cryptbot

Resubmissions

06-12-2022 13:52

221206-q6sdqsdc23 10

21-09-2022 08:18

220921-j7eqpsbdep 9

21-09-2022 07:05

220921-hwvr4sffe3 9

21-09-2022 05:39

220921-gca3xsahbn 9

Sharing

Copy URL

Twitter E-mail

General

Target

859c659aee8b897aeebf4b87364cc6d1.exe
Size

2.4MB
Sample

220921-gca3xsahbn
MD5

859c659aee8b897aeebf4b87364cc6d1
SHA1

c362e37f2a75447fe19eab90a6eba3dd3fa402e7
SHA256

b2fdf16f56a53ec57134d20655a23d5919c022a97cf7da4087bd6bf9f3704bb6
SHA512

b5a1ddf62be64eb5b58e674032884095e5a4ec190f4a8944e71efdc7f1faf57cfd5a9af7cd3d3040c1c3912ea4afafbfbea5cbe8532d5326f5c8d48f304a7ee6
SSDEEP

49152:d7BbOYaReQpAxY+TuQ/tymHRuKjQdT8K:nbOYakQpA++TuQ/tymHRumS

Score

10^/10

Malware Config

Extracted

Family

cryptbot

http://dixiel22.top/gate.php

Attributes

payload_url
http://lueink02.top/lutzen.dat

Targets

- Target
  
  859c659aee8b897aeebf4b87364cc6d1.exe
- Size
  
  2.4MB
- MD5
  
  859c659aee8b897aeebf4b87364cc6d1
- SHA1
  
  c362e37f2a75447fe19eab90a6eba3dd3fa402e7
- SHA256
  
  b2fdf16f56a53ec57134d20655a23d5919c022a97cf7da4087bd6bf9f3704bb6
- SHA512
  
  b5a1ddf62be64eb5b58e674032884095e5a4ec190f4a8944e71efdc7f1faf57cfd5a9af7cd3d3040c1c3912ea4afafbfbea5cbe8532d5326f5c8d48f304a7ee6
- SSDEEP
  
  49152:d7BbOYaReQpAxY+TuQ/tymHRuKjQdT8K:nbOYakQpA++TuQ/tymHRumS
Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Maps connected drives based on registry

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2