cryptbot | 0b1e6c22216f23b8d4f81abb82333dd65ed64929e14cec83985d11a4d84cea9c | Triage

Submit
Reports

Overview

overview

Static

static

7

ed56b96ba7...5d.exe

windows7_x64

ed56b96ba7...5d.exe

windows10_x64

Sharing

General

Target

ed56b96ba7248e74fdf1ded506d26d5d.exe
Size

2.7MB
Sample

220110-lh8ctseag3
MD5

ed56b96ba7248e74fdf1ded506d26d5d
SHA1

7724847f44b97aa80e91abffa364f9883dbd5053
SHA256

0b1e6c22216f23b8d4f81abb82333dd65ed64929e14cec83985d11a4d84cea9c
SHA512

9968f2199b2f22334d3e6e66a325cc92c9b363474b4d5c422f20761148957fffe7e5aa09acecf32ccb679f8ba45b9d1fde283e32f027e518a95f2d30f7a6ca74

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

ed56b96ba7248e74fdf1ded506d26d5d.exe

Resource

win7-en-20211208

cryptbot evasion spyware stealer themida trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ed56b96ba7248e74fdf1ded506d26d5d.exe

Resource

win10-en-20211208

cryptbot discovery evasion spyware stealer themida trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

cryptbot

C2

zyodef72.top

morvue07.top

Attributes

payload_url
http://yapkbc10.top/download.php?file=luzhou.exe

Targets

- Target
  
  ed56b96ba7248e74fdf1ded506d26d5d.exe
- Size
  
  2.7MB
- MD5
  
  ed56b96ba7248e74fdf1ded506d26d5d
- SHA1
  
  7724847f44b97aa80e91abffa364f9883dbd5053
- SHA256
  
  0b1e6c22216f23b8d4f81abb82333dd65ed64929e14cec83985d11a4d84cea9c
- SHA512
  
  9968f2199b2f22334d3e6e66a325cc92c9b363474b4d5c422f20761148957fffe7e5aa09acecf32ccb679f8ba45b9d1fde283e32f027e518a95f2d30f7a6ca74
Score

10^/10

cryptbot evasion spyware stealer themida trojan discovery
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cryptbotevasionspywarestealerthemidatrojan

behavioral2

cryptbotdiscoveryevasionspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy