cryptbot | 5ac86c67c41dda69959c312d84f64e389314178b7011202987b47dbb31f48a56

General

Target

Setup.exe
Size

4.5MB
MD5

6c1376ee49b7f498dbb54a22fa0abe55
SHA1

cd2e6f21e5bc1b856048f12b137047dfa5ce67f7
SHA256

5ac86c67c41dda69959c312d84f64e389314178b7011202987b47dbb31f48a56
SHA512

24c23becf36fda4bda041991ecdb23fd69cb6b391d80cdb3d5d009d3a2e4100c7dc1971115a1d88f693a9c5ef5f780b069b74b7c9b76be31a39d39e785ce5209

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 3 IoCs

Processes:

fekli.exeNotepad2.exeprans.exe

pid process

2712 fekli.exe
2796 Notepad2.exe
2960 prans.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fekli.exeprans.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fekli.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fekli.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	prans.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	prans.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

fekli.exeprans.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	fekli.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	prans.exe

Loads dropped DLL 1 IoCs

Processes:

Setup.exe

pid process

2604 Setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

fekli.exeprans.exe

pid process

2712 fekli.exe
2960 prans.exe

pid	process
2604	Setup.exe

flow	ioc
16	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Sync\Back\plan\Notepad2.exe	Setup.exe
File created	C:\Program Files (x86)\Sync\Back\plan\fekli.exe	Setup.exe
File created	C:\Program Files (x86)\Sync\Back\plan\prans.exe	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fekli.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fekli.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fekli.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

prans.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f	prans.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	prans.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	prans.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB	prans.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fekli.exeprans.exe

pid process

2712 fekli.exe
2712 fekli.exe
2960 prans.exe
2960 prans.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

fekli.exe

pid	process
2712	fekli.exe
2712	fekli.exe
2712	fekli.exe
2712	fekli.exe
2712	fekli.exe
2712	fekli.exe
2712	fekli.exe
2712	fekli.exe
2712	fekli.exe
2712	fekli.exe
2712	fekli.exe
2712	fekli.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Setup.exe

description	pid	process	target process
PID 2604 wrote to memory of 2712	2604	Setup.exe	fekli.exe
PID 2604 wrote to memory of 2712	2604	Setup.exe	fekli.exe
PID 2604 wrote to memory of 2712	2604	Setup.exe	fekli.exe
PID 2604 wrote to memory of 2796	2604	Setup.exe	Notepad2.exe
PID 2604 wrote to memory of 2796	2604	Setup.exe	Notepad2.exe
PID 2604 wrote to memory of 2796	2604	Setup.exe	Notepad2.exe
PID 2604 wrote to memory of 2960	2604	Setup.exe	prans.exe
PID 2604 wrote to memory of 2960	2604	Setup.exe	prans.exe
PID 2604 wrote to memory of 2960	2604	Setup.exe	prans.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2604

C:\Program Files (x86)\Sync\Back\plan\fekli.exe
"C:\Program Files (x86)\Sync\Back\plan\fekli.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2712

C:\Program Files (x86)\Sync\Back\plan\Notepad2.exe
"C:\Program Files (x86)\Sync\Back\plan\Notepad2.exe"
2⤵
- Executes dropped EXE
PID:2796

C:\Program Files (x86)\Sync\Back\plan\prans.exe
"C:\Program Files (x86)\Sync\Back\plan\prans.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

5

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Sync\Back\plan\Notepad2.exe
MD5
b60d390ba42c0109ee38de2e0ca56e1a

SHA1
735a4eb61fe695c9bd2c9961f5fa41ac5a73d833

SHA256
9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477

SHA512
97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24

Download Submit
C:\Program Files (x86)\Sync\Back\plan\Notepad2.exe
MD5
b60d390ba42c0109ee38de2e0ca56e1a

SHA1
735a4eb61fe695c9bd2c9961f5fa41ac5a73d833

SHA256
9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477

SHA512
97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24

Download Submit
C:\Program Files (x86)\Sync\Back\plan\fekli.exe
MD5
d1cb4f929e3550e74225a483b00ccd51

SHA1
5fbbd071a6372c62f2632e10e5e875ea55796b0a

SHA256
e697032121e7de781f045c52db959bf8c8297d556ddf280c51a91e4049abd387

SHA512
a8ecc9dfd12c342826dea42caa62c1dc63e5ff0acdce388b3bac4966685cf488bc97ae30bd229e43c2011c582ea15a26c95bf7792786dd87dd639f74d7105b10

Download Submit
C:\Program Files (x86)\Sync\Back\plan\fekli.exe
MD5
d1cb4f929e3550e74225a483b00ccd51

SHA1
5fbbd071a6372c62f2632e10e5e875ea55796b0a

SHA256
e697032121e7de781f045c52db959bf8c8297d556ddf280c51a91e4049abd387

SHA512
a8ecc9dfd12c342826dea42caa62c1dc63e5ff0acdce388b3bac4966685cf488bc97ae30bd229e43c2011c582ea15a26c95bf7792786dd87dd639f74d7105b10

Download Submit
C:\Program Files (x86)\Sync\Back\plan\prans.exe
MD5
17d56acc844bc4834764292c4c85c80e

SHA1
6c58331f1f30e1c0562e5523c832a70e631bacd4

SHA256
2ccc99d14f57afd604e7872c4bc8ea651cb9e8281c537b055ae4b594507e2155

SHA512
888c02f5f2768b051d8f9c30f5426b3df6757fc19146ac3bf2ffee80745ceecfc3856dfd911a305923a383349891c56b684a279287d0577526f62f882028d9c2

Download Submit
\Users\Admin\AppData\Local\Temp\nsr3D5E.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/2712-1-0x0000000000000000-mapping.dmp

Download
memory/2712-9-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/2712-10-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/2796-4-0x0000000000000000-mapping.dmp

Download
memory/2960-7-0x0000000000000000-mapping.dmp

Download
memory/2960-11-0x00000000098E0000-0x00000000098E1000-memory.dmp

Filesize
4KB

Download
memory/2960-12-0x000000000A0E0000-0x000000000A0E1000-memory.dmp

Filesize
4KB

Download
memory/2960-13-0x00000000098E0000-0x00000000098E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads