cryptbot | 0beaf24e3a5b13f73b8ef67db0a52815b4948cbceea9a0e5159cfedd7ebb7462

General

Target

5543.exe
Size

2.8MB
MD5

3667e43d85130fb90d07e4a725fe7b4a
SHA1

711dd470697df3e34ebcbf481ccc9852ac659bbe
SHA256

0beaf24e3a5b13f73b8ef67db0a52815b4948cbceea9a0e5159cfedd7ebb7462
SHA512

2ac9bed721e20b8a352ad41766b1b0eb79413b91d555bf942aaa6b66b47ef04f08a6594bbce649af95c09d7e1352a73db5120b8509a553b006544cdd7fb683db

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
6	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5543.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5543.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5543.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3204 timeout.exe

pid	process
3204	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

5543.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	5543.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	5543.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5543.exe

pid process

616 5543.exe
616 5543.exe
Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

5543.exe

pid process

616 5543.exe
616 5543.exe
616 5543.exe
616 5543.exe
616 5543.exe
616 5543.exe
616 5543.exe
616 5543.exe
616 5543.exe
616 5543.exe

pid	process
616	5543.exe
616	5543.exe

pid	process
616	5543.exe
616	5543.exe
616	5543.exe
616	5543.exe
616	5543.exe
616	5543.exe
616	5543.exe
616	5543.exe
616	5543.exe
616	5543.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5543.execmd.execmd.exe

description	pid	process	target process
PID 616 wrote to memory of 504	616	5543.exe	cmd.exe
PID 616 wrote to memory of 504	616	5543.exe	cmd.exe
PID 616 wrote to memory of 3488	616	5543.exe	cmd.exe
PID 616 wrote to memory of 3488	616	5543.exe	cmd.exe
PID 504 wrote to memory of 3956	504	cmd.exe	reg.exe
PID 504 wrote to memory of 3956	504	cmd.exe	reg.exe
PID 3488 wrote to memory of 3204	3488	cmd.exe	timeout.exe
PID 3488 wrote to memory of 3204	3488	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\5543.exe
"C:\Users\Admin\AppData\Local\Temp\5543.exe"
1⤵
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Cryptbot Software\Cryptbot" /v margin /d C:\ProgramData\Cryptbot\margin.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Cryptbot Software\Cryptbot" /v margin /d C:\ProgramData\Cryptbot\margin.exe /F
3⤵
PID:3956

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\b14Qmx0oQF & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5543.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\system32\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:3204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\b14Qmx0oQF\47283761.txt
MD5
1d33d504c150f0d87ac21ed56c00d22e

SHA1
5e2656d8ab56ca2c9b2bba8d3aaac0df89f0b7d5

SHA256
18e6873b0e044b2ca56a332fea56966197ef8c94ebc4d378b7a8668640dea048

SHA512
cf0504c6c77aa3c7eda031c5ebd73e96787a5f8ce20657a3acd231c7898622388b426998a3ab87f4d681da7b9620e4c87d07130f536551b6f88711e1a6d72c1f

Download Submit
C:\ProgramData\b14Qmx0oQF\ECFPVK~1.ZIP
MD5
8cbed5e588f5ab4834647c9b18f7099e

SHA1
95f87fbc18569ab3db624ae6bc89cb53f573c4bf

SHA256
6be18a9fc64e28d7be2a29138bce1d50b20f8637cf9281c9fcc2df19b380f736

SHA512
af1be629ec5689a94bfd9a25a7b72e65549861134b9b63f7135a608eded3f180f4ca7ba8548a3b384844030a18bd6871876b5772bccde3986ff1696d064a2b5c

Download Submit
C:\ProgramData\b14Qmx0oQF\Files\_Info.txt
MD5
4b82d397dcc57a177f76c95727e6e020

SHA1
6c1d9471895e3a793954d84250f56ca88cb3e0ee

SHA256
f9f9d9bc2a7d7b4422b98c3177f1ecb6e65f293d1974b7b30727013b6f63b98e

SHA512
8e3a5dbf8dbd804981f6810a4fb11059fc9e25c173900403d96763bf28fbd2edea115295ef880f728613237587ad45b28d93e63ab8e46fec6cc2da6cf13c2d20

Download Submit
C:\ProgramData\b14Qmx0oQF\Files\_Screen.jpg
MD5
cc9ddf0ffd683f30d43cf13e3f09d21f

SHA1
e600c561b84c92acdd29fb3cf45369d29bf3659e

SHA256
338dd0d4cd8934a58786e4076487228d388c90650048f08f69ffaf5e1f56a139

SHA512
cb2beed4d0a923be755b32e82f533b06135a1e70b1cc57c65f8500164fa411c152f5a988fae52297ba3f8d7ff0ae7a72259eddc10f9b2c166a5f72143966ee54

Download Submit
C:\ProgramData\b14Qmx0oQF\MOZ_CO~1.DB
MD5
89d4b62651fa5c864b12f3ea6b1521cb

SHA1
570d48367b6b66ade9900a9f22d67d67a8fb2081

SHA256
22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70

SHA512
e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

Download Submit
memory/504-2-0x0000000000000000-mapping.dmp

Download
memory/3204-12-0x0000000000000000-mapping.dmp

Download
memory/3488-3-0x0000000000000000-mapping.dmp

Download
memory/3956-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads