cryptbot

General

Target

21f1e57607e3734bd31d55b02f3fbb9e.exe
Size

791KB
Sample

230316-rnzkrsbb67
MD5

21f1e57607e3734bd31d55b02f3fbb9e
SHA1

2653db1285efc7b847bb56a4e6a5434b03350ac5
SHA256

6d6a5f70a5f8d597d4074ac0c2d84dd9ed5f41aa39305f4260b831a03bec4569
SHA512

833a04a5edb72e31c5926907f317132c28b1d19be25d6f4fa74292d1da24eeb0f4a72968d0ae79d3c09e4d1e0010196ab92fab4e80385b690e96e28a3adca66c
SSDEEP

24576:eaO+WvtXJNDY+mfQ2p0WGstpe8gNZ4bG58b4H:ex+KZNDvmfd+WGsi4658M

Score

10^/10

Malware Config

Extracted

Family

cryptbot

C2

http://erniku42.top/gate.php

Attributes

payload_url
http://ovapfa05.top/unfele

Targets

- Target
  
  21f1e57607e3734bd31d55b02f3fbb9e.exe
- Size
  
  791KB
- MD5
  
  21f1e57607e3734bd31d55b02f3fbb9e
- SHA1
  
  2653db1285efc7b847bb56a4e6a5434b03350ac5
- SHA256
  
  6d6a5f70a5f8d597d4074ac0c2d84dd9ed5f41aa39305f4260b831a03bec4569
- SHA512
  
  833a04a5edb72e31c5926907f317132c28b1d19be25d6f4fa74292d1da24eeb0f4a72968d0ae79d3c09e4d1e0010196ab92fab4e80385b690e96e28a3adca66c
- SSDEEP
  
  24576:eaO+WvtXJNDY+mfQ2p0WGstpe8gNZ4bG58b4H:ex+KZNDvmfd+WGsi4658M
Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2