cryptbot | 51e9ccfd1c8ae13270052947f8dc6e3386c585bf733228a8dc0e028e1c31223f

Analysis

max time kernel
110s
max time network
125s
platform
windows10_x64
resource
win10-en-20211014
submitted
21-10-2021 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.exe
Size

2.7MB
MD5

a9a3893285e274d60a9bb5b85f4dfcc4
SHA1

960237e74a28393b0f906a46acffdb4d6160b763
SHA256

51e9ccfd1c8ae13270052947f8dc6e3386c585bf733228a8dc0e028e1c31223f
SHA512

b22237255cdcca7c9cdd1dd0664368a967b09ad672f57beb96891ab6abfd6bf4c2d7161f1f9e9bc468539811494c8fc1c6d6417c0b339c22fc90769addfa3bc0

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

evasion 4 IoCs

evasion.

evasion

Processes:

resource	yara_rule
behavioral6/memory/4300-115-0x0000000000FA0000-0x000000000168E000-memory.dmp	evasion
behavioral6/memory/4300-117-0x0000000000FA0000-0x000000000168E000-memory.dmp	evasion
behavioral6/memory/4300-118-0x0000000000FA0000-0x000000000168E000-memory.dmp	evasion
behavioral6/memory/4300-119-0x0000000000FA0000-0x000000000168E000-memory.dmp	evasion

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

installer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	installer.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral6/memory/4300-115-0x0000000000FA0000-0x000000000168E000-memory.dmp	themida
behavioral6/memory/4300-117-0x0000000000FA0000-0x000000000168E000-memory.dmp	themida
behavioral6/memory/4300-118-0x0000000000FA0000-0x000000000168E000-memory.dmp	themida
behavioral6/memory/4300-119-0x0000000000FA0000-0x000000000168E000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

installer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA installer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

installer.exe

pid process

4300 installer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	installer.exe

pid	process
4300	installer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

installer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installer.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4492 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

installer.exe

pid process

4300 installer.exe
4300 installer.exe

pid	process
4492	timeout.exe

pid	process
4300	installer.exe
4300	installer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

installer.execmd.exe

description	pid	process	target process
PID 4300 wrote to memory of 4392	4300	installer.exe	cmd.exe
PID 4300 wrote to memory of 4392	4300	installer.exe	cmd.exe
PID 4300 wrote to memory of 4392	4300	installer.exe	cmd.exe
PID 4392 wrote to memory of 4492	4392	cmd.exe	timeout.exe
PID 4392 wrote to memory of 4492	4392	cmd.exe	timeout.exe
PID 4392 wrote to memory of 4492	4392	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\installer.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:4492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\GEMMYG~1.ZIP
MD5
ec5e6becf8d0f523b5b9901e4e41fe29

SHA1
7d85c33a68cac1e814fc7fc96c14c2f9756eb1df

SHA256
be99d0cee4baca46948ce2cd00a7b9d851b60a0ed273a740ffdd08e9ed04915a

SHA512
053c11a798db5fbb8c327823ca51a6fb912811cdf9b0d71d877e214a48ae99b2fc310dc13a2bf82c9ac343f307133ac7efef51cfe53515b5feb24220cce39994

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\ICYIWQ~1.ZIP
MD5
4e30140f6a8b11dd4f6cf360bc2f78be

SHA1
3a851498901c0b50bb4a4a6fd780b6d3bd2eeefb

SHA256
4127ebff024c8c135b03a29482b26cbc57f7c714f9b923b38fe0407a0ad9db19

SHA512
9aa59a92b9dcc3ee82219a71e6db33a5b87469ab09fbec9f6dab688ba7fc494e5f21c70796c9f2ff3eceda0c3a8d39592b7139385c824c3805ba402f34a1de57

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\_Files\_Chrome\DEFAUL~1.BIN
MD5
d4026455697acb78d4f621b54352b4f0

SHA1
f32214a2fa38ee0eadb6b38b0cd444dc34ebc2c9

SHA256
2e28af610200cae02bd440c87bee8508a08c65510e83916acf94f96faf6d7624

SHA512
efb97c89babef3239063c4bb4230f5458474b4141dc128e84a4fe0e4067bc3e8a5ba6e2f6fc87568619af12c05731d121ccf73acbcd9ba06afd5fe92f65a2f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\_Files\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\_Files\_Chrome\DEFAUL~2.DB
MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\_Files\_Chrome\DEFAUL~3.DB
MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\_Files\_INFOR~1.TXT
MD5
fb40f8c046f0250b59bcc039dfa9d1e6

SHA1
20b7c31d1ed2df503d004055d099ade3e3352717

SHA256
1dfc2a1b88c18a644f02b5aa284ee8df90bd9097a972c24bf8383c220a481f48

SHA512
800d0ba51af2bbf96e397dd14bf0058e4f07d171df357ad19c8e84e05a12ccb826788ab2f69355c8c50660386c818ebccc51f46015ecb5ba3ccd79a2a478c069

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\_Files\_SCREE~1.JPE
MD5
2672e975f27e5b1fdec1d86728896a30

SHA1
f68cbfee8aace8a8b03ef456e7a12c9de7497248

SHA256
272b787229530c1428ebc0389cb20ef58ab5a756497e032a6738b47c4aa47fae

SHA512
8d9d87a8c15dbdf09002bab11fb072e686cd5d6c9c04a6b2a823cad0208639670c0d20356cb5c7dea975a247f9d36db0c281257afff5494ceb42b6c1b7a188cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\files_\SCREEN~1.JPG
MD5
2672e975f27e5b1fdec1d86728896a30

SHA1
f68cbfee8aace8a8b03ef456e7a12c9de7497248

SHA256
272b787229530c1428ebc0389cb20ef58ab5a756497e032a6738b47c4aa47fae

SHA512
8d9d87a8c15dbdf09002bab11fb072e686cd5d6c9c04a6b2a823cad0208639670c0d20356cb5c7dea975a247f9d36db0c281257afff5494ceb42b6c1b7a188cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\files_\SYSTEM~1.TXT
MD5
fb40f8c046f0250b59bcc039dfa9d1e6

SHA1
20b7c31d1ed2df503d004055d099ade3e3352717

SHA256
1dfc2a1b88c18a644f02b5aa284ee8df90bd9097a972c24bf8383c220a481f48

SHA512
800d0ba51af2bbf96e397dd14bf0058e4f07d171df357ad19c8e84e05a12ccb826788ab2f69355c8c50660386c818ebccc51f46015ecb5ba3ccd79a2a478c069

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\files_\_Chrome\DEFAUL~1.BIN
MD5
d4026455697acb78d4f621b54352b4f0

SHA1
f32214a2fa38ee0eadb6b38b0cd444dc34ebc2c9

SHA256
2e28af610200cae02bd440c87bee8508a08c65510e83916acf94f96faf6d7624

SHA512
efb97c89babef3239063c4bb4230f5458474b4141dc128e84a4fe0e4067bc3e8a5ba6e2f6fc87568619af12c05731d121ccf73acbcd9ba06afd5fe92f65a2f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\files_\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\files_\_Chrome\DEFAUL~2.DB
MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFtyoCuwTmEj\files_\_Chrome\DEFAUL~3.DB
MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
memory/4300-116-0x00000000772A0000-0x000000007742E000-memory.dmp

Filesize
1.6MB

Download
memory/4300-119-0x0000000000FA0000-0x000000000168E000-memory.dmp

Filesize
6.9MB

Download
memory/4300-118-0x0000000000FA0000-0x000000000168E000-memory.dmp

Filesize
6.9MB

Download
memory/4300-117-0x0000000000FA0000-0x000000000168E000-memory.dmp

Filesize
6.9MB

Download
memory/4300-115-0x0000000000FA0000-0x000000000168E000-memory.dmp

Filesize
6.9MB

Download
memory/4392-120-0x0000000000000000-mapping.dmp

Download
memory/4492-135-0x0000000000000000-mapping.dmp

Download