cryptbot | 530656ad87a4e5c0f07998323ebca34348af7c7a2e585196f2d0c73580832e36 | Triage

Submit
Reports

Overview

overview

Static

static

58e5562209...ca.exe

windows7_x64

58e5562209...ca.exe

windows10_x64

Sharing

General

Target

58e5562209d50978efd614dd040ef4ca.exe
Size

764KB
Sample

210620-tycm9g2g22
MD5

58e5562209d50978efd614dd040ef4ca
SHA1

d225a1f15ac4f8b96be737b3905f050fc2dc3a31
SHA256

530656ad87a4e5c0f07998323ebca34348af7c7a2e585196f2d0c73580832e36
SHA512

4ecc904931853d5f9611e376cac01f018734e6fefee78b005b2f342f1f0750d31859831fdbc99bdbce0e5578c29a90f655dabd14beb4d747879c3a2529491c6f

Score

10^/10

cryptbot discovery spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

58e5562209d50978efd614dd040ef4ca.exe

Resource

win7v20210408

cryptbot spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

58e5562209d50978efd614dd040ef4ca.exe

Resource

win10v20210410

cryptbot discovery spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

cryptbot

C2

kiykae72.top

morgon07.top

Attributes

payload_url
http://peomyn10.top/download.php?file=lv.exe

Targets

- Target
  
  58e5562209d50978efd614dd040ef4ca.exe
- Size
  
  764KB
- MD5
  
  58e5562209d50978efd614dd040ef4ca
- SHA1
  
  d225a1f15ac4f8b96be737b3905f050fc2dc3a31
- SHA256
  
  530656ad87a4e5c0f07998323ebca34348af7c7a2e585196f2d0c73580832e36
- SHA512
  
  4ecc904931853d5f9611e376cac01f018734e6fefee78b005b2f342f1f0750d31859831fdbc99bdbce0e5578c29a90f655dabd14beb4d747879c3a2529491c6f
Score

10^/10

cryptbot spyware stealer discovery
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- CryptBot Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

cryptbotspywarestealer

behavioral2

cryptbotdiscoveryspywarestealer

© 2018-2024

Terms | Privacy