cryptbot | 953f9761acd7d9a2b093225fe0b4131b85696ecd0d6fad1d504173a90829be0d

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b976eb61942f5feb72dd43d6b16f0c8f.exe
Size

1.4MB
MD5

b976eb61942f5feb72dd43d6b16f0c8f
SHA1

ad11dd9fdca6c72328acb45569a2c97c24188043
SHA256

953f9761acd7d9a2b093225fe0b4131b85696ecd0d6fad1d504173a90829be0d
SHA512

5ce9d29e6956aed0b0b9f390a9df816c00ea0d5cce91af08b246b64a3ccb15c554cd7c98c2bef544282bfb0f9d547b9f1a7681d77fe62d13d943e491f06957f7
SSDEEP

24576:11SwsUHmbqGRGOxrYZd23bTDdRc7GFXy9AoXzhfD1mHN9LOVA:xsUGbqGRFyd2L/dRc7GBy9AM98HbyV

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

knufnp41.top

morumd04.top

Attributes

payload_url
http://sarfri06.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

resource	yara_rule
behavioral1/memory/2636-28-0x00000000038D0000-0x0000000003973000-memory.dmp	family_cryptbot
behavioral1/memory/2636-29-0x00000000038D0000-0x0000000003973000-memory.dmp	family_cryptbot
behavioral1/memory/2636-30-0x00000000038D0000-0x0000000003973000-memory.dmp	family_cryptbot
behavioral1/memory/2636-31-0x00000000038D0000-0x0000000003973000-memory.dmp	family_cryptbot
behavioral1/memory/2636-251-0x00000000038D0000-0x0000000003973000-memory.dmp	family_cryptbot

Executes dropped EXE 2 IoCs

pid	Process
2056	Poi.exe.com
2636	Poi.exe.com

Loads dropped DLL 2 IoCs

pid	Process
3008	cmd.exe
2056	Poi.exe.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b976eb61942f5feb72dd43d6b16f0c8f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Poi.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Poi.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2624	PING.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2056	Poi.exe.com
2056	Poi.exe.com
2056	Poi.exe.com
2636	Poi.exe.com
2636	Poi.exe.com
2636	Poi.exe.com
2636	Poi.exe.com
2636	Poi.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2056	Poi.exe.com
2056	Poi.exe.com
2056	Poi.exe.com
2636	Poi.exe.com
2636	Poi.exe.com
2636	Poi.exe.com

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2968	2676	b976eb61942f5feb72dd43d6b16f0c8f.exe	28
PID 2676 wrote to memory of 2968	2676	b976eb61942f5feb72dd43d6b16f0c8f.exe	28
PID 2676 wrote to memory of 2968	2676	b976eb61942f5feb72dd43d6b16f0c8f.exe	28
PID 2676 wrote to memory of 2968	2676	b976eb61942f5feb72dd43d6b16f0c8f.exe	28
PID 2676 wrote to memory of 1988	2676	b976eb61942f5feb72dd43d6b16f0c8f.exe	29
PID 2676 wrote to memory of 1988	2676	b976eb61942f5feb72dd43d6b16f0c8f.exe	29
PID 2676 wrote to memory of 1988	2676	b976eb61942f5feb72dd43d6b16f0c8f.exe	29
PID 2676 wrote to memory of 1988	2676	b976eb61942f5feb72dd43d6b16f0c8f.exe	29
PID 1988 wrote to memory of 3008	1988	cmd.exe	31
PID 1988 wrote to memory of 3008	1988	cmd.exe	31
PID 1988 wrote to memory of 3008	1988	cmd.exe	31
PID 1988 wrote to memory of 3008	1988	cmd.exe	31
PID 3008 wrote to memory of 1564	3008	cmd.exe	32
PID 3008 wrote to memory of 1564	3008	cmd.exe	32
PID 3008 wrote to memory of 1564	3008	cmd.exe	32
PID 3008 wrote to memory of 1564	3008	cmd.exe	32
PID 3008 wrote to memory of 2056	3008	cmd.exe	33
PID 3008 wrote to memory of 2056	3008	cmd.exe	33
PID 3008 wrote to memory of 2056	3008	cmd.exe	33
PID 3008 wrote to memory of 2056	3008	cmd.exe	33
PID 3008 wrote to memory of 2624	3008	cmd.exe	34
PID 3008 wrote to memory of 2624	3008	cmd.exe	34
PID 3008 wrote to memory of 2624	3008	cmd.exe	34
PID 3008 wrote to memory of 2624	3008	cmd.exe	34
PID 2056 wrote to memory of 2636	2056	Poi.exe.com	35
PID 2056 wrote to memory of 2636	2056	Poi.exe.com	35
PID 2056 wrote to memory of 2636	2056	Poi.exe.com	35
PID 2056 wrote to memory of 2636	2056	Poi.exe.com	35

C:\Users\Admin\AppData\Local\Temp\b976eb61942f5feb72dd43d6b16f0c8f.exe
"C:\Users\Admin\AppData\Local\Temp\b976eb61942f5feb72dd43d6b16f0c8f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\dllhost.exe
  dllhost.exe
  2⤵
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Pensato.bmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^AMdmEFpRWoHLUblFdkNexZewMRUenFUCcosLAvruKxxkTVxbxfyMsOKBKfMNLiasgtdMyntUiHaZEQiRbvHpA$" Pur.bmp
      4⤵
      PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
      Poi.exe.com J
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com J
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2636
  - - C:\Windows\SysWOW64\PING.EXE
      ping IZKCKOTP -n 30
      4⤵
      Runs ping.exe
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Impedisce.bmp

Filesize
756KB

MD5
6774e85a5036b42d114e8282731ef884

SHA1
7b8ad37291190fcd1e480e9147351fb0e3aae250

SHA256
b14979b2f71b712761a39bc300835b354c0978549183bb3dedb80cf83b7c6e19

SHA512
aa912ddc77076ac1e1692549954f2e274ab568e56781ffa6e95405e5737b9292a8009f75950a86c9dd897688ec200f10e01afa6e9986daf62652b2730ba0f730

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pensato.bmp

Filesize
433B

MD5
eb6e7349e610ab7d908e00d4bfc52310

SHA1
0f11563101bda294855630a89e8cb660af6a1fb1

SHA256
88e27432de862cfaab0acff8e1b3566c6ba72a1ef79ce106d609ca7789bc8e29

SHA512
19a5ba95f337ad2036b35001ccd2fad581795eddc9263f7500ac393c1eec7f72efb6835144fb08554fde25d6edc927bde31fa68113ca2a2c72f23a87408906fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pur.bmp

Filesize
872KB

MD5
979c40fbb41662ab269cc7385e70872e

SHA1
31161970c8a46ce8cea56877b031f585be647783

SHA256
f10282b85d47762caf80ca3c65e7ce75acef6e4bc3e908d7a06d40c764dfa6fd

SHA512
0495c869e6bf136e577b71ad76bb5b42fb814dd1a7be398e8497ccdf9e9d76f77b7615deab8df08eb06d111a2c9ce4be6a6d5a740573a28e336be24930db108d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uno.bmp

Filesize
634KB

MD5
0fa2eddeaa5114ccbcd6c99a1dc04573

SHA1
27c4658012ee24ee594cae74c04e390ae2d36f64

SHA256
9c01c8ea750915da7e8dccd1f72fcce7a0788568cea75789f6dc628d25285144

SHA512
59ba5d39796f092815c459bd406cac6b64cee8cb4d5363a1b5c74bb428a7e784c2b18727ac9cc65fb8c7ddd3b4a2f08e698f2d6935a50cb94a3764963a652418

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePxfK6mJ\_Files\_Information.txt

Filesize
1KB

MD5
62b68c41120fc8935590bb7658e0e4e3

SHA1
fd781c8c927a3350b8df163b92dc5691727a1019

SHA256
d6b1b636adffc2753f1dfe9ad2574fa275cb684664e0530642df77d2cacf1d59

SHA512
0f53a4cdbe7108f057a26a712d828fc9cc44657cecad992dcc1d1e53b92bb05a0ef2e1c3ac1b4d46fe154028b44b6a632bf89a8899a1aaa389d8aa91c43a8826

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePxfK6mJ\_Files\_Information.txt

Filesize
3KB

MD5
e80068eee99e596270b7334e06195d16

SHA1
5f6c7be6e5aaa32b3c92930d076a888283d08b94

SHA256
36c996fd6d50105e096f483f1d3ecfa2a9b249c80b6c0f6079815a918901ef68

SHA512
281c199a5a362106272d2f4d92a2b19000d5e0a36b8a02a89c9272871ea4b585b8f7982451afb08b3d943b0512f2c39f27324d35eb344a2ad819832e3b13d8f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePxfK6mJ\_Files\_Information.txt

Filesize
3KB

MD5
ccde098de831d3d53158cf53d4b36d0d

SHA1
bfbbbefd25e3a178dd2cb22dbed1f6adeacab76c

SHA256
fa920b0ea6f9f867ba72d5d1758843ce47c299bc11eea69a1f3002a0d23cc34a

SHA512
1f89ea234de6da0a21ec0e5104e82608176f1d81e633c92165aff303f661765123799586bfb2765440543f8762f71a759d40a88a390cce8a97b3b10e2e4bd707

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePxfK6mJ\_Files\_Information.txt

Filesize
4KB

MD5
9ca18d7cc1f43a7a47994e4316491f0b

SHA1
81e27e7c211d4414f0fd52f5770a57442820bdfc

SHA256
2cfe69db2f5fc967532cc08d365a3594fbdf2e942083912b3a07139b2a1e5bae

SHA512
6c62e8d7fe228fb0ecd63fcca8db46078f39e2203fd6e65b724206f21a6a10ab125599c51906745e4ba85efe45120ce2246f2052d0dea72c48bbc32089d106d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePxfK6mJ\_Files\_Screen_Desktop.jpeg

Filesize
43KB

MD5
ef65f7b01282ed1ef092638cbdd26629

SHA1
5db6fbeb653b0573f3fad9e7fd79e74d3e66f851

SHA256
411048a270d743976d7b4f80cd4b5902e0098ef30b2e7753ac1e9336e6f1ae0e

SHA512
0884241b9a895356a7b696b2126b3dac5465a1ad08091d6c431adc248559dc17a3c56531014ea4c13027126e61732a09cec6abf1a7901d7895f06e446dafe853

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePxfK6mJ\files_\system_info.txt

Filesize
1KB

MD5
c336d79eefd442960ebbddbe337e953d

SHA1
1c5074f793bd162768a62097ebb92066e90887ee

SHA256
9cd44e88c66299ed787fb80db60ec6eff290bb2537ce090242c33244b6ce2309

SHA512
cf1879e39b1032a864affe12c61ce407dd5b57bbbc99bcdac5fe7bb5a0bc4630e43c6939f685a669ef100705c8c4912271311dd0e93c93520556ac3288705992

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePxfK6mJ\files_\system_info.txt

Filesize
3KB

MD5
203ae57ed2e12f3bd40e96bcefada6aa

SHA1
c9674e7db1205f0f1f0ea2277e7d81786a1be6df

SHA256
ad87052dd5feab94010eef538549df62575b1021c7310e1bd971ee9ba3037791

SHA512
b31f9cc1fe8a8fe57895e33ef392af01b636a218ba53049a30c72ab1b8ee4396db0b44a230ee839251220d05534f798ecb842b879c5a1efadc400e2265519082

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePxfK6mJ\files_\system_info.txt

Filesize
3KB

MD5
02c324a1a80d466c45309d783e092808

SHA1
bf59c57377b3ae4b3e695dd19a15d523a184f65a

SHA256
a440e14694b0241c2ae25ab9eefc44199f5f464941f924d51b38116719f4a2a2

SHA512
7c1a09e06ceecb866fbcd35fb27b6ca2126178c2c1b0acdcaeb816b1c041aad52fdbd21dd6228170fb3f6f23acb2b1c786b54deba5048f58ac632b1736001b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePxfK6mJ\files_\system_info.txt

Filesize
4KB

MD5
2488e1a7e70c8cf295fd71bdd99aaf1d

SHA1
5354f8900f40ac6bd007989f89285a3ff88f6ca1

SHA256
5601b8db1bc085d00bd271523d11d309ed79bff0604c71091d0e495806a01072

SHA512
320ccf982b81dbbbbda90e6645e847da86cf6f40a366c4e2d8adab476b1ee3547e397383f13cfeebd5e084c5ad368a5c9eb7d90d9ebc9f6bfe08b63c49af0578

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePxfK6mJ\w6DeELSARukc.zip

Filesize
35KB

MD5
a6069703e1918d522c22f2b72b91f0d6

SHA1
35ce4f55ba70c612f726ee08a360111b8a419b8d

SHA256
db836e6a46ded9fd0cc21c9e2fac4974f9a992c79ffa43801e169afedae0f31a

SHA512
632aa3017529940ff54f757d85a115c19ddcbd5da972f989cb6a262dc646d3dc2adfa39fb0cb261e1565826a1e9e25612bd3960ea34807c17ab8db137ec748f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2636-25-0x00000000038D0000-0x0000000003973000-memory.dmp

Filesize
652KB

Download
memory/2636-32-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2636-31-0x00000000038D0000-0x0000000003973000-memory.dmp

Filesize
652KB

Download
memory/2636-30-0x00000000038D0000-0x0000000003973000-memory.dmp

Filesize
652KB

Download
memory/2636-29-0x00000000038D0000-0x0000000003973000-memory.dmp

Filesize
652KB

Download
memory/2636-28-0x00000000038D0000-0x0000000003973000-memory.dmp

Filesize
652KB

Download
memory/2636-27-0x00000000038D0000-0x0000000003973000-memory.dmp

Filesize
652KB

Download
memory/2636-26-0x00000000038D0000-0x0000000003973000-memory.dmp

Filesize
652KB

Download
memory/2636-251-0x00000000038D0000-0x0000000003973000-memory.dmp

Filesize
652KB

Download
memory/2636-252-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2636-24-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads