MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edf429e26636ba7c240cc68f30a4a22360fc97156b8855c1cd7bde74c78082f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: edf429e26636ba7c240cc68f30a4a22360fc97156b8855c1cd7bde74c78082f2
SHA3-384 hash: 15662f4996d717fdea1a06570c390df13c6967d0e09f4527f67b50dab621ba752c2cb5239e280d52240dda6052915e7b
SHA1 hash: 5a4b3cbc623065487f9c593729df6bea7873cf5a
MD5 hash: 076810b909fadd7de64a172e5f5ca349
humanhash: fillet-lactose-jersey-comet
File name:076810b909fadd7de64a172e5f5ca349.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:330'240 bytes
First seen:2021-09-19 06:26:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1bd6d269463cc591268b8d14694f5ae5 (11 x RaccoonStealer, 3 x ArkeiStealer, 2 x RedLineStealer)
ssdeep 6144:9TZQsCR1RkrzX9L6K3DrpI22NitVTjMUhXeisWEhu32chY:9Z8mrzX9L1rpI2njMUhXeisX8o
Threatray 436 similar samples on MalwareBazaar
TLSH T10464CF20BA90C035F4B712F959BA93A9B93C7AB05B3450CB52E626FA17387E4DD30747
File icon (PE):PE icon
dhash icon ead8ac9cc6e69ee0 (1 x Stop, 1 x CryptBot)
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
076810b909fadd7de64a172e5f5ca349.exe
Verdict:
Malicious activity
Analysis date:
2021-09-19 06:28:41 UTC
Tags:
stealer trojan loader
Link:
https://app.any.run/tasks/19c734d0-f5b0-493e-8f41-4c821fa46d06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189029/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.22696.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Launching the default Windows debugger (dwwin.exe)
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4823491-695b-4cf1-931b-f8367dbe4b6e
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853433
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Submitted sample is a known malware sample
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 485864 Sample: xJZ4uTSPYK.exe Startdate: 19/09/2021 Architecture: WINDOWS Score: 100 82 Antivirus detection for URL or domain 2->82 84 Antivirus detection for dropped file 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 7 other signatures 2->88 11 xJZ4uTSPYK.exe 46 2->11         started        16 IntelRapid.exe 2->16         started        18 IntelRapid.exe 2->18         started        process3 dnsIp4 74 moraub06.top 89.41.182.69, 49739, 80 TENNETRO Romania 11->74 76 duotul62.top 195.133.145.24, 49738, 80 MTW-ASRU Russian Federation 11->76 78 cazars09.top 176.118.164.156, 49740, 49741, 80 DIGITALENERGY-ASRU Russian Federation 11->78 68 C:\Users\user\AppData\Local\Temp\File.exe, PE32 11->68 dropped 70 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 11->70 dropped 116 Detected unpacking (overwrites its own PE header) 11->116 118 Self deletion via cmd delete 11->118 120 Tries to harvest and steal browser information (history, passwords, etc) 11->120 20 File.exe 25 11->20         started        24 cmd.exe 1 11->24         started        122 Query firmware table information (likely to detect VMs) 16->122 124 Hides threads from debuggers 16->124 126 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->126 file5 signatures6 process7 file8 56 C:\Users\user\AppData\Local\...\vidduivp.exe, PE32 20->56 dropped 58 C:\Users\user\AppData\Local\...\feared.exe, PE32+ 20->58 dropped 60 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 20->60 dropped 62 3 other files (none is malicious) 20->62 dropped 96 Antivirus detection for dropped file 20->96 98 Multi AV Scanner detection for dropped file 20->98 26 feared.exe 4 20->26         started        30 vidduivp.exe 19 20->30         started        100 Submitted sample is a known malware sample 24->100 102 Obfuscated command line found 24->102 104 Uses ping.exe to check the status of other devices and networks 24->104 32 conhost.exe 24->32         started        34 timeout.exe 1 24->34         started        signatures9 process10 file11 64 C:\Users\user\AppData\...\IntelRapid.exe, PE32+ 26->64 dropped 108 Multi AV Scanner detection for dropped file 26->108 110 Query firmware table information (likely to detect VMs) 26->110 112 Machine Learning detection for dropped file 26->112 114 2 other signatures 26->114 36 IntelRapid.exe 26->36         started        66 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 30->66 dropped 39 cmd.exe 1 30->39         started        signatures12 process13 signatures14 90 Query firmware table information (likely to detect VMs) 36->90 92 Hides threads from debuggers 36->92 94 Tries to detect sandboxes / dynamic malware analysis system (registry check) 36->94 41 cmd.exe 3 39->41         started        44 conhost.exe 39->44         started        process15 signatures16 106 Obfuscated command line found 41->106 46 PING.EXE 1 41->46         started        49 Hai.exe.com 41->49         started        51 findstr.exe 1 41->51         started        process17 dnsIp18 80 127.0.0.1 unknown unknown 46->80 53 Hai.exe.com 49->53         started        process19 dnsIp20 72 TyNEAAOqElOMWAdYPaps.TyNEAAOqElOMWAdYPaps 53->72
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/edf429e26636ba7c240cc68f30a4a22360fc97156b8855c1cd7bde74c78082f2/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 02:51:11 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5x2ctytgg25hyjamy2htbjfcenqpzfyvnoeflqonppphjr4aqlza._file
Verdict:
malicious
Similar samples:
15ad913c094cd58fffa2067d86b75cf08fbcac95c16c2d68bab5b3498f059e31
CryptBot
4812efb0999ba68eaec97f7318e4d23bfbe3c46c11084dbf989a3623cb7285be
CryptBot
49113451c4baac2ee6b97486bd1f57dcf68891d55ff4782daa4d578e23e78d7c
CryptBot
6afa5829ac5dfbb7098a32cef1dca23e5bbdf9a1bc0805670451eeed534c5636
CryptBot
6ebf8ce8d1c0147cbd6cff787cb552c3ddf2478123067fb5c699d82da5590811
CryptBot
71536640ec28b6c7f0e1d84b33099a780ccefa60f66a7fbf5c5794a676e36f47
CryptBot
97ba799812a017db5224343b4d2fd5a3b6564158fac6e30f8c4c906013e487e0
CryptBot
aa88fc6977bf02c959ffa6865b99eeee8c1735001f824d1bbcc4ff01d93fbb74
CryptBot
e548eec04561ac1796f5139c6ea32704675cde8391ce3a737da5d3263c36f238
CryptBot
+ 426 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/210919-g6944sbgb8/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
5374a879e3c960acc4640a5122fc6d01fecae0f111be543d5f272be565e76ff9
MD5 hash:
7fa58aad98bec1e0a596c79818fb1f45
SHA1 hash:
8f904266e5c3a79c6948600815d6f629a4dbcff1
Link:
https://www.unpac.me/results/5567b532-6345-4530-b562-e634bea0b2c2/
SH256 hash:
edf429e26636ba7c240cc68f30a4a22360fc97156b8855c1cd7bde74c78082f2
MD5 hash:
076810b909fadd7de64a172e5f5ca349
SHA1 hash:
5a4b3cbc623065487f9c593729df6bea7873cf5a
Link:
https://www.unpac.me/results/5567b532-6345-4530-b562-e634bea0b2c2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/edf429e26636ba7c240cc68f30a4a22360fc97156b8855c1cd7bde74c78082f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe edf429e26636ba7c240cc68f30a4a22360fc97156b8855c1cd7bde74c78082f2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1629696/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189029/

Comments