cryptbot | 1f9f25a99544f9a1a83368c1d8fa08600a41863e61b39acf454a25ba2f74265b | Triage

Submit
Reports

Overview

overview

Static

static

1

file.exe

windows7-x64

3

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

623KB
Sample

230416-v5xz2sag54
MD5

3978c9186e82aeb44dadca6c7df4d2bd
SHA1

146c49d206d64e3df8c9f623b481baf4f931352c
SHA256

1f9f25a99544f9a1a83368c1d8fa08600a41863e61b39acf454a25ba2f74265b
SHA512

d5b2fcee593beeaacd6b0c003b389c115941a30ea626faf096685662e83f2d489161f730d62e7b4414b56d951ab3bfdf33e99e762e57a3483bedbe3070feae91
SSDEEP

12288:m2/EhMPvO9pWxfPpif8Qz0ZM/TS533iC4VwHBny040D8Asil14:m2/EhMPvOpWxfhif3/TU9ySI414

Score

10^/10

cryptbot evasion spyware stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20230220-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20230220-en

cryptbot evasion spyware stealer themida trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

cryptbot

C2

http://ubykot72.top/gate.php

Attributes

payload_url
http://moizyv10.top/odious.dat

Extracted

Family

cryptbot

C2

http://ubykot72.top/gate.php

Targets

- Target
  
  file.exe
- Size
  
  623KB
- MD5
  
  3978c9186e82aeb44dadca6c7df4d2bd
- SHA1
  
  146c49d206d64e3df8c9f623b481baf4f931352c
- SHA256
  
  1f9f25a99544f9a1a83368c1d8fa08600a41863e61b39acf454a25ba2f74265b
- SHA512
  
  d5b2fcee593beeaacd6b0c003b389c115941a30ea626faf096685662e83f2d489161f730d62e7b4414b56d951ab3bfdf33e99e762e57a3483bedbe3070feae91
- SSDEEP
  
  12288:m2/EhMPvO9pWxfPpif8Qz0ZM/TS533iC4VwHBny040D8Asil14:m2/EhMPvOpWxfhif3/TU9ySI414
Score

10^/10

cryptbot evasion spyware stealer themida trojan
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

cryptbotevasionspywarestealerthemidatrojan

© 2018-2023

Terms | Privacy