General
Target
1576002a.exe
Size
864KB
MD5
6a70628dd48442b4b207572e8dd6b056
SHA1
2edbd5084c074d0103ca188763118faa0eee7225
SHA256
89de4b1814d6e9b151efa6d9ff8be4e6c5e491e1f48c70c7219a810aa2413f8b
SHA512
52cffb1e03cd935e126e3e90a153c609441bde8e7a0bd1c012f3369bb8c5de6e3c734c3512736194ae40cb33111acf03cc826491a1f24413fb6a58bc192bd63e
SSDEEP
24576:q7b+FsJqXnUsRlgZtMvYE5KyZUG42f0D9AJ10bh6Z:qYsJyUHxEIWJubh6Z
Malware Config
Extracted configuration
Family: cryptbot
http://xuncwe65.top/gate.php
Signatures
Cryptbot family
Files
1576002a.exe.exe windows x86
dbbf6f80eaac29c3b06df9130b7a8b5f
PE Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
FindClose
CreateFileW
DeleteFileW
GetFileSize
lstrcmpW
SetFilePointer
GetCurrentThreadId
LocalAlloc
MultiByteToWideChar
GetLastError
FileTimeToSystemTime
LocalFree
FreeLibrary
CreateDirectoryW
GetModuleFileNameW
InitializeCriticalSection
SetErrorMode
WaitForSingleObject
GlobalAlloc
GlobalFree
ExitProcess
GetComputerNameW
AreFileApisANSI
TryEnterCriticalSection
HeapCreate
HeapFree
EnterCriticalSection
GetFullPathNameW
WriteFile
InterlockedCompareExchange
GetDiskFreeSpaceW
OutputDebugStringA
LockFile
LeaveCriticalSection
GetFullPathNameA
SetEndOfFile
UnlockFileEx
GetTempPathW
CreateMutexW
GetFileAttributesW
GetVersionExW
UnmapViewOfFile
HeapValidate
HeapSize
GetTempPathA
FormatMessageW
GetDiskFreeSpaceA
GetFileAttributesA
GetFileAttributesExW
OutputDebugStringW
FlushViewOfFile
FindNextFileW
WaitForSingleObjectEx
GetVersionExA
DeleteFileA
HeapReAlloc
HeapAlloc
HeapCompact
HeapDestroy
UnlockFile
CreateFileMappingA
LockFileEx
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
SystemTimeToFileTime
WideCharToMultiByte
GetSystemTimeAsFileTime
GetSystemTime
FormatMessageA
CreateFileMappingW
MapViewOfFile
QueryPerformanceCounter
FlushFileBuffers
lstrlenW
GetTempFileNameW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
IsValidCodePage
FindNextFileA
FindFirstFileExA
ReadConsoleW
FindFirstFileW
ReadFile
GlobalMemoryStatus
GetDiskFreeSpaceExA
GetProcAddress
GetLogicalDriveStringsA
GetCurrentProcess
GetLocalTime
LoadLibraryW
GetSystemInfo
LoadLibraryA
GetLocaleInfoA
GetLocaleInfoW
GetEnvironmentVariableW
GetDriveTypeA
GetModuleHandleExW
GetSystemDefaultLCID
GetLogicalDrives
GetTimeZoneInformation
SetStdHandle
SetFilePointerEx
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetConsoleMode
GetConsoleCP
GetTickCount
GetModuleHandleW
CloseHandle
Process32FirstW
Process32NextW
Sleep
CreateToolhelp32Snapshot
CreateFileA
GetACP
GetStdHandle
GetModuleFileNameA
FreeLibraryAndExitThread
ExitThread
CreateThread
GetFileType
RtlUnwind
RaiseException
LoadLibraryExW
GetCPInfo
GetStringTypeW
LCMapStringW
CompareStringW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
SetLastError
DecodePointer
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
SetEvent
ResetEvent
CreateEventW
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
EncodePointer
WriteConsoleW
user32
GetThreadDesktop
SetThreadDesktop
MessageBoxW
OpenWindowStationA
SetProcessWindowStation
OpenInputDesktop
GetProcessWindowStation
ReleaseDC
GetWindowRect
GetWindowDC
GetDesktopWindow
gdi32
BitBlt
CreateCompatibleBitmap
SelectObject
CreateCompatibleDC
DeleteDC
DeleteObject
advapi32
GetTokenInformation
RegCloseKey
RegEnumKeyExA
RegOpenKeyExA
RegQueryValueExA
OpenProcessToken
ConvertSidToStringSidW
GetUserNameW
RegQueryValueExW
shell32
SHFileOperationW
ShellExecuteExW
ole32
CreateStreamOnHGlobal
crypt32
CryptUnprotectData
CertFindChainInStore
CertOpenSystemStoreA
CertGetCertificateChain
CertFreeCertificateContext
CertCloseStore
CertFreeCertificateChain
CertVerifyCertificateChainPolicy
wininet
HttpSendRequestExA
InternetSetOptionA
HttpEndRequestA
InternetWriteFile
HttpOpenRequestA
InternetOpenA
HttpSendRequestA
InternetConnectA
InternetReadFile
InternetCloseHandle
ws2_32
WSAStartup
WSAGetLastError
ioctlsocket
closesocket
WSACleanup
htons
recv
connect
socket
send
gethostbyname
PE Sections
.text Size: 604KB - Virtual size: 604KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 160KB - Virtual size: 160KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 60KB - Virtual size: 60KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.tls Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.gfids Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 28KB - Virtual size: 28KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ