MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c91e89e7dd72b337a6933cf71f0b9905d58460ca0f0c922f49ad86d3819af960. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c91e89e7dd72b337a6933cf71f0b9905d58460ca0f0c922f49ad86d3819af960
SHA3-384 hash: f8f0d221e98fa0fc7c0687224ddc84ec023a2b8e612938b936d5428d269055a95427c957ce555b4ce1babf4dc8fdd04a
SHA1 hash: b269de28e7f3fce738eb4c3285fc608eecd51ec5
MD5 hash: 12ab181fc8699748180da1ddf0e748f6
humanhash: montana-lamp-finch-diet
File name:SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488
Download: download sample
File size:9'163'776 bytes
First seen:2020-05-12 13:29:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5346271e19c97ff7635cfa504e8439ab (1 x CryptBot)
ssdeep 196608:ie4wsK7j7YtBv/HVy/ZToU3mJ+qk9cQP0ma+Two/xY:v4WvUtBYGkj9cO0L+MYC
Threatray 50 similar samples on MalwareBazaar
TLSH 229633E133D8CD77D193C1F40BBCB636E54573047A6BB0B8A29A66ED1A2D0949E05E0F
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.45677.29740.5488.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Coins
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 00:04:46 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
08c31318d635778eaaf19c55440ed58570e764db28339f3061d927d9f3643ce3
1571b2ee13c7552f19b2fffc1c3f7dc63dffa8652d0cfa32136852629763018d
33ffacc3e517f4f1dad47f1ca28d26188e202d5e2e300e1e71bc0a57e682292a
433811102726bc15416ca338a2df55ec1daaf3f2565ee00d7f6484064746fb30
68e0c8bcb14bc94813d8c6494966d1f32b60ccca1fb9d80996707abeee3d2db5
84581968dd8c3480b3f0dcc2cd0cffa26542bb8cb79c8150f2be5ea5afd1b6b1
99b9b649c59745f1544c91ffe35dad1e1529c9cb6715325c95ee396bbe3db2ab
ad3c67acd7773a47ac0d46c544f1bcaa03ddbeb577b195e66fc4a15cd4413dab
d0198b775182eab3ed405bd0d946006ec8616b61083e643200d1d34fe8cae2f3
d6ba040d10d1fb8e0f6a8b1d5378be566f6d3816bf1a00fb3e0bb6eed29346b2
+ 40 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/201109-kzjd6lckl2/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
CryptBot
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c91e89e7dd72b337a6933cf71f0b9905d58460ca0f0c922f49ad86d3819af960

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/361529/
  
Delivery method
Distributed via web download

Comments