cryptbot | eb4e54c1372f7002b2b49a9918e67f84d65e52f1b12c5b7313420a48d5305e41

Analysis

max time kernel
3s
max time network
55s
platform
windows7_x64
resource
win7v20210410
submitted
15-07-2021 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec36989321fb62bb857a24a53d1491fd.exe
Size

694KB
MD5

ec36989321fb62bb857a24a53d1491fd
SHA1

28de531b6da8f80b0452c109dcf30bc1efee23f9
SHA256

eb4e54c1372f7002b2b49a9918e67f84d65e52f1b12c5b7313420a48d5305e41
SHA512

e71009f296d2b9cb07c6a30fe0798db527aa756177478116b53067e8b55ae17d2ebdb7b4ecb9587fe052d424fa643e9bf3ecd0821d613a0545f8546702c722b7

Score

10^/10

cryptbot spyware stealer

Malware Config

Extracted

Family

cryptbot

wymbdu42.top

morkus04.top

Attributes

payload_url
http://hofiwb05.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1644-60-0x0000000000A30000-0x0000000000B01000-memory.dmp	family_cryptbot
behavioral1/memory/1644-61-0x0000000000400000-0x0000000000A28000-memory.dmp	family_cryptbot

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ec36989321fb62bb857a24a53d1491fd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ec36989321fb62bb857a24a53d1491fd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ec36989321fb62bb857a24a53d1491fd.exe

C:\Users\Admin\AppData\Local\Temp\ec36989321fb62bb857a24a53d1491fd.exe
"C:\Users\Admin\AppData\Local\Temp\ec36989321fb62bb857a24a53d1491fd.exe"
1⤵
- Checks processor information in registry
PID:1644

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1644-59-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1644-60-0x0000000000A30000-0x0000000000B01000-memory.dmp

Filesize
836KB

Download
memory/1644-61-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download