MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d082a1af4b67474b36c4abc0a5af1297a87a6aeb93eebd23085d5f2402b43f52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d082a1af4b67474b36c4abc0a5af1297a87a6aeb93eebd23085d5f2402b43f52
SHA3-384 hash: b2894b9e3aec710df5b844987b8fad417fbb9247ddff59aae7104a3870a7b8820a797cfb3b9836639816b2a6e03be845
SHA1 hash: 981216fcb48431a3e7e26711291bb8f2235b2211
MD5 hash: d6b881d9850c06b8a003079c7f6c0727
humanhash: london-black-pizza-william
File name:d6b881d9850c06b8a003079c7f6c0727
Download: download sample
File size:1'240'186 bytes
First seen:2021-06-28 06:27:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:ZF1ZUJ64YXVEKMND4ryfiz5mWeevLEQMQQ3AJhMMguHCDD3fsu2boJGEf/A:/1ZUJxaVEKYwGQoipyOhfguH6PcjUA
Threatray 341 similar samples on MalwareBazaar
TLSH C445336374D8CA36DF634B751C74481347ADFC8E4831B23B77446EEE3A700529A287AA
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cryptbot.bin
Verdict:
Malicious activity
Analysis date:
2021-06-27 18:00:29 UTC
Tags:
stealer trojan loader evasion danabot
Link:
https://app.any.run/tasks/aa22a783-670f-4d56-9921-38388339bcfb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168530/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/54f85946-037e-4d72-a781-a5b8c89388a9
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808685
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 441096 Sample: 0TioK5B7wS Startdate: 28/06/2021 Architecture: WINDOWS Score: 100 56 Found malware configuration 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 6 other signatures 2->62 10 0TioK5B7wS.exe 25 2->10         started        13 SmartClock.exe 2->13         started        15 SmartClock.exe 2->15         started        process3 file4 44 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 10->44 dropped 46 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 10->46 dropped 48 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 10->48 dropped 50 3 other files (none is malicious) 10->50 dropped 17 vpn.exe 7 10->17         started        19 4.exe 4 10->19         started        process5 file6 22 cmd.exe 1 17->22         started        42 C:\Users\user\AppData\...\SmartClock.exe, PE32 19->42 dropped 25 SmartClock.exe 19->25         started        process7 signatures8 64 Submitted sample is a known malware sample 22->64 66 Obfuscated command line found 22->66 68 Uses ping.exe to sleep 22->68 70 Uses ping.exe to check the status of other devices and networks 22->70 27 cmd.exe 3 22->27         started        30 conhost.exe 22->30         started        process9 signatures10 72 Obfuscated command line found 27->72 74 Uses ping.exe to sleep 27->74 32 PING.EXE 1 27->32         started        35 Amuleto.exe.com 27->35         started        37 findstr.exe 1 27->37         started        process11 dnsIp12 52 127.0.0.1 unknown unknown 32->52 39 Amuleto.exe.com 35->39         started        process13 dnsIp14 54 tHVTkijeiN.tHVTkijeiN 39->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d082a1af4b67474b36c4abc0a5af1297a87a6aeb93eebd23085d5f2402b43f52/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-06-27 21:13:07 UTC
AV detection:
24 of 46 (52.17%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
16a9f456fe7c58b1f5b40f8bdda1f383e6cd9a633c2e44a386bee0a4b6c10d87
2dd214b7750c889a14bb6c1be4ff3b32e1bce2fba8d274de69b36b442486a1c6
34cfa360c2efd052e71a29f2091723206cf2a74dc87c64b1d617e822f69b7180
3f73237acdf89666712734296663edda4c5f7f7ca9271313e4dd94291dc5b531
88b4dc586771eaca754612a6b980f435506220cb1bf9ff7a4b6ac3bcbe08b0f8
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
b6f7d08666ed5c5309dbd3902783735ee77c1d8ab19e410af5c687488f21557e
fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
fb5d2b6d9ec1b9c07e64f6b9eb148099f0b43d58dc867102c02b16a9a9152022
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
+ 331 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210628-nlr9d7e5a6/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
9255ba32fe5046482d8b037c3e976ce391776eb00c51a5a22420402f4827ae56
MD5 hash:
3d91420b685ef4970cfe78443c14b0e9
SHA1 hash:
3806aaa6615482c7b2432d5ed20d766bf5bfe99b
Link:
https://www.unpac.me/results/251a117e-8c08-497a-b080-bb82220031c3/
SH256 hash:
953f244879c70e62f3f60c18911db22c106439cff61744c34bf1bd403dfff28d
MD5 hash:
2582ef5541f0df81c57954d013f3cb0f
SHA1 hash:
772075bf30cc98d7952906bd096b971d15376fae
Link:
https://www.unpac.me/results/251a117e-8c08-497a-b080-bb82220031c3/
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/251a117e-8c08-497a-b080-bb82220031c3/
SH256 hash:
d082a1af4b67474b36c4abc0a5af1297a87a6aeb93eebd23085d5f2402b43f52
MD5 hash:
d6b881d9850c06b8a003079c7f6c0727
SHA1 hash:
981216fcb48431a3e7e26711291bb8f2235b2211
Link:
https://www.unpac.me/results/251a117e-8c08-497a-b080-bb82220031c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d082a1af4b67474b36c4abc0a5af1297a87a6aeb93eebd23085d5f2402b43f52

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d082a1af4b67474b36c4abc0a5af1297a87a6aeb93eebd23085d5f2402b43f52

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1406395/
Cape
Cape
https://www.capesandbox.com/analysis/168530/

Comments