cryptbot | 953f9761acd7d9a2b093225fe0b4131b85696ecd0d6fad1d504173a90829be0d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b976eb61942f5feb72dd43d6b16f0c8f.exe
Size

1.4MB
MD5

b976eb61942f5feb72dd43d6b16f0c8f
SHA1

ad11dd9fdca6c72328acb45569a2c97c24188043
SHA256

953f9761acd7d9a2b093225fe0b4131b85696ecd0d6fad1d504173a90829be0d
SHA512

5ce9d29e6956aed0b0b9f390a9df816c00ea0d5cce91af08b246b64a3ccb15c554cd7c98c2bef544282bfb0f9d547b9f1a7681d77fe62d13d943e491f06957f7
SSDEEP

24576:11SwsUHmbqGRGOxrYZd23bTDdRc7GFXy9AoXzhfD1mHN9LOVA:xsUGbqGRFyd2L/dRc7GBy9AM98HbyV

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

knufnp41.top

morumd04.top

Attributes

payload_url
http://sarfri06.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

resource	yara_rule
behavioral2/memory/4824-25-0x00000000047E0000-0x0000000004883000-memory.dmp	family_cryptbot
behavioral2/memory/4824-26-0x00000000047E0000-0x0000000004883000-memory.dmp	family_cryptbot
behavioral2/memory/4824-27-0x00000000047E0000-0x0000000004883000-memory.dmp	family_cryptbot
behavioral2/memory/4824-28-0x00000000047E0000-0x0000000004883000-memory.dmp	family_cryptbot
behavioral2/memory/4824-242-0x00000000047E0000-0x0000000004883000-memory.dmp	family_cryptbot

Executes dropped EXE 2 IoCs

pid	Process
3860	Poi.exe.com
4824	Poi.exe.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b976eb61942f5feb72dd43d6b16f0c8f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Poi.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Poi.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1884	PING.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3860	Poi.exe.com
3860	Poi.exe.com
3860	Poi.exe.com
4824	Poi.exe.com
4824	Poi.exe.com
4824	Poi.exe.com
4824	Poi.exe.com
4824	Poi.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3860	Poi.exe.com
3860	Poi.exe.com
3860	Poi.exe.com
4824	Poi.exe.com
4824	Poi.exe.com
4824	Poi.exe.com

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 4488	624	b976eb61942f5feb72dd43d6b16f0c8f.exe	88
PID 624 wrote to memory of 4488	624	b976eb61942f5feb72dd43d6b16f0c8f.exe	88
PID 624 wrote to memory of 4488	624	b976eb61942f5feb72dd43d6b16f0c8f.exe	88
PID 624 wrote to memory of 4764	624	b976eb61942f5feb72dd43d6b16f0c8f.exe	89
PID 624 wrote to memory of 4764	624	b976eb61942f5feb72dd43d6b16f0c8f.exe	89
PID 624 wrote to memory of 4764	624	b976eb61942f5feb72dd43d6b16f0c8f.exe	89
PID 4764 wrote to memory of 3280	4764	cmd.exe	91
PID 4764 wrote to memory of 3280	4764	cmd.exe	91
PID 4764 wrote to memory of 3280	4764	cmd.exe	91
PID 3280 wrote to memory of 2540	3280	cmd.exe	92
PID 3280 wrote to memory of 2540	3280	cmd.exe	92
PID 3280 wrote to memory of 2540	3280	cmd.exe	92
PID 3280 wrote to memory of 3860	3280	cmd.exe	93
PID 3280 wrote to memory of 3860	3280	cmd.exe	93
PID 3280 wrote to memory of 3860	3280	cmd.exe	93
PID 3280 wrote to memory of 1884	3280	cmd.exe	94
PID 3280 wrote to memory of 1884	3280	cmd.exe	94
PID 3280 wrote to memory of 1884	3280	cmd.exe	94
PID 3860 wrote to memory of 4824	3860	Poi.exe.com	96
PID 3860 wrote to memory of 4824	3860	Poi.exe.com	96
PID 3860 wrote to memory of 4824	3860	Poi.exe.com	96

C:\Users\Admin\AppData\Local\Temp\b976eb61942f5feb72dd43d6b16f0c8f.exe
"C:\Users\Admin\AppData\Local\Temp\b976eb61942f5feb72dd43d6b16f0c8f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\dllhost.exe
  dllhost.exe
  2⤵
  PID:4488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Pensato.bmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^AMdmEFpRWoHLUblFdkNexZewMRUenFUCcosLAvruKxxkTVxbxfyMsOKBKfMNLiasgtdMyntUiHaZEQiRbvHpA$" Pur.bmp
      4⤵
      PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
      Poi.exe.com J
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3860
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com J
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4824
  - - C:\Windows\SysWOW64\PING.EXE
      ping SLVJLBBW -n 30
      4⤵
      Runs ping.exe
      PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Impedisce.bmp

Filesize
756KB

MD5
6774e85a5036b42d114e8282731ef884

SHA1
7b8ad37291190fcd1e480e9147351fb0e3aae250

SHA256
b14979b2f71b712761a39bc300835b354c0978549183bb3dedb80cf83b7c6e19

SHA512
aa912ddc77076ac1e1692549954f2e274ab568e56781ffa6e95405e5737b9292a8009f75950a86c9dd897688ec200f10e01afa6e9986daf62652b2730ba0f730

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pensato.bmp

Filesize
433B

MD5
eb6e7349e610ab7d908e00d4bfc52310

SHA1
0f11563101bda294855630a89e8cb660af6a1fb1

SHA256
88e27432de862cfaab0acff8e1b3566c6ba72a1ef79ce106d609ca7789bc8e29

SHA512
19a5ba95f337ad2036b35001ccd2fad581795eddc9263f7500ac393c1eec7f72efb6835144fb08554fde25d6edc927bde31fa68113ca2a2c72f23a87408906fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pur.bmp

Filesize
872KB

MD5
979c40fbb41662ab269cc7385e70872e

SHA1
31161970c8a46ce8cea56877b031f585be647783

SHA256
f10282b85d47762caf80ca3c65e7ce75acef6e4bc3e908d7a06d40c764dfa6fd

SHA512
0495c869e6bf136e577b71ad76bb5b42fb814dd1a7be398e8497ccdf9e9d76f77b7615deab8df08eb06d111a2c9ce4be6a6d5a740573a28e336be24930db108d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uno.bmp

Filesize
634KB

MD5
0fa2eddeaa5114ccbcd6c99a1dc04573

SHA1
27c4658012ee24ee594cae74c04e390ae2d36f64

SHA256
9c01c8ea750915da7e8dccd1f72fcce7a0788568cea75789f6dc628d25285144

SHA512
59ba5d39796f092815c459bd406cac6b64cee8cb4d5363a1b5c74bb428a7e784c2b18727ac9cc65fb8c7ddd3b4a2f08e698f2d6935a50cb94a3764963a652418

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzKGExqrRE40\_Files\_Files\JoinUnlock.txt

Filesize
960KB

MD5
48a6b6389c5765b2aa7475bcd8c74d83

SHA1
25f10f1f37cfd29b3e53bb61aed386a8bd8c7786

SHA256
5a32572f08f1edf52c296244396d3f689640ca0ff62cc93ec51bd64844db8133

SHA512
c860e115745e16bed5dd81cd4eca516cafbe54bf533756810a6bba0e7265c33d2b552c81bee43e37baa4812326bb616660b919dbeb03f26c8d64b8384f73c9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzKGExqrRE40\_Files\_Information.txt

Filesize
1KB

MD5
50cf031d080eef04570e9b27f0663a3c

SHA1
3efcdd2cfb0e911b9584709a65d67b813e0dc891

SHA256
c829c47507f3ebb44e21fee4897bd53491a42577e4f8768eee0525d5d606e448

SHA512
6837dcb2e76705dac7340583e7ba47c1b03168387f793ebba0c88f4edc02b47fdc861898e77bd02538fdf6d07dbd0cae6cad8901432c2d59403e28fd158bdba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzKGExqrRE40\_Files\_Information.txt

Filesize
4KB

MD5
fa2d68c84bcaa07c1a77efd7746d1fdf

SHA1
c02276f2aea66312625c8faeedd625136d1bf5b6

SHA256
9d075292955fe33e1bfd2651cfaec62e0c200fcebb444d4bbffdd72899f0c96d

SHA512
cea456aef83c96346ca1baabbfbd017c2035980e8875216759a0288ea188cc24daa6a47b283be101177a15fcc9c05f6743aa912c9eec70c42c9a74b673a911ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzKGExqrRE40\_Files\_Screen_Desktop.jpeg

Filesize
48KB

MD5
2f6ecf9575372eb38dbfa02ae9cfba78

SHA1
95ef49d06cca16f8adcff3931e86b07298a72854

SHA256
c0de1494922e637f641d7334235655c3ed9cb704fc5fa3257d5aaaddb38d947b

SHA512
dc9d45f65f9bfd7ab559a05fbc9a32c43bfc6bc9546390e28604069c6c866c0fdc56b3ed8a25be48d9705d99c64d686ea20511e06b6a1dfc29e8312001f0d9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzKGExqrRE40\files_\system_info.txt

Filesize
690B

MD5
9dfe3e8a18a0d75bd5dca660827eed53

SHA1
8db136ab70a9ec9c478bba9fade36f528f397659

SHA256
3eddf6c12e8c563d9c24d74d3137868558618bfd247b4030a768eef5ce7fb670

SHA512
4050a28560feee0d3fa3bddf7f01b032d7317b4b64bdabf57378066b8f63e18a90afed772bbaff0007beae3ff4f218a8daed810e0ad2dbfeee779a096574f8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzKGExqrRE40\files_\system_info.txt

Filesize
7KB

MD5
93ceffc75b06b2f7d58c1c5ece01f9a9

SHA1
282d9ff1a36c4b5957b9f4f8f0a34d54fd406236

SHA256
c8fcce320989a9df19ddea09f2986db6e5f6ca3e827cd8310030bd83d2d9d5e8

SHA512
f8efaa48171665e6077d6b2c812606420dd331b11ec96538b9076bc50ba35949f2ffaa84226539dd5d3386d0d74621fd38828ee232653e58f73b790c7745b3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzKGExqrRE40\n0jFEKgwuR5jwn.zip

Filesize
1003KB

MD5
1d2926e71861124f15ef9efed7df68da

SHA1
21d75bdcd130e79e2207d2419f4693444746c370

SHA256
ac84859460281caa6ff658d4b5e8bb17e81e700f5055ed7db686f8bd4132b776

SHA512
48f179e4cb8043060def5e04989f904f2e370d32d4e64d889605d38ba56b88be4f90a813bf737204a6fe49e3a77a6fae2c17b4425aaa1e46800a6a6bd158976a

Download Submit
memory/4824-21-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4824-28-0x00000000047E0000-0x0000000004883000-memory.dmp

Filesize
652KB

Download
memory/4824-27-0x00000000047E0000-0x0000000004883000-memory.dmp

Filesize
652KB

Download
memory/4824-26-0x00000000047E0000-0x0000000004883000-memory.dmp

Filesize
652KB

Download
memory/4824-25-0x00000000047E0000-0x0000000004883000-memory.dmp

Filesize
652KB

Download
memory/4824-24-0x00000000047E0000-0x0000000004883000-memory.dmp

Filesize
652KB

Download
memory/4824-23-0x00000000047E0000-0x0000000004883000-memory.dmp

Filesize
652KB

Download
memory/4824-22-0x00000000047E0000-0x0000000004883000-memory.dmp

Filesize
652KB

Download
memory/4824-242-0x00000000047E0000-0x0000000004883000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads