cryptbot | 5a9e3280eb6db0cfbd5a5fd70a4c58e35e397c29f7cda8306c681151030f4352

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
15-01-2021 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 3 IoCs

Processes:

Install.exeNotepad2.exeutil.exe

pid process

1980 Install.exe
1996 Notepad2.exe
1736 util.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exeutil.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	util.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	util.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Install.exeutil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	Install.exe
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	util.exe

Loads dropped DLL 10 IoCs

Processes:

576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exeInstall.exeNotepad2.exeutil.exe

pid	process
788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
1980	Install.exe
1980	Install.exe
1996	Notepad2.exe
1996	Notepad2.exe
788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
1736	util.exe
1736	util.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Install.exeutil.exe

pid process

1980 Install.exe
1736 util.exe

flow	ioc
9	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe

description	ioc	process
File created	C:\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
File created	C:\Program Files (x86)\Glary\Utilities\Settings\Install.exe	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
File created	C:\Program Files (x86)\Glary\Utilities\Settings\util.exe	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Install.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Install.exeutil.exe

pid process

1980 Install.exe
1736 util.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Install.exe

pid	process
1980	Install.exe
1980	Install.exe
1980	Install.exe
1980	Install.exe
1980	Install.exe
1980	Install.exe
1980	Install.exe
1980	Install.exe
1980	Install.exe
1980	Install.exe
1980	Install.exe
1980	Install.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe

description	pid	process	target process
PID 788 wrote to memory of 1980	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Install.exe
PID 788 wrote to memory of 1980	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Install.exe
PID 788 wrote to memory of 1980	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Install.exe
PID 788 wrote to memory of 1980	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Install.exe
PID 788 wrote to memory of 1980	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Install.exe
PID 788 wrote to memory of 1980	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Install.exe
PID 788 wrote to memory of 1980	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Install.exe
PID 788 wrote to memory of 1996	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Notepad2.exe
PID 788 wrote to memory of 1996	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Notepad2.exe
PID 788 wrote to memory of 1996	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Notepad2.exe
PID 788 wrote to memory of 1996	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Notepad2.exe
PID 788 wrote to memory of 1996	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Notepad2.exe
PID 788 wrote to memory of 1996	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Notepad2.exe
PID 788 wrote to memory of 1996	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	Notepad2.exe
PID 788 wrote to memory of 1736	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	util.exe
PID 788 wrote to memory of 1736	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	util.exe
PID 788 wrote to memory of 1736	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	util.exe
PID 788 wrote to memory of 1736	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	util.exe
PID 788 wrote to memory of 1736	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	util.exe
PID 788 wrote to memory of 1736	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	util.exe
PID 788 wrote to memory of 1736	788	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	util.exe

C:\Users\Admin\AppData\Local\Temp\576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
"C:\Users\Admin\AppData\Local\Temp\576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:788

C:\Program Files (x86)\Glary\Utilities\Settings\Install.exe
"C:\Program Files (x86)\Glary\Utilities\Settings\Install.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1980

C:\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe
"C:\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996

C:\Program Files (x86)\Glary\Utilities\Settings\util.exe
"C:\Program Files (x86)\Glary\Utilities\Settings\util.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Glary\Utilities\Settings\Install.exe
MD5
f59df95a5f1760ed6d213f5ad70c0510

SHA1
697dd19671251ed102d92cb730e7854a7611a53f

SHA256
2ee4567751ec4fca4a9390b4743625bee298955cc2cb6375341d673ef0003ab5

SHA512
f553f4053bae6236fd093be86240883b12b9457860e1249707cc4d6212a2fb953d31836106b3c1e8be3fb23de1c3835fb0aaa2e93d0e39422a03e4fc1e75f194

Download Submit
C:\Program Files (x86)\Glary\Utilities\Settings\Install.exe
MD5
f59df95a5f1760ed6d213f5ad70c0510

SHA1
697dd19671251ed102d92cb730e7854a7611a53f

SHA256
2ee4567751ec4fca4a9390b4743625bee298955cc2cb6375341d673ef0003ab5

SHA512
f553f4053bae6236fd093be86240883b12b9457860e1249707cc4d6212a2fb953d31836106b3c1e8be3fb23de1c3835fb0aaa2e93d0e39422a03e4fc1e75f194

Download Submit
C:\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe
MD5
b60d390ba42c0109ee38de2e0ca56e1a

SHA1
735a4eb61fe695c9bd2c9961f5fa41ac5a73d833

SHA256
9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477

SHA512
97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24

Download Submit
C:\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe
MD5
b60d390ba42c0109ee38de2e0ca56e1a

SHA1
735a4eb61fe695c9bd2c9961f5fa41ac5a73d833

SHA256
9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477

SHA512
97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24

Download Submit
C:\Program Files (x86)\Glary\Utilities\Settings\util.exe
MD5
1a399301e1eb1821088776166420c80e

SHA1
317bfecd99d6b0d7415173b55781deb4afc428b8

SHA256
69344b8a53d189c7640d0ada5f74b5febcd7b06e5aa5c4fc01a7c676ec986b67

SHA512
679e7e6c777287303e64d9c3b1d6d23fab2331708a17ba922746db240e25c35a60418f65302c294b851d2cf095cb6b5f174e3b300e74664c54df2349561992fe

Download Submit
C:\Program Files (x86)\Glary\Utilities\Settings\util.exe
MD5
1a399301e1eb1821088776166420c80e

SHA1
317bfecd99d6b0d7415173b55781deb4afc428b8

SHA256
69344b8a53d189c7640d0ada5f74b5febcd7b06e5aa5c4fc01a7c676ec986b67

SHA512
679e7e6c777287303e64d9c3b1d6d23fab2331708a17ba922746db240e25c35a60418f65302c294b851d2cf095cb6b5f174e3b300e74664c54df2349561992fe

Download Submit
\Program Files (x86)\Glary\Utilities\Settings\Install.exe
MD5
f59df95a5f1760ed6d213f5ad70c0510

SHA1
697dd19671251ed102d92cb730e7854a7611a53f

SHA256
2ee4567751ec4fca4a9390b4743625bee298955cc2cb6375341d673ef0003ab5

SHA512
f553f4053bae6236fd093be86240883b12b9457860e1249707cc4d6212a2fb953d31836106b3c1e8be3fb23de1c3835fb0aaa2e93d0e39422a03e4fc1e75f194

Download Submit
\Program Files (x86)\Glary\Utilities\Settings\Install.exe
MD5
f59df95a5f1760ed6d213f5ad70c0510

SHA1
697dd19671251ed102d92cb730e7854a7611a53f

SHA256
2ee4567751ec4fca4a9390b4743625bee298955cc2cb6375341d673ef0003ab5

SHA512
f553f4053bae6236fd093be86240883b12b9457860e1249707cc4d6212a2fb953d31836106b3c1e8be3fb23de1c3835fb0aaa2e93d0e39422a03e4fc1e75f194

Download Submit
\Program Files (x86)\Glary\Utilities\Settings\Install.exe
MD5
f59df95a5f1760ed6d213f5ad70c0510

SHA1
697dd19671251ed102d92cb730e7854a7611a53f

SHA256
2ee4567751ec4fca4a9390b4743625bee298955cc2cb6375341d673ef0003ab5

SHA512
f553f4053bae6236fd093be86240883b12b9457860e1249707cc4d6212a2fb953d31836106b3c1e8be3fb23de1c3835fb0aaa2e93d0e39422a03e4fc1e75f194

Download Submit
\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe
MD5
b60d390ba42c0109ee38de2e0ca56e1a

SHA1
735a4eb61fe695c9bd2c9961f5fa41ac5a73d833

SHA256
9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477

SHA512
97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24

Download Submit
\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe
MD5
b60d390ba42c0109ee38de2e0ca56e1a

SHA1
735a4eb61fe695c9bd2c9961f5fa41ac5a73d833

SHA256
9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477

SHA512
97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24

Download Submit
\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe
MD5
b60d390ba42c0109ee38de2e0ca56e1a

SHA1
735a4eb61fe695c9bd2c9961f5fa41ac5a73d833

SHA256
9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477

SHA512
97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24

Download Submit
\Program Files (x86)\Glary\Utilities\Settings\util.exe
MD5
1a399301e1eb1821088776166420c80e

SHA1
317bfecd99d6b0d7415173b55781deb4afc428b8

SHA256
69344b8a53d189c7640d0ada5f74b5febcd7b06e5aa5c4fc01a7c676ec986b67

SHA512
679e7e6c777287303e64d9c3b1d6d23fab2331708a17ba922746db240e25c35a60418f65302c294b851d2cf095cb6b5f174e3b300e74664c54df2349561992fe

Download Submit
\Program Files (x86)\Glary\Utilities\Settings\util.exe
MD5
1a399301e1eb1821088776166420c80e

SHA1
317bfecd99d6b0d7415173b55781deb4afc428b8

SHA256
69344b8a53d189c7640d0ada5f74b5febcd7b06e5aa5c4fc01a7c676ec986b67

SHA512
679e7e6c777287303e64d9c3b1d6d23fab2331708a17ba922746db240e25c35a60418f65302c294b851d2cf095cb6b5f174e3b300e74664c54df2349561992fe

Download Submit
\Program Files (x86)\Glary\Utilities\Settings\util.exe
MD5
1a399301e1eb1821088776166420c80e

SHA1
317bfecd99d6b0d7415173b55781deb4afc428b8

SHA256
69344b8a53d189c7640d0ada5f74b5febcd7b06e5aa5c4fc01a7c676ec986b67

SHA512
679e7e6c777287303e64d9c3b1d6d23fab2331708a17ba922746db240e25c35a60418f65302c294b851d2cf095cb6b5f174e3b300e74664c54df2349561992fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsnFDA.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/1720-25-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp

Filesize
2.5MB

Download
memory/1736-16-0x0000000000000000-mapping.dmp

Download
memory/1736-24-0x0000000009070000-0x0000000009081000-memory.dmp

Filesize
68KB

Download
memory/1736-23-0x0000000008C60000-0x0000000008C71000-memory.dmp

Filesize
68KB

Download
memory/1980-4-0x0000000000000000-mapping.dmp

Download
memory/1980-22-0x0000000004EA0000-0x0000000004EB1000-memory.dmp

Filesize
68KB

Download
memory/1980-21-0x0000000004A90000-0x0000000004AA1000-memory.dmp

Filesize
68KB

Download
memory/1996-7-0x0000000000000000-mapping.dmp

Download