cryptbot | 38b951946943714900dc29bb01ce025a84e0f52f095e2901e74a509b9499f2c6

Analysis

max time kernel
150s
max time network
91s
platform
windows7_x64
resource
win7v20201028
submitted
11-02-2021 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f57c8f87acaa5e22b44796b681d54e55.exe
Size

595KB
MD5

f57c8f87acaa5e22b44796b681d54e55
SHA1

9b428283210c673edc41ae38ad36f5ffae59c1fd
SHA256

38b951946943714900dc29bb01ce025a84e0f52f095e2901e74a509b9499f2c6
SHA512

27d9b453a00d7171dbd64e675cdcb4ccaab5474702bfa39f59532c6d1fcd1922dcae1c31598a6052fa66cac256097725f941f4f534e3e03499bea8448158958f

Score

10^/10

cryptbot spyware stealer

Malware Config

Extracted

Family

cryptbot

breasuals42.top

morteisatr04.top

Attributes

payload_url
http://cotrarest05.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1432-4-0x0000000000930000-0x0000000000A10000-memory.dmp	family_cryptbot
behavioral1/memory/1432-5-0x0000000000400000-0x00000000004E3000-memory.dmp	family_cryptbot

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f57c8f87acaa5e22b44796b681d54e55.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f57c8f87acaa5e22b44796b681d54e55.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f57c8f87acaa5e22b44796b681d54e55.exe

C:\Users\Admin\AppData\Local\Temp\f57c8f87acaa5e22b44796b681d54e55.exe
"C:\Users\Admin\AppData\Local\Temp\f57c8f87acaa5e22b44796b681d54e55.exe"
1⤵
- Checks processor information in registry
PID:1432

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1432-2-0x0000000000C80000-0x0000000000C91000-memory.dmp

Filesize
68KB

Download
memory/1432-3-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/1432-4-0x0000000000930000-0x0000000000A10000-memory.dmp

Filesize
896KB

Download
memory/1432-5-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download