cryptbot | 665f3007a2c63bcf902cc8071ee7bcbfb0292729772b50c7d64e534ad98c55cc | Triage

Submit
Reports

Overview

overview

Static

static

Open__Setup_1234.exe

windows7_x64

Open__Setup_1234.exe

windows10_x64

Sharing

General

Target

c2622be2032171119c7322317dcb51a34a16be740698c9098009a4f6d89f0cf8.zip
Size

424KB
Sample

220111-nnyrpafffm
MD5

10ca5ffa6b758063cc8dc91022db54c8
SHA1

83e2c279d119d060d163b1a01d45fe3c7245fe32
SHA256

665f3007a2c63bcf902cc8071ee7bcbfb0292729772b50c7d64e534ad98c55cc
SHA512

3dc8897b3b4a6dad0082beedcbe6305a6bdc787fda82355dbe81817c5b967d53493c3e814260abfaed4dcd8a632500ae82a64d9e583a2d10169adc5c077457ab

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

Open__Setup_1234.exe

Resource

win7-en-20211208

cryptbot spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Open__Setup_1234.exe

Resource

win10-en-20211208

cryptbot discovery evasion spyware stealer themida trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

cryptbot

C2

kotxdy28.top

moruzj02.top

Attributes

payload_url
http://okavor03.top/download.php?file=acaboa.exe

Targets

- Target
  
  Open__Setup_1234.exe
- Size
  
  827KB
- MD5
  
  4d3d1ad82beb0f91c475ba56b7f82bdd
- SHA1
  
  868b82c80f770a97d88ccb6b6af9ce33c5039d5b
- SHA256
  
  c2622be2032171119c7322317dcb51a34a16be740698c9098009a4f6d89f0cf8
- SHA512
  
  e226097fa158eaf7e8dc541bca0248930e5b9546d1a96583ef32f8480b7a28f4147265c814b6d889a0844d1e25fa5c9b302c92c3efe3b2d0d58a3e770593e3a4
Score

10^/10

cryptbot spyware stealer discovery evasion themida trojan
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cryptbotspywarestealer

behavioral2

cryptbotdiscoveryevasionspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy