d828012a94c9979400b753c028eb26d0a6fb50b05bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe c3fd41da298b657f36085d828012a94c9979400b753c028eb26d0a6fb50b05bb

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/133448/
  
URLhaus
https://urlhaus.abuse.ch/url/1104406/
  
Delivery method
Distributed via web download

Comments