MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e548eec04561ac1796f5139c6ea32704675cde8391ce3a737da5d3263c36f238. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot
Vendor detections: 9



SHA256 hash: e548eec04561ac1796f5139c6ea32704675cde8391ce3a737da5d3263c36f238
SHA3-384 hash: b4fed24942d4306d76c13b91e06336db9e1a27009f011ea6dddcbb12504de6ddd8e28f5d8f5713c884a8d1ba8940fa26
SHA1 hash: a7d6a410afab5a9e2883cee0b3035ce4b6a5e8d3
MD5 hash: 885b83cd8ad53622c5c86a2b9a3012ba
humanhash: burger-alanine-kentucky-victor
File name: 885b83cd8ad53622c5c86a2b9a3012ba.exe
Download: download sample
Signature: CryptBot
File size: 331'776 bytes
First seen: 2021-09-18 16:45:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f046730f187f46a60a21ce3e4d696896 (1 x RedLineStealer, 1 x CryptBot)
ssdeep: 6144:q+ZQlRoL+tTd68eCqXb4gb6QQNEKk99cdD8nYmsaiJsytjM:fZstTd68eR4gxQNEKk99cdDONZiJsQM
Threatray: 433 similar samples on MalwareBazaar
TLSH: T1F364CF20B6A0C035F4F712F959BA93A8A43D7A715B3454CF62DA16EE23387E49C30397
dhash icon: ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter: abuse_ch
Tags: CryptBot exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 205
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://cracknet.net
Verdict: Malicious activity
Analysis date: 2021-09-18 13:42:20 UTC
Tags: evasion trojan rat azorult stealer fareit pony redline raccoon loader opendir vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Launching the default Windows debugger (dwwin.exe)

Result
Threat name: Cryptbot Glupteba
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Submitted sample is a known malware sample
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Yara detected Cryptbot
Yara detected Glupteba
Behaviour
Behavior Graph (ID 485686; sample zsY42X1GXV.exe; start date 18/09/2021; architecture WINDOWS; score 100). The rendered graph is not reproduced here; the information recoverable from it is listed below.

Top-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 7 other signatures

Network contacts:
  zsY42X1GXV.exe -> duotul62.top 45.144.64.35 (ports 49744, 80), SUPERSERVERSDATACENTERRU, Russian Federation
  zsY42X1GXV.exe -> cazars09.top 95.181.178.224 (ports 49768, 49769, 80), NEOHOST-ASUA, Russian Federation
  zsY42X1GXV.exe -> moraub06.top 5.101.44.203 (ports 49757, 80), LLHOSTM247EU, Russian Federation
  PING.EXE -> 127.0.0.1
  Hai.exe.com -> TyNEAAOqElOMWAdYPaps.TyNEAAOqElOMWAdYPaps

Process tree (signatures in parentheses, dropped files marked "drops"):
  zsY42X1GXV.exe (Detected unpacking (overwrites its own PE header); Self deletion via cmd delete; Tries to harvest and steal browser information (history, passwords, etc))
    drops C:\Users\user\AppData\Local\Temp\File.exe (PE32); C:\Users\user\AppData\Local\...\lv[1].exe (PE32)
    File.exe (Antivirus detection for dropped file; Multi AV Scanner detection for dropped file)
      drops C:\Users\user\AppData\Local\...\vidduivp.exe (PE32); C:\Users\user\AppData\Local\...\feared.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\UAC.dll (PE32); 3 other files (none is malicious)
      feared.exe (Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check))
        drops C:\Users\user\AppData\...\IntelRapid.exe (PE32+)
        IntelRapid.exe (Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check))
      vidduivp.exe (Machine Learning detection for dropped file)
        drops C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
        cmd.exe
          cmd.exe (Obfuscated command line found)
            PING.EXE
            Hai.exe.com
              Hai.exe.com
            findstr.exe
          conhost.exe
    cmd.exe (Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to check the status of other devices and networks)
      conhost.exe
      timeout.exe
  IntelRapid.exe, two instances started at top level (Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check))
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-09-18 16:46:10 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Unpacked files
SHA256 hash: ede6f3702c323e5eff2b33e02470db080033df7a39e9893a32923e7e2d38ce09
MD5 hash: a77c6502e4a5791d0d3270b21cb44fa3
SHA1 hash: 54db7954ddc40ed5c9967c111006405e292f7174

SHA256 hash: e548eec04561ac1796f5139c6ea32704675cde8391ce3a737da5d3263c36f238
MD5 hash: 885b83cd8ad53622c5c86a2b9a3012ba
SHA1 hash: a7d6a410afab5a9e2883cee0b3035ce4b6a5e8d3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: MALWARE_Win_CryptBot
Author: ditekSHen
Description: CryptBot/Fugrafa stealer payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: CryptBot
File type: Executable exe
SHA256: e548eec04561ac1796f5139c6ea32704675cde8391ce3a737da5d3263c36f238 (this sample)

Delivery method: Distributed via web download

Comments