MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f627cdcd4882aeee1329e0fb22e0cede29c0c743f40a002cbdbd1a4c2c6592ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CryptBot


Vendor detections: 10



SHA256 hash: f627cdcd4882aeee1329e0fb22e0cede29c0c743f40a002cbdbd1a4c2c6592ca
SHA3-384 hash: 2ab389d27eda93132ac2c4e2445b6cc332511f7a8ceab6aa897819b8a88dbad335073a55df7bf0b3006891401cd8ee90
SHA1 hash: 64309c113c35e73c5e86a53490ef34883104a887
MD5 hash: 941cc4113e6e0e3a7085f8ec79e3f221
humanhash: hawaii-whiskey-salami-five
File name: 941CC4113E6E0E3A7085F8EC79E3F221.exe
Signature CryptBot
File size: 350'208 bytes
First seen: 2021-05-25 00:40:27 UTC
Last seen: 2021-05-25 01:00:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash d5928446ed957358e32c664070d1dcd3 (2 x CryptBot)
ssdeep 6144:uQrZDuYdWqahrnH0EFdCLtlljFPcdm2yOpueqtEWpl8wACCHrHnsSt:uQrZDLdWqahrnP0LN6dHvDHrP
Threatray 454 similar samples on MalwareBazaar
TLSH 6074AF01A7E1C035F5B316F45B7993A8953E7EE16F3890CB22D626EA5A746E0EC30307
Reporter abuse_ch
Tags: CryptBot exe


abuse_ch
CryptBot C2:
http://morbqm01.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                ThreatFox Reference
http://morbqm01.top/index.php      https://threatfox.abuse.ch/ioc/58050/
http://geotel12.top/index.php      https://threatfox.abuse.ch/ioc/59215/

Intelligence


File Origin
# of uploads: 2
# of downloads: 157
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 941CC4113E6E0E3A7085F8EC79E3F221.exe
Verdict: Malicious activity
Analysis date: 2021-05-25 00:52:12 UTC
Tags: trojan loader rat redline stealer evasion phishing

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
DNS request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending an HTTP GET request
Launching a process
Creating a file
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Creating a window
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cryptbot RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Cryptbot
Yara detected Evader
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID: 423429, Sample: qpU7deukKl.exe, Startdate: 25/05/2021, Architecture: WINDOWS, Score: 100)
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2021-05-25 00:41:07 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:cryptbot family:redline botnet:77777 botnet:mix 25.05 infostealer spyware stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Kills process with taskkill
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
RedLine
RedLine Payload
Malware Config
C2 Extraction:
xanerlaychi.xyz:80
xisolenoy.xyz:80
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_RedLine
Author: ditekshen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: Telegram_stealer_bin_mem
Author: James_inthe_box
Description: Telegram in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments