MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb9aba41f979b8da5bd42d7e7d248daaa23014db0ad5593bbf4967327cd651ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb9aba41f979b8da5bd42d7e7d248daaa23014db0ad5593bbf4967327cd651ae
SHA3-384 hash: 95425438db8d76926bb32425232ef2ff0f8cd82d43d70daf3cb309fb149f83beeb14cafbf2d5dfd9ff7baf5b4ca611b0
SHA1 hash: f9de7f5ed02fc7e24b4411e31cdbfc17afd27af2
MD5 hash: c8aa942d50814189f92ca4a01620b4ed
humanhash: item-ohio-timing-winner
File name:c8aa942d50814189f92ca4a01620b4ed.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:239'104 bytes
First seen:2021-09-24 06:46:32 UTC
Last seen:2021-09-24 08:16:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5fbfc74c3ddccb96d094c58debd98462 (10 x RedLineStealer, 2 x Tofsee, 2 x RaccoonStealer)
ssdeep 3072:t6nvzh7T3Oj1tXS80EBuxgztanuqgdbENxHBnmgQLgk52Bb7CRG8e:t6vzh7Tejf74uCqbWH4eB6R
Threatray 6'445 similar samples on MalwareBazaar
TLSH T17F34F12276F1D83AD6E74A369874C7646A3BF8222D7141CB3755935E5F33381CA26313
File icon (PE):PE icon
dhash icon 1072c293b0381906 (17 x RedLineStealer, 5 x Stop, 4 x DanaBot)
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c8aa942d50814189f92ca4a01620b4ed.exe
Verdict:
Malicious activity
Analysis date:
2021-09-24 06:51:02 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/120f0c10-a5c2-45b7-9ed5-3c6f9848ec1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191061/
Detection(s):
SecuriteInfo.com.Trojan.Agent.FNIK.25475.27812.UNOFFICIAL
Create hunting rule

Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a973d2d8-d379-4464-a719-0650d13b2f9d
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/857106
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb9aba41f979b8da5bd42d7e7d248daaa23014db0ad5593bbf4967327cd651ae/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 19:44:28 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5onluqpzpg4nuw6ufv7h2jenvkrdafg3blkvso57jftte7gwkgxa._file
Verdict:
malicious
Similar samples:
0c6ecad78e1bc58b9a1ed69852ec543cd18ec3819121c0fdca6134267b42da8a
CryptBot
15ad913c094cd58fffa2067d86b75cf08fbcac95c16c2d68bab5b3498f059e31
CryptBot
20c3236616a266a4175355373d2d89742f9a4eae73f2c44b1a8e83a215fde9f1
CryptBot
2b6e1de5e6b89cac7c0fe12c764fc37bc18340303844b1bdf83cf01a71a4f61b
CryptBot
3ccbf80eab6488bad3d00b6d181967e692e045e818fb3ca79887f1a0f5d27677
CryptBot
4812efb0999ba68eaec97f7318e4d23bfbe3c46c11084dbf989a3623cb7285be
CryptBot
6563baa395257badd656572083aa05dc277e6516f079da5c0eddf0b6bbee4ffc
CryptBot
b88d53e26318ee2a958bf6d8c22513a4a7337e0dfcfa77cdbfb9e4ff2d219e43
CryptBot
edf429e26636ba7c240cc68f30a4a22360fc97156b8855c1cd7bde74c78082f2
CryptBot
fb044b65aca85f2778a512ef1a48d4d3d2807f0e6d3e82a038ca39f6e37b6197
CryptBot
+ 6'435 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210924-hj8hfagbe6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
f6a5f69da80f2f3440d92ac43252ae1da64dc31ba6fa4cfd3828096b40f4e2ee
MD5 hash:
1ee266563a912c53ec1e783c72515eab
SHA1 hash:
a9276369a8f8e7ad680ced457ad2d122c7b43ce7
Link:
https://www.unpac.me/results/2161a492-09ef-44ab-8a60-6256addf06f5/
SH256 hash:
eb9aba41f979b8da5bd42d7e7d248daaa23014db0ad5593bbf4967327cd651ae
MD5 hash:
c8aa942d50814189f92ca4a01620b4ed
SHA1 hash:
f9de7f5ed02fc7e24b4411e31cdbfc17afd27af2
Link:
https://www.unpac.me/results/2161a492-09ef-44ab-8a60-6256addf06f5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb9aba41f979b8da5bd42d7e7d248daaa23014db0ad5593bbf4967327cd651ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe eb9aba41f979b8da5bd42d7e7d248daaa23014db0ad5593bbf4967327cd651ae

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1640753/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191061/

Comments