MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0023f0cdf72f620b0d65713aa917d8f8a409b193e6031fa2fe2e4439b152138. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments 1

SHA256 hash:	f0023f0cdf72f620b0d65713aa917d8f8a409b193e6031fa2fe2e4439b152138
SHA3-384 hash:	45485753c1125dea6b9b01d0a037690a8272a8bdfdfb52dee722cadcf604649ac657a195abc092b8054a2468a5711b1f
SHA1 hash:	c548ed16302741a2d626e51823924d7fe7ea1578
MD5 hash:	590d0d9111ed9bc27b57fbee2298e9eb
humanhash:	robert-venus-texas-yellow
File name:	590d0d9111ed9bc27b57fbee2298e9eb
Download:	download sample
Signature	CryptBot Create hunting rule
File size:	291'840 bytes
First seen:	2021-12-15 12:43:02 UTC
Last seen:	2021-12-15 14:48:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	86448523176a55715540b63ea9446eba (1 x CryptBot, 1 x RedLineStealer)
ssdeep	6144:oJMJ57qo+eFy/qIFSrKSuz//3KA0E1cVAXkueq:oGJ5/+2y/wmSuDKiqXw
Threatray	2'642 similar samples on MalwareBazaar
TLSH	T12154F1317AA2E871C99259354830DB981E7BB8339931D00B77942BAFAFF33C15636356
File icon (PE):
dhash icon	327a7c7d767c6e62 (1 x CryptBot)
Reporter	zbetcheckin
Tags:	32 CryptBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

590d0d9111ed9bc27b57fbee2298e9eb

Verdict:

Malicious activity

Analysis date:

2021-12-15 12:46:08 UTC

Tags:

stealer trojan loader

Link:

https://app.any.run/tasks/e58962f0-d150-4d49-b1cf-6411e408adf6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CryptBot

Link:

https://www.capesandbox.com/analysis/214340/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.17845.12150.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

DNS request

Sending an HTTP POST request

Reading critical registry keys

Sending an HTTP GET request

Creating a file

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Running batch commands

Creating a file in the Program Files subdirectories

Launching a process

Launching the default Windows debugger (dwwin.exe)

Searching for analyzing tools

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2124/overview

Behaviour

MalwareBazaar

CPUID_Instruction

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61b9e2da45ca64e57f117dc6/reports/ab2c66f0-8a16-48b7-af00-2e7d30313a56/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

CryptBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4247e69a-a1a4-499b-a86b-248959ee841b

Result

Threat name:

Cryptbot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/907859

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Cryptbot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f0023f0cdf72f620b0d65713aa917d8f8a409b193e6031fa2fe2e4439b152138/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-12-15 12:44:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 28 (96.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6abd6dg7ol3cbmgwk4j2vel5r6febgyzhzqdd6rp4lsehgyvee4a._file

Verdict:

malicious

CryptBot

108cad79cd5bd2a947c5b877a55b7d3a6a4ce579aae3f298c0618154c27eb3d4

CryptBot

12505bb6e3c63202f22db1d60afd4a0a386ddff8807bf0d1f8583ba57f6413ba

CryptBot

25c212b01aed427cbe5c5e0f06e5edd0188f881551347aa20804b3da88da2af2

CryptBot

3836136ddb7cfa2fc48e44c6b385da79df47380445f4c4fdaf552cf0aeb09816

CryptBot

41ce43aa875bf977ec9eb039e5853ade1af522dd0dff4f19282f6c8038ae2dff

CryptBot

583c189b3d8bc98c7a9e22ba2ad1fce8210222fa636287f8fa3fd7b291cd778c

CryptBot

6330461af12e55ea57217260de72f3bb9b70b1eff431b6ad1801ec23ebdb1b9b

CryptBot

f1df708a846482e0d856754d5178d80109b068dc589494e6e831e2cfa2148b30

CryptBot

ff721387c09c52da9e700f8c45a576b3bb23fd9235de81ebc5259793ac643eef

CryptBot

+ 2'632 additional samples on MalwareBazaar

Result

Malware family:

danabot

Score:

10/10

Tags:

family:cryptbot family:danabot banker discovery evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/211215-pxxfnaadgp/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

CryptBot

Danabot

Danabot Loader Component

Malware Config

C2 Extraction:

sezsmi32.top
morswd03.top
142.11.244.223:443
23.106.122.139:443

Unpacked files

SH256 hash:

2bb4a3a70b8b15d4a96a1d3489102551f599adfd0769d86288e252bd6ef03539

MD5 hash:

1a4e64bf44a29bae969df30e79f3f59c

SHA1 hash:

369a83190c1bacd0a45c9f52bf213d19c25198bf

Link:

https://www.unpac.me/results/3a9f1872-491d-443d-8463-5b741cb5c4f7/

SH256 hash:

f0023f0cdf72f620b0d65713aa917d8f8a409b193e6031fa2fe2e4439b152138

MD5 hash:

590d0d9111ed9bc27b57fbee2298e9eb

SHA1 hash:

c548ed16302741a2d626e51823924d7fe7ea1578

Link:

https://www.unpac.me/results/3a9f1872-491d-443d-8463-5b741cb5c4f7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f0023f0cdf72f620b0d65713aa917d8f8a409b193e6031fa2fe2e4439b152138

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers