cryptbot | 8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9

General

Target

8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe
Size

795KB
MD5

1378addc7c016581bb0f76dc32d0af61
SHA1

35d7f0d9aa6893e4c90a7c1552568f5c27e1b638
SHA256

8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9
SHA512

fba542b033428f2c1badf75a017c6df1d108af5dcccaddc6c90f993f193c45471b985993190106baecba5a29254298fba4cceab5d8df7ebda44fa38f5c6b4bab
SSDEEP

12288:UCGDA23V1NyXsLdc2gJMKYWBpX6FKVEuZFhTbgnQjMJiWA2kN3R9ldtwjAPH:7GDl3kXsDZupEu31bgnQYu2kN3xdthPH

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

http://ewzvpq52.top/gate.php

Attributes

payload_url
http://biriuv07.top/tarefa.dat

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4136 set thread context of 4656	4136	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe	84

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4656	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe
4656	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 4656	4136	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe	84
PID 4136 wrote to memory of 4656	4136	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe	84
PID 4136 wrote to memory of 4656	4136	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe	84
PID 4136 wrote to memory of 4656	4136	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe	84
PID 4136 wrote to memory of 4656	4136	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe	84
PID 4136 wrote to memory of 4656	4136	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe	84
PID 4136 wrote to memory of 4656	4136	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe	84
PID 4136 wrote to memory of 4656	4136	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe	84
PID 4136 wrote to memory of 4656	4136	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe	84
PID 4136 wrote to memory of 4656	4136	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe	84
PID 4136 wrote to memory of 4656	4136	8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe	84

C:\Users\Admin\AppData\Local\Temp\8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe
"C:\Users\Admin\AppData\Local\Temp\8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe
  "C:\Users\Admin\AppData\Local\Temp\8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe"
  2⤵
  - Maps connected drives based on registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\76F0.tmp

Filesize
32B

MD5
bc8f87470596daf0d93976daf3ea0138

SHA1
8d95a828ce42c87b0427c0a59dfab2291c493762

SHA256
4611793c20d45a907ee3ad40bd7f40da8aa2449a3b13f63113d55f248d928b86

SHA512
7a38a2e0585d423c42a3b7fb5143bfe503100ee29532bfcc13bd19820942349c013d5e17ddfd9b010b5c9df7b81cd1be65a7fd7b3fb3419004689f0e1cbe6662

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BB7.tmp

Filesize
71KB

MD5
dc2b0f48d8f547d5ff7d67b371d850f0

SHA1
84d02ddbf478bf7cfe9ccb466362860ee18b3839

SHA256
0434c46910f48821a0a442b510260a3faea9404d7e6a8edd2cf44cc7dfea3890

SHA512
3470ae3db7053a7e606a221f97f8cadf58500a746daaa4c763d714fe99df026d1c7858aaaf6d34ec1bbaa5305f8eead00101b6a7ac6f4d457425d04bcf92e8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9006.tmp

Filesize
2KB

MD5
dd7a4110e2dc0760efdd47ee918c0deb

SHA1
5ed5efe128e521023e0caf4fff9af747522c8166

SHA256
550ad8794d9ec26bc7e09225cb1cbe648ee7c1c2349aabec8172f08bdec26084

SHA512
c928725e5f010d371727aadcc057da91378a0b24c66b2848217e9186dd319b6bf09c0859d7bf523ff1736fc41591eb25662a900fbe3977b63132a0c40dcd35dc

Download Submit
memory/4656-133-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4656-134-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4656-135-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4656-136-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4656-197-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4656-234-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4656-235-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4656-236-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads