MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff1441aa587cc6b6591a65bf0cc3bfee0902dc68816e861eaf4d6223e994b790. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff1441aa587cc6b6591a65bf0cc3bfee0902dc68816e861eaf4d6223e994b790
SHA3-384 hash: 2be2dba69bc946f8fbe13282ab0259169ca25e889a64d9e09e8fb59375c9e43af942d1afbd722a28a56517ec78ece283
SHA1 hash: 9a4342ec04f2d5e763f009d3026a56bdbe63c57f
MD5 hash: 5369a631efaa3bb8a1e001ffa061fdb4
humanhash: glucose-april-six-wolfram
File name:mainsetupv1.0.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:1'746'689 bytes
First seen:2021-05-08 13:03:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 24576:fdW6CGHALglEPhbNtAA7yODUAB6Wzdi2hnFhqqA59PuTIPf+TrlKc3zHNB2In0yS:fdW6CGHAUGPhhtAyUkNnPqRPsNJNMI8
Threatray 173 similar samples on MalwareBazaar
TLSH 77852310B1EB16B3C9A41AB0DC42B37645AFBD240F188BCB67C438476E725D5AB3D297
Reporter LittleRedBean2
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Mainsetupv1.0.exe
Verdict:
Malicious activity
Analysis date:
2021-05-08 03:42:16 UTC
Tags:
autoit stealer trojan
Link:
https://app.any.run/tasks/21e37e53-156b-4005-bd8b-a1b76de5e343

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/153206/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Adware.Softobase.12.1822.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Sending a UDP request
Creating a process from a recently created file
Deleting a recently created file
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/718610
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Copying Sensitive Files with Credential Data
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 408235 Sample: mainsetupv1.0.exe Startdate: 08/05/2021 Architecture: WINDOWS Score: 100 41 eoswpa55.top 2->41 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 10 mainsetupv1.0.exe 7 2->10         started        signatures3 process4 signatures5 59 Very long command line found 10->59 61 Contains functionality to register a low level keyboard hook 10->61 13 cmd.exe 1 10->13         started        16 findstr.exe 1 10->16         started        process6 signatures7 63 Submitted sample is a known malware sample 13->63 65 Obfuscated command line found 13->65 67 Uses ping.exe to sleep 13->67 69 Uses ping.exe to check the status of other devices and networks 13->69 18 cmd.exe 3 13->18         started        21 conhost.exe 13->21         started        23 conhost.exe 16->23         started        process8 signatures9 45 Obfuscated command line found 18->45 47 Uses ping.exe to sleep 18->47 25 Bel.exe.com 18->25         started        27 PING.EXE 1 18->27         started        30 findstr.exe 1 18->30         started        process10 dnsIp11 33 Bel.exe.com 30 25->33         started        43 127.0.0.1 unknown unknown 27->43 37 C:\Users\user\AppData\Local\...\Bel.exe.com, Targa 30->37 dropped file12 process13 dnsIp14 39 gaOZQPhhWe.gaOZQPhhWe 33->39 49 Tries to harvest and steal browser information (history, passwords, etc) 33->49 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff1441aa587cc6b6591a65bf0cc3bfee0902dc68816e861eaf4d6223e994b790/
Threat name:
Win32.Backdoor.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-07 21:18:41 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=74kedksyptdlmwi2mw7qzq575yeqfxdiqfximhvpjvrch2muw6ia._file
Verdict:
unknown
Similar samples:
0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948
CryptBot
207be23ccd62d0e3d9aefe12f5c2ab142a42a25b1e246e27e0ae9087c2fe96d3
CryptBot
2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9
CryptBot
3f3ce1f91c8f439a2c903fa08544b08e21704a53c3ab260d3a0b8d3dea425020
CryptBot
830c5c98b459bc47ddb319f2262cb248fb9999a6115182b199bb4421f0897051
CryptBot
90a286ac5b49100aeb8038af277dbabc3853e6fe5557c19d5a64885f015596b1
CryptBot
e15820902d036f76c33cd6e8b2efdf4aed6e43a434680320aa7aba1ffca2ec17
CryptBot
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
CryptBot
fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
CryptBot
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
CryptBot
+ 163 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210508-qnhpywhhje/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
4ad15e0b07663e81d02c416f220725a1d3bcefd7d0760c96cc0f3963a3199dc6
MD5 hash:
ac5de0346e9ea740d9b794687eee340c
SHA1 hash:
837e39d9535f8219fb34866de5d3b6b2fc8fbfad
Link:
https://www.unpac.me/results/24b81d78-41fe-419f-84ed-e6aef2167073/
SH256 hash:
80d8162fce9e78cd22e5e509bfd6e0f96438844c9439b3c29d5a258f79cfbb71
MD5 hash:
3ed8909102375d2d7995232432e1bb70
SHA1 hash:
5e589155f2cc0d2b4ed11513daa68b88f6e7bd17
Link:
https://www.unpac.me/results/24b81d78-41fe-419f-84ed-e6aef2167073/
SH256 hash:
ff1441aa587cc6b6591a65bf0cc3bfee0902dc68816e861eaf4d6223e994b790
MD5 hash:
5369a631efaa3bb8a1e001ffa061fdb4
SHA1 hash:
9a4342ec04f2d5e763f009d3026a56bdbe63c57f
Link:
https://www.unpac.me/results/24b81d78-41fe-419f-84ed-e6aef2167073/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff1441aa587cc6b6591a65bf0cc3bfee0902dc68816e861eaf4d6223e994b790

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe ff1441aa587cc6b6591a65bf0cc3bfee0902dc68816e861eaf4d6223e994b790

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/153206/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-08 14:09:33 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [F0002.001] Collection::Application Hook
1) [F0002.002] Collection::Polling
2) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
3) [C0032.001] Data Micro-objective::CRC32::Checksum
4) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
14) [C0017] Process Micro-objective::Create Process
15) [C0038] Process Micro-objective::Create Thread
16) [C0054] Process Micro-objective::Resume Thread
17) [C0018] Process Micro-objective::Terminate Process