cryptbot | 640e544c960828067a6cedb824bd601e94ff11c3aa09d8077ba6c93972467b19 | Triage

Submit
Reports

Overview

overview

Static

static

1

file.exe

windows7-x64

8

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

525KB
Sample

230421-swbz4sac5w
MD5

f12995bb7df7dff1e9e017fbcfd982eb
SHA1

ee2f50603ab07f5f2f2a10aaaed88a69c696ce32
SHA256

640e544c960828067a6cedb824bd601e94ff11c3aa09d8077ba6c93972467b19
SHA512

4fa2516c84638a43e1ce0d1b16b44a599cdc45aac73e06ab1578a1b12bb8c285a386d8430feaef058f95deaf01abd3611a69d8140b3b2fc84d21ea0c2b1a5182
SSDEEP

6144:fqNjNoqNh3pdmR5wLciCkFFQx2EAjOBbbZ5xFdt7lbCb2OXkhU+ghYw1IOq:fqNjNYRAFFJhO5xCb2OXk6t14

Score

10^/10

cryptbot evasion spyware stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20230220-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20230220-en

cryptbot evasion spyware stealer themida trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

cryptbot

C2

http://fygqwg52.top/gate.php

Attributes

payload_url
http://qatfil07.top/huckle.dat

Extracted

Family

cryptbot

C2

http://fygqwg52.top/gate.php

Targets

- Target
  
  file.exe
- Size
  
  525KB
- MD5
  
  f12995bb7df7dff1e9e017fbcfd982eb
- SHA1
  
  ee2f50603ab07f5f2f2a10aaaed88a69c696ce32
- SHA256
  
  640e544c960828067a6cedb824bd601e94ff11c3aa09d8077ba6c93972467b19
- SHA512
  
  4fa2516c84638a43e1ce0d1b16b44a599cdc45aac73e06ab1578a1b12bb8c285a386d8430feaef058f95deaf01abd3611a69d8140b3b2fc84d21ea0c2b1a5182
- SSDEEP
  
  6144:fqNjNoqNh3pdmR5wLciCkFFQx2EAjOBbbZ5xFdt7lbCb2OXkhU+ghYw1IOq:fqNjNYRAFFJhO5xCb2OXk6t14
Score

10^/10

cryptbot evasion spyware stealer themida trojan
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

cryptbotevasionspywarestealerthemidatrojan

© 2018-2023

Terms | Privacy