Extracted

• • Target

    e493d514a5154df3ce530a3dee1d8d07.exe

  • Size

    648KB

  • MD5

    e493d514a5154df3ce530a3dee1d8d07

  • SHA1

    fba1795a04b5d6e932213b85f68239e0bd086c1f

  • SHA256

    1913b57379e19d7d05f7a55160343d7d081fe01c668b0652097311a0e9f57940

  • SHA512

    117f429620d1f2fb268fa9deb0cdcc441e2781ae676121ba28030435e989127fe90a76fd725b4ac99ea5ae2b0fa8769eb93993340a973b6e94b587f93dbeab83

  Score

  10^/10

  cryptbotspywarestealerdiscovery

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • CryptBot Payload

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Drops startup file

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2