cryptbot | 549a131665d0230870272c99660fb149e3854345882d9bb76f1945cd0bf647d5

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7v20210408
submitted
19-05-2021 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

549a131665d0230870272c99660fb149e3854345882d9.exe
Size

728KB
MD5

94b760e4a94c01825f38455188713f63
SHA1

a089a3063781346b9196a6ec29d38d2cff3abd77
SHA256

549a131665d0230870272c99660fb149e3854345882d9bb76f1945cd0bf647d5
SHA512

26beca0028ea78015bcdab59e67fce4cacdd13dbf0e975a2d610736e537d7daac23176ed82cac5c2c0592454f363bd34d8a3900c2d25d39174e7451d74e73f19

Score

10^/10

cryptbot spyware stealer

Malware Config

Extracted

Family

cryptbot

sogkys22.top

morlux02.top

Attributes

payload_url
http://douwkw02.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1828-61-0x0000000001DC0000-0x0000000001EA1000-memory.dmp	family_cryptbot
behavioral1/memory/1828-62-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

549a131665d0230870272c99660fb149e3854345882d9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	549a131665d0230870272c99660fb149e3854345882d9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	549a131665d0230870272c99660fb149e3854345882d9.exe

C:\Users\Admin\AppData\Local\Temp\549a131665d0230870272c99660fb149e3854345882d9.exe
"C:\Users\Admin\AppData\Local\Temp\549a131665d0230870272c99660fb149e3854345882d9.exe"
1⤵
- Checks processor information in registry
PID:1828

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1828-60-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1828-61-0x0000000001DC0000-0x0000000001EA1000-memory.dmp

Filesize
900KB

Download
memory/1828-62-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download