cryptbot | 0ebd6fcc7ab83bc44c14457c54b90674bfc40fbcc8af8154a1b3e240b96c665c

Analysis

max time kernel
3s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

213147990af1e09de2b30611d38b75d9.exe
Size

574KB
MD5

213147990af1e09de2b30611d38b75d9
SHA1

6b8a643c9abd57c2a2e229444b77fd1c50bc2f6d
SHA256

0ebd6fcc7ab83bc44c14457c54b90674bfc40fbcc8af8154a1b3e240b96c665c
SHA512

1dc46b87314b225dac565405ed6760418c60c5efb2d698c21858c29a605c5095b8be20cc7b1f5e65e70086224a498ba35937d215d96c1387f6ebb7e068bc95e0
SSDEEP

12288:wsIC3py6OpyvRkv2Kcixakyh9O0bmp52vwXljd2c4eXqcB8woO:Skpopyv2v2KcickakfjdyeXo

Score

10^/10

cryptbot spyware stealer

Malware Config

Extracted

Family

cryptbot

hairdx22.top

morqoi02.top

Attributes

payload_url
http://zelpdo03.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 4 IoCs

resource	yara_rule
behavioral1/memory/2528-2-0x0000000000220000-0x00000000002C0000-memory.dmp	family_cryptbot
behavioral1/memory/2528-3-0x0000000000400000-0x0000000002CC7000-memory.dmp	family_cryptbot
behavioral1/memory/2528-221-0x0000000000400000-0x0000000002CC7000-memory.dmp	family_cryptbot
behavioral1/memory/2528-225-0x0000000000220000-0x00000000002C0000-memory.dmp	family_cryptbot

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	213147990af1e09de2b30611d38b75d9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	213147990af1e09de2b30611d38b75d9.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2528	213147990af1e09de2b30611d38b75d9.exe

C:\Users\Admin\AppData\Local\Temp\213147990af1e09de2b30611d38b75d9.exe
"C:\Users\Admin\AppData\Local\Temp\213147990af1e09de2b30611d38b75d9.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sKBVA0UJz\_Files\_Information.txt

Filesize
1KB

MD5
880397982444697de3d34f23dec5d8dc

SHA1
ff656dde221a52de0b407cc3084120183e9a2491

SHA256
c5c3b18a386222698be9f83887da2094d63f18a31fb6cf5cb5219b66f4993cba

SHA512
4fb018ab0246c4723cd815ee5cde87392992c39897468b3e2e3f0f7b2630e6d52d88ace7bfbc523e00bf11305d8a7ec1c801d15a529a00fc344c6f4c860b874f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKBVA0UJz\_Files\_Information.txt

Filesize
3KB

MD5
b9c6f384152e24ededa89ee123551553

SHA1
370453dcf1d3aecda27e0cc04f3827e2e1b4b9c5

SHA256
afbdd9c32a06895e4d521f5ad813d0e839698ae1c5edcccca2c567448fcad154

SHA512
efd357bda25e853fd1460b3df3c4b39263f867f0b9c9814cbd74bd8a2f149238bc6fe2d2822c080bdfcc1a72540a8e44aa80620e235e484346c95cfa503b9332

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKBVA0UJz\_Files\_Information.txt

Filesize
3KB

MD5
fdd429d81eb1f2c6fe3e58285a9b7aca

SHA1
d763f9f26c23ae1dbc368b0c577fd956d38c3474

SHA256
f7c20167f0c10aed6acf70e47443b9ef157e6c062a75384a31e14b14d6194d0d

SHA512
3abc0b5c804c28e877e0f4dd0685b27db8f311b087d58bca32fe4e57b181302dc04a7b1169860a124975f505f948c74e80b5363948d332a085026cc0e0e073ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKBVA0UJz\_Files\_Information.txt

Filesize
4KB

MD5
772cb25fe0792a4562215d49bd74d095

SHA1
5cbca78190dc1df227837d922d1b8a4b4fc6ec9b

SHA256
bb5012f56a376e50815076cd824be4a3ca45f3cf4b4d4931b3c85d65de92f88d

SHA512
084ad062185c3182dbd7aeee821cb195f9e883f80b2bbeeec8fa36bfe35654eb06becb3253a9fa0720cadd7e0cc2fcf5f4ed2a0ada62cce5580a1b0ba26cf5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKBVA0UJz\_Files\_Screen_Desktop.jpeg

Filesize
46KB

MD5
8b35790d1350f7b597d9c46858ef113a

SHA1
55117c42e3762c65f74f4e855754e96795e82cad

SHA256
4282f30ffeb9744c09555ba3a34e1472fc2d33a753a22c281a8b66ea6b036b6e

SHA512
e34c4de5c10cc78ca074a5b47e67bdf4b76f149295e05a82020575a0648a62ec11f1782819c51cd7f07814210da3bc7c8cf82d3fc84652b3b0d46d911c0efd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKBVA0UJz\al3SaiesF8YEsi.zip

Filesize
39KB

MD5
1780deeb01b48856e31ff9774c1a41d2

SHA1
6e23dc5db3fe41ae0806fcef885bccef353e03a9

SHA256
60c33b2a4a1e0c5cacf3d1b02f10a65be477095a7b0f58a4409b05de97f0b9c7

SHA512
268ddfd997cadde55e3bb1d40679c0c907da4f6fd2bd32870b9f78fabe25a3495e99a8173ef7d95e7c9aa7b71fd3b5d06b5110fff3e3aa65f404766e9a29b547

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKBVA0UJz\files_\system_info.txt

Filesize
1KB

MD5
246719831df7b19b20b4aeda6bf3a6f1

SHA1
f40cfb847c288f6988539d4d3f443978b85749d4

SHA256
fb8bab782d99d8c8bb151f6163dac26d5aaa61452aac5d2f7cec49b51fd3bed9

SHA512
427b42e75d7182ff467b33e9ac8ad1a137621dbd6bd3dfb2db5a7c0a7cef7ee8dec7903602140b8da99827e2634e255d8655d85e1b600f8da11eec05090dbe28

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKBVA0UJz\files_\system_info.txt

Filesize
1KB

MD5
25b202070c2cbf4c492bae40914340c6

SHA1
32b2a42114d330683b4d5c8fee40fb1141b7e378

SHA256
550c0f93094ea8ef772e3894469ee9510ad12032f5f9e4573ece5757a16b06cf

SHA512
0226fc285e575c7bba4041134979e2596cb0d5116fa40642c36de4f5fb00d0ae9656dd7a23fbbe603b34af3068cdd57ac91557d1484b543ddba38d7d577b4f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKBVA0UJz\files_\system_info.txt

Filesize
2KB

MD5
4f96bd1d08dbd18f3910f3d8a52ec856

SHA1
a9219c024e64ef025589e6ea10e13b879feecfcc

SHA256
fd29ade92f6ffd290a22cd222f18ecd4cab09b49adefab42c1f4231c0aac176d

SHA512
6dde254cecd8cb9cfc77d9810d550c69e8fa2f0d4da35c202343f30bbe29749c03b4ff76a0b3ef29c633e864b9b6f226bd42908531bbd68e7126da7820cf860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKBVA0UJz\files_\system_info.txt

Filesize
3KB

MD5
96a62a9601ca5896e71b8d7459eea4e8

SHA1
bc0d170d8a8cec4a0d956cff2d7b995902bf9340

SHA256
2c27bb136968d8b2fe632426a27db94dc32ce90d81f078b35cfaea34fcd4a59d

SHA512
c9d393aca665b56991dfc7da22f249b2862747bcd24d2e3691fafdbe42ca717d172959faece2ea0530b7e51bce0382e9bb2c97edbd12d74de3f08166f066e384

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKBVA0UJz\files_\system_info.txt

Filesize
3KB

MD5
64f59fea53485f653c5ae39490d7a87b

SHA1
f9a4b36345cec25694dc2072929f94447f910b14

SHA256
19c1b0c70b994d2c185fb6f1e59d8bf6b3404788e52e5ec729b106922e873509

SHA512
81138ace643cbe6958517ed0943ba796688a516f40298d1394e0d30fb5b9747cdfe32dce2bc58fa91ef0676fcc9d30a14906a983202673215f1fe1156a696323

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKBVA0UJz\files_\system_info.txt

Filesize
4KB

MD5
7bdf98e4e046e8c021be483ab437202c

SHA1
2cb21f2e09ffdc956de76ff69d8d364a57d7f364

SHA256
79c8459a74f9c52e583317847cf3b94f3753db4dcbaea354a388898ba15c2b9e

SHA512
6f0542a2f54f625d76fb81d0c03962743ed51a9c669b108862062387d8ff26de0fa4821a0f393d6b5d9948926e6db5fa1d39efcc6608edccb8bf7ce37162a886

Download Submit
memory/2528-4-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/2528-2-0x0000000000220000-0x00000000002C0000-memory.dmp

Filesize
640KB

Download
memory/2528-3-0x0000000000400000-0x0000000002CC7000-memory.dmp

Filesize
40.8MB

Download
memory/2528-221-0x0000000000400000-0x0000000002CC7000-memory.dmp

Filesize
40.8MB

Download
memory/2528-225-0x0000000000220000-0x00000000002C0000-memory.dmp

Filesize
640KB

Download
memory/2528-224-0x0000000002DE0000-0x0000000002EE0000-memory.dmp

Filesize
1024KB

Download
memory/2528-227-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/2528-1-0x0000000002DE0000-0x0000000002EE0000-memory.dmp

Filesize
1024KB

Download