cryptbot | 86f2df809c0171217f3256bb975e6cb5b2fda17ab3fbbe173ba4fc5faba128f2 | Triage

Submit
Reports

Overview

overview

Static

static

7

open__with...34.exe

windows7_x64

open__with...34.exe

windows10_x64

Sharing

General

Target

86f2df809c0171217f3256bb975e6cb5b2fda17ab3fbbe173ba4fc5faba128f2
Size

2.6MB
Sample

220109-qmzzgadhbn
MD5

11a48632edc8e09578ae7317fd0e4e8e
SHA1

db7cb323639991ff511946fed8ba9331c06ef83b
SHA256

86f2df809c0171217f3256bb975e6cb5b2fda17ab3fbbe173ba4fc5faba128f2
SHA512

414b54684236f8ddc0e709be46188ec4ff7755496a63df68239ddd9e4e6f2b94ddf707d64242763accf1719b15fc7beca02367b190c5ca53a8831900df152370

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

open__with_Pass__1234.exe

Resource

win7-en-20211208

cryptbot evasion spyware stealer themida trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

open__with_Pass__1234.exe

Resource

win10-en-20211208

cryptbot discovery evasion spyware stealer themida trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

cryptbot

C2

hevbxl65.top

mordva06.top

Attributes

payload_url
http://kyrpdc09.top/download.php?file=tirosh.exe

Targets

- Target
  
  open__with_Pass__1234.exe
- Size
  
  2.6MB
- MD5
  
  b7514493369e8291696b83bc8fd2d293
- SHA1
  
  336d67e539b20f9075989c82fffb989f3b900edf
- SHA256
  
  0182dd1303e3147c39eb13aa0c5cfafa989f77c000f65c3cc1254034911ad17c
- SHA512
  
  2b8801ce0a2d30d97d00fbbe2c58bd92b32f32fd386833ab4c7baddff1293794b6e082ff0ba778a1806bec96fd2eeebd45c41181b80a1c70bcfcfe129b4a2a43
Score

10^/10

cryptbot evasion spyware stealer themida trojan discovery
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cryptbotevasionspywarestealerthemidatrojan

behavioral2

cryptbotdiscoveryevasionspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy