cryptbot

General

Target

1e0c04259041599f381739e5a2779118.exe
Size

282KB
Sample

230419-l8kdpabf9z
MD5

1e0c04259041599f381739e5a2779118
SHA1

4aeec9e7e2d836ef69145a8451410b49d7ee8139
SHA256

71dfa64187315a09becab456d32e70e43ae68afbff5a601a9227089241b9c460
SHA512

bb1f4f064a0f7da8a7cf2aae2f7eb8687bf8f4861e168a97c4e31bced31341d552419bc96d254e11237c1227fc3836ebc802eff7af6a399a2bab62b94d3e275d
SSDEEP

3072:kcJiBxMfexCJCzAU0tPjv4UVA3oG+dHLnVTuX2kmo5ugsFWrO7CCFpPsOmmh16Pq:axaUCJCIjASGoGoOMF7+QpppObl7iM

Score

10^/10

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

redline

Botnet

RED

C2

79.137.202.0:81

Attributes

auth_value
49e32ec54afd3f75dadad05dbf2e524f

Extracted

Family

cryptbot

C2

http://fygqwc32.top/gate.php

Extracted

Family

laplas

C2

http://79.137.199.252

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Targets

- Target
  
  1e0c04259041599f381739e5a2779118.exe
- Size
  
  282KB
- MD5
  
  1e0c04259041599f381739e5a2779118
- SHA1
  
  4aeec9e7e2d836ef69145a8451410b49d7ee8139
- SHA256
  
  71dfa64187315a09becab456d32e70e43ae68afbff5a601a9227089241b9c460
- SHA512
  
  bb1f4f064a0f7da8a7cf2aae2f7eb8687bf8f4861e168a97c4e31bced31341d552419bc96d254e11237c1227fc3836ebc802eff7af6a399a2bab62b94d3e275d
- SSDEEP
  
  3072:kcJiBxMfexCJCzAU0tPjv4UVA3oG+dHLnVTuX2kmo5ugsFWrO7CCFpPsOmmh16Pq:axaUCJCIjASGoGoOMF7+QpppObl7iM
Score

10^/10

gcleaner loader cryptbot laplas redline stealc red clipper discovery evasion infostealer persistence spyware stealer themida trojan
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Detects Stealc stealer
  stealer
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2