cryptbot | 1a1473655a8c5bd91dd85a303d458cae759a73b50dbc635a0f3da25dfbd17297 | Triage

Submit
Reports

Overview

overview

Static

static

9b7b9e383b...0a.exe

windows7_x64

8

9b7b9e383b...0a.exe

windows10_x64

Sharing

General

Target

9b7b9e383bdaa6d350c768d010bd960a.exe
Size

1.7MB
Sample

210529-4hbgyjntvn
MD5

9b7b9e383bdaa6d350c768d010bd960a
SHA1

cec89fc1ffac4c4d30f88b99dfeafb74661dc57f
SHA256

1a1473655a8c5bd91dd85a303d458cae759a73b50dbc635a0f3da25dfbd17297
SHA512

2206e5c77c1035f3588b770d4a334bd4e73c007e6e38a3f11b553da6cf99ecc0d33ab55bf6b9b29b8ab456b0a1d4947c0ec4dcb4a2ac78fa287568e92109ac36

Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

9b7b9e383bdaa6d350c768d010bd960a.exe

Resource

win7v20210410

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

9b7b9e383bdaa6d350c768d010bd960a.exe

Resource

win10v20210410

cryptbot danabot 3 banker discovery spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

rsa_pubkey.plain

Targets

- Target
  
  9b7b9e383bdaa6d350c768d010bd960a.exe
- Size
  
  1.7MB
- MD5
  
  9b7b9e383bdaa6d350c768d010bd960a
- SHA1
  
  cec89fc1ffac4c4d30f88b99dfeafb74661dc57f
- SHA256
  
  1a1473655a8c5bd91dd85a303d458cae759a73b50dbc635a0f3da25dfbd17297
- SHA512
  
  2206e5c77c1035f3588b770d4a334bd4e73c007e6e38a3f11b553da6cf99ecc0d33ab55bf6b9b29b8ab456b0a1d4947c0ec4dcb4a2ac78fa287568e92109ac36
Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

cryptbotdanabot3bankerdiscoveryspywarestealertrojan

© 2018-2024

Terms | Privacy