MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1e81f8fc03025e450dc6d59f86acd9cb55942d3bc94f82c28274e08fc2074f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1e81f8fc03025e450dc6d59f86acd9cb55942d3bc94f82c28274e08fc2074f8
SHA3-384 hash: 3d719ad13e969c66d7a9e1cecf015a70484ec12a139b68e00dd283fa85caa012fd212ead5c5fc908b7ffae0a985b6923
SHA1 hash: bbf395f0d0be607e32cbae78100c212d2f09f3b8
MD5 hash: 25c8d55c8d2ac4fb39dfe3d063304c72
humanhash: red-lithium-maine-bluebird
File name:p3.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:2'943'760 bytes
First seen:2021-11-17 15:35:05 UTC
Last seen:2021-11-17 15:50:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 46bddfa30f61434af1832cfbac524afb (1 x CryptBot)
ssdeep 12288:rxfdNCLK0hUkqbedNheslK8xVyFmA084XlgyDVG7JGEe2wkdCBpHSISFgCOAXz3W:PH0hXqIosNVJK/wVG5dCTHMPJG
Threatray 16 similar samples on MalwareBazaar
TLSH T1E1D566E0F829FE57F326D438A014F668C6D91091E716D07BB02AFAA455BF390245DB2F
Reporter 0091_sec
Tags:CryptBot exe Loader

Intelligence

File Origin
# of uploads :
3
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
p3.exe
Verdict:
Malicious activity
Analysis date:
2021-11-17 14:56:53 UTC
Tags:
trojan stealer loader
Link:
https://app.any.run/tasks/5f542dde-35b5-42a2-986f-fce4db1579b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.UntrustedCertificate.iObit-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Creating a window
Sending an HTTP POST request
Reading critical registry keys
Sending an HTTP GET request
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/619521662695a62af9f241a0/reports/eb248f09-b2b3-4197-87ee-8231c7df3838/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d7d055b-0815-4875-b436-4bcb5d6611b6
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/891320
Signature
C2 URLs / IPs found in malware configuration
Detected potential unwanted application
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1e81f8fc03025e450dc6d59f86acd9cb55942d3bc94f82c28274e08fc2074f8/
Threat name:
Win32.Trojan.SelfDel
Create hunting rule
Status:
Malicious
First seen:
2021-11-17 15:36:04 UTC
AV detection:
14 of 44 (31.82%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6hub7d6agas6iug4nvm7q2wnts2vsqwtxskpqlbie5har7baot4a._file
Verdict:
malicious
Similar samples:
0416ac4ffcec3299fa96d3db1837fe245fb398890abc1e19481485503fcaa679
CryptBot
32c6d9d772bf954b06f37b26d1b431aae37d1ff160747cce69d165db62643d49
CryptBot
59193209add2aa657db4343d23ddc12453746a3cdf63117db522f3976bd88cc0
CryptBot
6319b895e7a61947bfa702bf9f092d585f76a983666bbceb8d6dcbabe50e330d
CryptBot
879fccdf9b4b09063a6dbf1ac2cc381a1ebcacf6e38f5b8d4889785a4ccde22a
CryptBot
8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17
CryptBot
bf45b415add34c4a9cfd28e2f0060a5771b452a290d4807cc66e5e0355b014c0
CryptBot
+ 6 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/211117-s1ea2aabdk/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
CryptBot
Malware Config
C2 Extraction:
ciplfk33.top
moryow03.top
Unpacked files
SH256 hash:
41d113b1a06298f65b53ee2fc2131b6d0b718dc7eace4eeec8049a461aebc9fd
MD5 hash:
2dcf95ee625bbbcb2ff3dfe3e64ddd9d
SHA1 hash:
1f03c732692d1c824e98eb2429221ae8c999a192
Link:
https://www.unpac.me/results/9ceb0ef8-533f-4f8e-94a1-2ebbb4d6fc94/
SH256 hash:
f1e81f8fc03025e450dc6d59f86acd9cb55942d3bc94f82c28274e08fc2074f8
MD5 hash:
25c8d55c8d2ac4fb39dfe3d063304c72
SHA1 hash:
bbf395f0d0be607e32cbae78100c212d2f09f3b8
Link:
https://www.unpac.me/results/9ceb0ef8-533f-4f8e-94a1-2ebbb4d6fc94/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f1e81f8fc030/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CryptBot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1e81f8fc03025e450dc6d59f86acd9cb55942d3bc94f82c28274e08fc2074f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe f1e81f8fc03025e450dc6d59f86acd9cb55942d3bc94f82c28274e08fc2074f8

(this sample)

anyrun
any.run
https://app.any.run/tasks/5f542dde-35b5-42a2-986f-fce4db1579b5/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/206924/

Comments