cryptbot | 0beaf24e3a5b13f73b8ef67db0a52815b4948cbceea9a0e5159cfedd7ebb7462

General

Target

0x0003000000013132-6.dat.exe
Size

2.8MB
MD5

3667e43d85130fb90d07e4a725fe7b4a
SHA1

711dd470697df3e34ebcbf481ccc9852ac659bbe
SHA256

0beaf24e3a5b13f73b8ef67db0a52815b4948cbceea9a0e5159cfedd7ebb7462
SHA512

2ac9bed721e20b8a352ad41766b1b0eb79413b91d555bf942aaa6b66b47ef04f08a6594bbce649af95c09d7e1352a73db5120b8509a553b006544cdd7fb683db

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
6	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0x0003000000013132-6.dat.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0x0003000000013132-6.dat.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0x0003000000013132-6.dat.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

388 timeout.exe

pid	process
388	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0x0003000000013132-6.dat.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	0x0003000000013132-6.dat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0x0003000000013132-6.dat.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0x0003000000013132-6.dat.exe

pid process

1180 0x0003000000013132-6.dat.exe
1180 0x0003000000013132-6.dat.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

0x0003000000013132-6.dat.exe

pid	process
1180	0x0003000000013132-6.dat.exe
1180	0x0003000000013132-6.dat.exe
1180	0x0003000000013132-6.dat.exe
1180	0x0003000000013132-6.dat.exe
1180	0x0003000000013132-6.dat.exe
1180	0x0003000000013132-6.dat.exe
1180	0x0003000000013132-6.dat.exe
1180	0x0003000000013132-6.dat.exe
1180	0x0003000000013132-6.dat.exe
1180	0x0003000000013132-6.dat.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0x0003000000013132-6.dat.execmd.execmd.exe

description	pid	process	target process
PID 1180 wrote to memory of 684	1180	0x0003000000013132-6.dat.exe	cmd.exe
PID 1180 wrote to memory of 684	1180	0x0003000000013132-6.dat.exe	cmd.exe
PID 1180 wrote to memory of 2144	1180	0x0003000000013132-6.dat.exe	cmd.exe
PID 1180 wrote to memory of 2144	1180	0x0003000000013132-6.dat.exe	cmd.exe
PID 684 wrote to memory of 3940	684	cmd.exe	reg.exe
PID 684 wrote to memory of 3940	684	cmd.exe	reg.exe
PID 2144 wrote to memory of 388	2144	cmd.exe	timeout.exe
PID 2144 wrote to memory of 388	2144	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\0x0003000000013132-6.dat.exe
"C:\Users\Admin\AppData\Local\Temp\0x0003000000013132-6.dat.exe"
1⤵
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Cryptbot Software\Cryptbot" /v margin /d C:\ProgramData\Cryptbot\margin.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Cryptbot Software\Cryptbot" /v margin /d C:\ProgramData\Cryptbot\margin.exe /F
3⤵
PID:3940

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\uzcpCdRzJpYe & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\0x0003000000013132-6.dat.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\system32\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uzcpCdRzJpYe\2AT3B7~1.ZIP
MD5
48f5696e4ae873fe9e5836c6d200d76b

SHA1
66ca544f6861569b004b042695916bb8cb451ae6

SHA256
5ee14a9e89609525c36f8f45aa78685dc2671dd8a6007461cd9fe6fccaeb6e1f

SHA512
fa80536384b4bdb798be3210385ded7b706ec4c2662148e6c310f0ccf15b36d145ef45ea72293c204cae60f0ab788ed3e762833a0c53bb273231e52c9c11c2eb

Download Submit
C:\ProgramData\uzcpCdRzJpYe\47283761.txt
MD5
6e7d7a4a79c6ff8b5057828c0bcb979e

SHA1
1e31de4af335770d8ddad2b3648f419585a19cb2

SHA256
25dff148fe12aeb60d643ad674c33e28dcdf1b50eb63d19eea9d448b2e937ea5

SHA512
7d5e47d8fb4761a3cbc9c6e6c44323611917502ce7de647d05e7854412e15ea90ecc54fd7f5075978af4ec14da36e644cb2a1a57464feabf3f904f27ed5690d0

Download Submit
C:\ProgramData\uzcpCdRzJpYe\Files\Files\Desktop\CLOSES~1.TXT
MD5
a584c6a96d60229ba4ebae426d9043d7

SHA1
b7eefa862368945951ec32fe074f01b7627c8ab0

SHA256
6fb1e4944140a6a5eeaaf7ab64069d2be395ea8dfdbdf6d184315e8f59d180b3

SHA512
a37a028c2e07f3a516b11620b5ac2a173bd673f1f134caae8a165bef8627a955ce923d9c798374d8936432f0e50d0f0a5739d22f8181a0ae43a8739b3bd6e73e

Download Submit
C:\ProgramData\uzcpCdRzJpYe\Files\Files\Desktop\LIMITA~1.TXT
MD5
13a8839ca04576f0e7e7feba7adeaa42

SHA1
c27f0256321ef2e0cdc16cfc1e40b8c44b5942d8

SHA256
9bd01670324896f7e7ac61b2e5671291b451b4ad04fa9eb5cf6cc8d551f4e2c7

SHA512
9dba6f2cce64c7a692146b2d77ca940f41c23e3afd86aa97034392ffce51485e77ce376381d0de7f258ebb0a655648a947f34e4a8434f9bd6c7d1d18d6d966b1

Download Submit
C:\ProgramData\uzcpCdRzJpYe\Files\Files\Desktop\RENAME~1.TXT
MD5
8ad3e310eb49059e13598e2b8833adb5

SHA1
f10bf8da21342383b443eb1133c36a4d6679f6d0

SHA256
1ca473b2ed75b143e181f526fe396d1c9569a1031c6556a97997f9d9ce5c484a

SHA512
423fedcb740019fb7bc2bdacb1ee51541d03da6166841f1d3d20ab4eae0d17260fa021d781a19b8ac4a5bec7a6a78168559921350d31173cc7c83f1aca7abce6

Download Submit
C:\ProgramData\uzcpCdRzJpYe\Files\_Info.txt
MD5
6b80563ba60f2e480cfd7caef7f56d38

SHA1
a490d22edee2985d538862f7af0dbe0afe143a3e

SHA256
64d6788faebd51199fa63fb1e9cfe02166d346723d2853eabd295f0c6f549a0a

SHA512
abd5f2c97d80e21e20212e6f6dd2d0b345e5e1885582c0fbdfb5e56843a9619dd1c8265b926a889480f88c696ac5de08a4e42a0f7100e14581151a11100e9950

Download Submit
C:\ProgramData\uzcpCdRzJpYe\Files\_Screen.jpg
MD5
a2c6c706da14751c96614a717402c4fb

SHA1
1961f4b0c9a8cf1e8a8722490aef763b55e01955

SHA256
e3e99553d9d17269e982d4b9179cea5345ede879aee597f48112717e85131994

SHA512
8763184b71a82266fd86a53240c0c691bee7ed91614fbef8f194e82461f96106c861a27b50bd712439029a9c64d7af565bc320e4bc527f0999a24adba17f28f2

Download Submit
C:\ProgramData\uzcpCdRzJpYe\MOZ_CO~1.DB
MD5
89d4b62651fa5c864b12f3ea6b1521cb

SHA1
570d48367b6b66ade9900a9f22d67d67a8fb2081

SHA256
22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70

SHA512
e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

Download Submit
memory/388-13-0x0000000000000000-mapping.dmp

Download
memory/684-2-0x0000000000000000-mapping.dmp

Download
memory/2144-3-0x0000000000000000-mapping.dmp

Download
memory/3940-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads