MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb6e522546a83e50fb8759d02881ded745926b7746f06f64694a13aedadd2d6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb6e522546a83e50fb8759d02881ded745926b7746f06f64694a13aedadd2d6e
SHA3-384 hash: 2ebfc613ef84edae5e5a522288935caa853543729065a74cf0f2731373ac6756581b370e918ecccd578c494c9198ef42
SHA1 hash: 657a978dfd2918d3adfb94001c16c94890b3499d
MD5 hash: 03903dd6bc470a44ed1cb27e4e965854
humanhash: illinois-golf-lamp-ten
File name:03903dd6bc470a44ed1cb27e4e965854.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:591'360 bytes
First seen:2021-08-25 05:39:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3bdc58d7d3add14fdfc74404aa032a2d (7 x RaccoonStealer, 3 x RedLineStealer, 2 x CoinMiner)
ssdeep 12288:0sdaynF/iUKXvE0nmG8Um2HmD06lSxYwR8m4QgnpNnJwrEcF:0s5JifTmV2GgsSSwR8dRC
Threatray 4'460 similar samples on MalwareBazaar
TLSH T175C412003664C637C0A695B144D687A0E778B9925F668A4337D8EE1F6F343F0BB2B365
dhash icon 4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
03903dd6bc470a44ed1cb27e4e965854.exe
Verdict:
Malicious activity
Analysis date:
2021-08-25 05:56:56 UTC
Tags:
stealer trojan
Link:
https://app.any.run/tasks/78ef4721-291e-42fd-ad51-1cc8d7d5523e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/182167/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46860763.10369.17798.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Reading critical registry keys
Delayed reading of the file
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Creating a window
DNS request
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file in the Program Files subdirectories
Creating a file in the %AppData% directory
Searching for analyzing tools
Searching for the window
Launching a process
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88be6ca6-305e-4c6c-a68f-1e66ede4ffa1
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/838724
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb6e522546a83e50fb8759d02881ded745926b7746f06f64694a13aedadd2d6e/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 18:02:44 UTC
AV detection:
24 of 46 (52.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7nxfejkgva7fb64hlhicrao625cze23xi3yg6zdjjij25ww5fvxa._file
Verdict:
malicious
Similar samples:
199bbc42e66411fd345d097585df9bddba75ff75d0b927fc27d1259348f49793
CryptBot
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
CryptBot
4f8ce35ede11311d3929f003252184cd364046fb0bbddb083688a57c672acf38
CryptBot
5a2f819b56fc962aa6f4e34d59eea86956299b3ff809ca166e404440b9af7ca6
CryptBot
820194153174a679179e3649a4ebac8f39b4fefd2836d19ae1241e4e520fae26
CryptBot
88b21d6bda07db2097615a88062328006f0c10d199d4fc5e50483d6fd6abe622
CryptBot
ab749e7cd59a78a07a9b31ecaac7ada27da490d97bbe62756c19baa96c64be07
CryptBot
d1e3656b4e1c609b2540cff74f59319a52d7fabf4cc512db0c7f9d3e8fe49ec7
CryptBot
d34e63dbaeb352c7fbf69e3afcd140ca188aaf9492bbb209401bdbcc6028b07c
CryptBot
+ 4'450 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/210825-b2aecs5ss6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
CryptBot
CryptBot Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
bunewx22.top
moreid02.top
Unpacked files
SH256 hash:
8ee5e96d4a13c97ec33402dfc76c6dbce938a3000f64521068d364853829c469
MD5 hash:
491d763c0d0596c8429c1910b2dbb003
SHA1 hash:
eecb15ba57fef7bda93ad41df65cd9e94a62c1d0
Detections:
win_cryptbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/40bbc3e5-a6ba-4e7b-9968-0f3947a0f115/
Parent samples :
b811ee0b920a723d99831ea6b3bab492189a69797d47a809cb0be4248f7eec08
7c3b2df673868d8f99e2cea7d58bcf356bd59c1a49340e5a8a285e06a517fb1f
fb6e522546a83e50fb8759d02881ded745926b7746f06f64694a13aedadd2d6e
SH256 hash:
fb6e522546a83e50fb8759d02881ded745926b7746f06f64694a13aedadd2d6e
MD5 hash:
03903dd6bc470a44ed1cb27e4e965854
SHA1 hash:
657a978dfd2918d3adfb94001c16c94890b3499d
Link:
https://www.unpac.me/results/40bbc3e5-a6ba-4e7b-9968-0f3947a0f115/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb6e522546a83e50fb8759d02881ded745926b7746f06f64694a13aedadd2d6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:win_cryptbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.cryptbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe fb6e522546a83e50fb8759d02881ded745926b7746f06f64694a13aedadd2d6e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/182167/
  
URLhaus
https://urlhaus.abuse.ch/url/1560380/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1559474/

Comments