MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 9


Intelligence 9 IOCs 2 YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
SHA3-384 hash: 54334fb33d7457bc6f6bb0af4f2cbd53eb61e50249b5aee988a7816b95398cfc0e225f258506696c26e922e40f76dc7b
SHA1 hash: df0e4a41f545a4141c62cf7c7dff06c3a24e32cc
MD5 hash: 4d0dcd6cba9b3e15150f22d6f3fe296a
humanhash: december-network-nitrogen-lion
File name:4D0DCD6CBA9B3E15150F22D6F3FE296A.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:260'608 bytes
First seen:2021-05-05 08:15:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1fd9e342b2ebbda3ba9ce29be5d2b9ad (1 x CryptBot)
ssdeep 3072:8vYkmnJi0gsJ4bUN2Rivcy+C27fciYcz2jP3gis5gimRgxRq1nSrgKYl5fbXaC:8LfdbUQRivcyb2bcTcz27gigiCE1P
Threatray 618 similar samples on MalwareBazaar
TLSH 1E44C00031D1C033D1963A7A4835CB794FBBBCE56A126B8F6BD53AB99F353D1962034A
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://morczs02.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://morczs02.top/index.php https://threatfox.abuse.ch/ioc/29090/
http://eostco22.top/index.php https://threatfox.abuse.ch/ioc/29091/

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150072/
Detection(s):
Win.Malware.Generic-9857167-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Reading critical registry keys
Delayed reading of the file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/711639
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Cryptbot
Yara detected Evader
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 404746 Sample: Qau4wCF5R7.exe Startdate: 05/05/2021 Architecture: WINDOWS Score: 100 96 slTAORJZJIFAqFpyV.slTAORJZJIFAqFpyV 2->96 98 a-0019.a.dns.afd.azure.com 2->98 128 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->128 130 Multi AV Scanner detection for domain / URL 2->130 132 Found malware configuration 2->132 134 14 other signatures 2->134 12 Qau4wCF5R7.exe 28 2->12         started        signatures3 process4 dnsIp5 110 g-clean.in 45.134.255.46, 49726, 49727, 49728 GREENFLOID-ASUA Russian Federation 12->110 112 iplogger.org 88.99.66.31, 443, 49758, 49759 HETZNER-ASDE Germany 12->112 114 3 other IPs or domains 12->114 88 C:\Users\user\AppData\...\81108307666.exe, PE32 12->88 dropped 90 C:\Users\user\AppData\...\53626868866.exe, PE32 12->90 dropped 92 C:\Users\user\AppData\...\21700689815.exe, PE32 12->92 dropped 94 6 other files (4 malicious) 12->94 dropped 170 Detected unpacking (changes PE section rights) 12->170 172 Detected unpacking (overwrites its own PE header) 12->172 174 May check the online IP address of the machine 12->174 17 cmd.exe 1 12->17         started        19 cmd.exe 1 12->19         started        21 cmd.exe 1 12->21         started        23 cmd.exe 12->23         started        file6 signatures7 process8 process9 25 81108307666.exe 8 17->25         started        30 conhost.exe 17->30         started        32 53626868866.exe 19->32         started        34 conhost.exe 19->34         started        36 21700689815.exe 49 21->36         started        38 conhost.exe 21->38         started        40 conhost.exe 23->40         started        42 taskkill.exe 23->42         started        dnsIp10 100 nailedpizza.top 25->100 102 iplogger.org 25->102 82 C:\Users\user\AppData\...\edspolishpp.exe, PE32 25->82 dropped 136 Detected unpacking (overwrites its own PE header) 25->136 138 May check the online IP address of the machine 25->138 140 Sample or dropped binary is a compiled AutoHotkey binary 25->140 44 edspolishpp.exe 25->44         started        142 Detected unpacking (changes PE section rights) 32->142 144 Contains functionality to inject code into remote processes 32->144 146 Injects a PE file into a foreign processes 32->146 48 53626868866.exe 16 32->48         started        104 mormtw03.top 185.193.143.186, 49785, 80 DIGITALENERGY-ASRU Russian Federation 36->104 106 eosytv32.top 34.125.221.208, 49782, 80 GOOGLEUS United States 36->106 108 agnuxg04.top 36->108 84 C:\Users\user\AppData\Local\Temp84aris.exe, PE32 36->84 dropped 86 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 36->86 dropped 148 Tries to harvest and steal browser information (history, passwords, etc) 36->148 50 Naris.exe 36->50         started        53 cmd.exe 36->53         started        file11 signatures12 process13 dnsIp14 116 wialadyar.xyz 44->116 118 wialadyar.xyz 79.141.170.43, 49764, 49766, 49767 HZ-UK-ASGB Bulgaria 44->118 120 api.ip.sb 44->120 150 Detected unpacking (changes PE section rights) 44->150 152 Detected unpacking (overwrites its own PE header) 44->152 154 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 44->154 168 2 other signatures 44->168 122 truzen.site 62.113.117.9, 49744, 49752, 80 VDSINA-ASRU Russian Federation 48->122 124 elb097307-934924932.us-east-1.elb.amazonaws.com 54.243.154.178, 49742, 80 AMAZON-AESUS United States 48->124 126 2 other IPs or domains 48->126 156 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 48->156 158 Tries to steal Instant Messenger accounts or passwords 48->158 160 Tries to harvest and steal browser information (history, passwords, etc) 48->160 162 Tries to harvest and steal Bitcoin Wallet information 48->162 72 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 50->72 dropped 74 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 50->74 dropped 76 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 50->76 dropped 78 3 other files (none is malicious) 50->78 dropped 164 Machine Learning detection for dropped file 50->164 55 vpn.exe 50->55         started        57 4.exe 50->57         started        60 conhost.exe 53->60         started        62 timeout.exe 53->62         started        file15 166 Performs DNS queries to domains with low reputation 116->166 signatures16 process17 file18 64 at.exe 55->64         started        66 cmd.exe 55->66         started        80 C:\Users\user\AppData\...\SmartClock.exe, PE32 57->80 dropped process19 process20 68 conhost.exe 64->68         started        70 conhost.exe 66->70         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172/
Threat name:
Win32.Trojan.Ranumbot
Create hunting rule
Status:
Malicious
First seen:
2021-05-02 18:56:56 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7kb4bo3rbgd434of5ukuadmtrpebruqmgsxz5fxizwm7ykwdufza._file
Verdict:
malicious
Similar samples:
2646ae31ed3d84368a410fee518a2b5b9090931dbcfa690632a4ab541eb9557e
CryptBot
2e00fe5b5239656d02676e4e95e200ef21c1d1986e07d4c8d64d16ec1d6e821f
CryptBot
3688577e500b07cc1818d4c994651f791659efbf8ef3ff88329f25c4f65aba24
CryptBot
65cb803d8339bc32863bd557a882cf2016ad7945b18f344aeb94860ca8f6b235
CryptBot
6b956e92b865ecc772c63964eee6d3ef9fcb56eea1b62c52130486d09b006542
CryptBot
70c29fa01c7cb936c92b0df9b8fc1faea3c7108e7dae3d32aa0b889b392dc53d
CryptBot
7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d
CryptBot
7deefc102955d15af316521068fd9df9474507a3f0d4ef0c8cfbae498dd8fdef
CryptBot
c8a30abef2939b6c3b6193feffbaf8ba4a87c79fc32e71b10b94bbdb8e1e238f
CryptBot
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
CryptBot
+ 608 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:fickerstealer family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210505-xt7v3z6shj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
RedLine
RedLine Payload
fickerstealer
Malware Config
C2 Extraction:
truzen.site:80
Unpacked files
SH256 hash:
a3b10d59b993a911f351a93f5eea14bcef3269be5ddad990cab7f690d6eab6ea
MD5 hash:
c4067e1cdb9f7829e8571701c9878d82
SHA1 hash:
8f2d15e89f4f5a3c91687da3455d39b451cd7f67
Link:
https://www.unpac.me/results/a8010a4a-1d60-4581-b568-c51390282f62/
SH256 hash:
fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
MD5 hash:
4d0dcd6cba9b3e15150f22d6f3fe296a
SHA1 hash:
df0e4a41f545a4141c62cf7c7dff06c3a24e32cc
Link:
https://www.unpac.me/results/a8010a4a-1d60-4581-b568-c51390282f62/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_Ficker
Create hunting rule
Author:ditekSHen
Description:Detects Ficker infostealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150072/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 09:02:20 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
1) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0047] File System Micro-objective::Delete File
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0052] File System Micro-objective::Writes File
9) [C0007] Memory Micro-objective::Allocate Memory
10) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
11) [C0040] Process Micro-objective::Allocate Thread Local Storage
12) [C0042] Process Micro-objective::Create Mutex
13) [C0041] Process Micro-objective::Set Thread Local Storage Value
14) [C0018] Process Micro-objective::Terminate Process
15) [C0039] Process Micro-objective::Terminate Thread