cryptbot | d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109

General

Target

d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Size

2.3MB
MD5

968e9faa49c57145eb9aa1d88147980a
SHA1

6f5824fac218092bdd0d2215b9e59615fdb4ddc3
SHA256

d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109
SHA512

9330d072ce4689299a38fc3897a78b6d23abb4463c6bc771e2a45a23812c44dab3e344d121bc4833d5545579e5371f56fb939898197296adf3d4a4e8e589d6d6

Score

10^/10

cryptbot discovery spyware stealer suricata vmprotect

Malware Config

Extracted

Family

cryptbot

C2

vetiir04.top

moriiikk02.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1180-68-0x0000000000A70000-0x0000000000D1C000-memory.dmp	family_cryptbot

suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

5 1104 WScript.exe
6 1104 WScript.exe
7 1104 WScript.exe
8 1104 WScript.exe
Executes dropped EXE 1 IoCs

Processes:

rtoosgw.exe

pid process

1180 rtoosgw.exe

flow	pid	process
5	1104	WScript.exe
6	1104	WScript.exe
7	1104	WScript.exe
8	1104	WScript.exe

pid	process
1180	rtoosgw.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1740-55-0x00000000003E0000-0x000000000083E000-memory.dmp	vmprotect
\Users\Admin\AppData\Local\Temp\rtoosgw.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\rtoosgw.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\rtoosgw.exe	vmprotect
behavioral1/memory/1180-68-0x0000000000A70000-0x0000000000D1C000-memory.dmp	vmprotect

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

556 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
556	cmd.exe

flow	ioc
12	ip-api.com

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exertoosgw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rtoosgw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rtoosgw.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rtoosgw.exe

pid process

1180 rtoosgw.exe
1180 rtoosgw.exe

pid	process
1180	rtoosgw.exe
1180	rtoosgw.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.execmd.execmd.exe

description	pid	process	target process
PID 1740 wrote to memory of 1636	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1636	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1636	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1636	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1636 wrote to memory of 1104	1636	cmd.exe	WScript.exe
PID 1636 wrote to memory of 1104	1636	cmd.exe	WScript.exe
PID 1636 wrote to memory of 1104	1636	cmd.exe	WScript.exe
PID 1636 wrote to memory of 1104	1636	cmd.exe	WScript.exe
PID 1740 wrote to memory of 556	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 556	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 556	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 556	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 556 wrote to memory of 1180	556	cmd.exe	rtoosgw.exe
PID 556 wrote to memory of 1180	556	cmd.exe	rtoosgw.exe
PID 556 wrote to memory of 1180	556	cmd.exe	rtoosgw.exe
PID 556 wrote to memory of 1180	556	cmd.exe	rtoosgw.exe
PID 1740 wrote to memory of 1608	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1608	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1608	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1608	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1656	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1656	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1656	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1656	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1000	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1000	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1000	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1740 wrote to memory of 1000	1740	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
"C:\Users\Admin\AppData\Local\Temp\d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe"
1⤵
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\bifdxbrtphpd.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bifdxbrtphpd.vbs"
3⤵
- Blocklisted process makes network request
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\rtoosgw.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\rtoosgw.exe
"C:\Users\Admin\AppData\Local\Temp\rtoosgw.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:1180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\osiklybdesi.exe"
2⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\poxqvrupu.exe"
2⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\gejgyatfln.exe"
2⤵
PID:1000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bifdxbrtphpd.vbs
Filesize
136B

MD5
c93f05e278c492af244f83814f839d5e

SHA1
a799ded060a3c937e2d868d97eb118c8b9af4ff2

SHA256
ba55029f7ade62848768ae6e264f62221646851775f41f70c4cee017d3aca022

SHA512
98946891f015981e3c68d31123be6195f655a4f67ad6b0c3bdcfbb7e3a5c2a535bc7446869e752d1403547991328bb746f5a50fa52d165a44be63995e0574827

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtoosgw.exe
Filesize
1.3MB

MD5
6f34430da8bf5550b4d894cede4e78e0

SHA1
9fe5dba145b0f7aa95cfe0076c4bf953398a8d39

SHA256
6acd10ab5757aa36c9f79b9348af3ae32cb02f26f420cbb673b2be7d6596cbb7

SHA512
5eacdb05d48cad5aeb3f6ed813c29ad2f996093fbe4bdf1cb92edbbe4b55f07e59f17ba65657e509d6e4b411695202f4a2262ba54392f3c9fccd57f82d69d383

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtoosgw.exe
Filesize
1.3MB

MD5
6f34430da8bf5550b4d894cede4e78e0

SHA1
9fe5dba145b0f7aa95cfe0076c4bf953398a8d39

SHA256
6acd10ab5757aa36c9f79b9348af3ae32cb02f26f420cbb673b2be7d6596cbb7

SHA512
5eacdb05d48cad5aeb3f6ed813c29ad2f996093fbe4bdf1cb92edbbe4b55f07e59f17ba65657e509d6e4b411695202f4a2262ba54392f3c9fccd57f82d69d383

Download Submit
\Users\Admin\AppData\Local\Temp\rtoosgw.exe
Filesize
1.3MB

MD5
6f34430da8bf5550b4d894cede4e78e0

SHA1
9fe5dba145b0f7aa95cfe0076c4bf953398a8d39

SHA256
6acd10ab5757aa36c9f79b9348af3ae32cb02f26f420cbb673b2be7d6596cbb7

SHA512
5eacdb05d48cad5aeb3f6ed813c29ad2f996093fbe4bdf1cb92edbbe4b55f07e59f17ba65657e509d6e4b411695202f4a2262ba54392f3c9fccd57f82d69d383

Download Submit
memory/556-62-0x0000000000000000-mapping.dmp

Download
memory/1000-76-0x0000000000000000-mapping.dmp

Download
memory/1104-60-0x0000000000000000-mapping.dmp

Download
memory/1180-65-0x0000000000000000-mapping.dmp

Download
memory/1180-68-0x0000000000A70000-0x0000000000D1C000-memory.dmp

Filesize
2.7MB

Download
memory/1180-70-0x0000000073F41000-0x0000000073F43000-memory.dmp

Filesize
8KB

Download
memory/1180-71-0x0000000074411000-0x0000000074413000-memory.dmp

Filesize
8KB

Download
memory/1608-72-0x0000000000000000-mapping.dmp

Download
memory/1636-57-0x0000000000000000-mapping.dmp

Download
memory/1656-74-0x0000000000000000-mapping.dmp

Download
memory/1740-54-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/1740-55-0x00000000003E0000-0x000000000083E000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads