cryptbot | ee53cf56f393658949e4756c48e63e0c02542c1403c87e72d926bfb6b0306809

General

Target

cab436d07eb1ff3826a830ed4b477da9.exe
Size

392KB
MD5

cab436d07eb1ff3826a830ed4b477da9
SHA1

efa4b5ae9c6806766baf75b0fe3802d1f6954124
SHA256

ee53cf56f393658949e4756c48e63e0c02542c1403c87e72d926bfb6b0306809
SHA512

8f5193189227ca29c25dcfae4edeceff125c112513c09ccf2ecbe281b8fab154d5e210a514275aa9a5f4f311d0eb13a7f6d238149eb7d0d886e3b22f48ffd6b8

Score

10^/10

cryptbot spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

gomoxw12.top

morxub01.top

Attributes

payload_url
http://peumgu12.top/download.php?file=melder.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1372 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1372	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cab436d07eb1ff3826a830ed4b477da9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cab436d07eb1ff3826a830ed4b477da9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cab436d07eb1ff3826a830ed4b477da9.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1656 timeout.exe

pid	process
1656	timeout.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cab436d07eb1ff3826a830ed4b477da9.execmd.exe

description	pid	process	target process
PID 1168 wrote to memory of 1372	1168	cab436d07eb1ff3826a830ed4b477da9.exe	cmd.exe
PID 1168 wrote to memory of 1372	1168	cab436d07eb1ff3826a830ed4b477da9.exe	cmd.exe
PID 1168 wrote to memory of 1372	1168	cab436d07eb1ff3826a830ed4b477da9.exe	cmd.exe
PID 1168 wrote to memory of 1372	1168	cab436d07eb1ff3826a830ed4b477da9.exe	cmd.exe
PID 1372 wrote to memory of 1656	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 1656	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 1656	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 1656	1372	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\cab436d07eb1ff3826a830ed4b477da9.exe
"C:\Users\Admin\AppData\Local\Temp\cab436d07eb1ff3826a830ed4b477da9.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\FxodCqhXPM & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\cab436d07eb1ff3826a830ed4b477da9.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1656

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-55-0x00000000005BB000-0x00000000005E1000-memory.dmp

Filesize
152KB

Download
memory/1168-56-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1168-57-0x0000000000220000-0x0000000000265000-memory.dmp

Filesize
276KB

Download
memory/1168-58-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1372-59-0x0000000000000000-mapping.dmp

Download
memory/1656-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing