MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd2867c397375bafb2706c13226805a2877725d93f61938b9f90a3a1f568f6c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments 1

SHA256 hash:	dd2867c397375bafb2706c13226805a2877725d93f61938b9f90a3a1f568f6c0
SHA3-384 hash:	bd05c3aa1722574019c33d36df612e718e7f34c27ed3fdf51eae03b6278f5bfee0d77972b972cbdeb9f3a4685e4c75b6
SHA1 hash:	78a021534697109b76beaf3e2996efdf67fb99c7
MD5 hash:	09931c4d2470e624de0d11b1448f5d50
humanhash:	angel-friend-florida-oranges
File name:	09931c4d2470e624de0d11b1448f5d50
Download:	download sample
Signature	CryptBot Create hunting rule
File size:	292'352 bytes
First seen:	2021-12-15 11:23:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fdb1d18fcb1774aedc78ecdbb5413a24 (3 x RedLineStealer, 3 x Smoke Loader, 1 x CryptBot)
ssdeep	6144:lVH+JAXQaFYUxlfeAe+oxsPe7XEuOMha:TH+JAgaPGA0x+uR
Threatray	8'657 similar samples on MalwareBazaar
TLSH	T17454E001B9E2D532C5A2163144308AE45E7FB871993141DBB3A43BEFEFE36D19A25F12
File icon (PE):
dhash icon	b27e7c7d727e6e72 (1 x CryptBot, 1 x Stop)
Reporter	zbetcheckin
Tags:	32 CryptBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

09931c4d2470e624de0d11b1448f5d50

Verdict:

Malicious activity

Analysis date:

2021-12-15 11:29:37 UTC

Tags:

stealer trojan

Link:

https://app.any.run/tasks/96ba67b7-056f-4c7a-a224-b36d9f4e3333

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CryptBot

Link:

https://www.capesandbox.com/analysis/214322/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.26137.5522.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

DNS request

Sending an HTTP POST request

Reading critical registry keys

Sending an HTTP GET request

Creating a file

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Running batch commands

Creating a file in the Program Files subdirectories

Launching the default Windows debugger (dwwin.exe)

Launching a process

Searching for analyzing tools

Searching for the window

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2119/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61b9d05845ca64e57f115679/reports/3767362a-dfbd-4fc3-b848-8893cd76634a/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

CryptBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/93a8a2b5-b313-499d-a959-98d2822f7cc1

Result

Threat name:

Cryptbot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/907810

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Cryptbot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dd2867c397375bafb2706c13226805a2877725d93f61938b9f90a3a1f568f6c0/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-12-15 10:53:31 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3uugpq4xg5n27mtqnqjse2afukdxojozh5qzhc47scr2d5li63aa._file

Verdict:

malicious

CryptBot

879305570a2b3dbe710ddd09445db20a1159696a6c72a503135db8eaef5eecb7

CryptBot

ba9547aac21a5bf2e5220d529b5f79bcb1bf1066824ac8fc3d2074cec2944dbe

CryptBot

c386cf7d338f42a76cdc369c9d6d43f2ab6dca0853f80f0cee4770731ea18264

CryptBot

df7841fad13bb90a108a0861c92c565ad754528e684600ad07011cd4e83f1a63

CryptBot

e2ab039851029d1511405468f5cbc7c6bb046a7005c7503078ebab6ef3708ed7

CryptBot

ee53cf56f393658949e4756c48e63e0c02542c1403c87e72d926bfb6b0306809

CryptBot

+ 8'647 additional samples on MalwareBazaar

Result

Malware family:

danabot

Score:

10/10

Tags:

family:cryptbot family:danabot banker discovery evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/211215-nhp8cshdd6/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

CryptBot

Danabot

Danabot Loader Component

Malware Config

C2 Extraction:

sezsmi32.top
morswd03.top
142.11.244.223:443
23.106.122.139:443

Unpacked files

SH256 hash:

2bb4a3a70b8b15d4a96a1d3489102551f599adfd0769d86288e252bd6ef03539

MD5 hash:

1a4e64bf44a29bae969df30e79f3f59c

SHA1 hash:

369a83190c1bacd0a45c9f52bf213d19c25198bf

Link:

https://www.unpac.me/results/cc2c8dc6-911a-42c9-bb46-9cf828d0538a/

SH256 hash:

dd2867c397375bafb2706c13226805a2877725d93f61938b9f90a3a1f568f6c0

MD5 hash:

09931c4d2470e624de0d11b1448f5d50

SHA1 hash:

78a021534697109b76beaf3e2996efdf67fb99c7

Link:

https://www.unpac.me/results/cc2c8dc6-911a-42c9-bb46-9cf828d0538a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dd2867c397375bafb2706c13226805a2877725d93f61938b9f90a3a1f568f6c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers