cryptbot | 7ef4fa243476257544a992beb265e6f26ea3a3f439488d27bd9700cae2199ae8 | Triage

Submit
Reports

Overview

overview

Static

static

1

ecb1af6d6c...18.exe

windows10-2004-x64

Sharing

General

Target

ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118
Size

1.6MB
Sample

240411-fc85aafg4x
MD5

ecb1af6d6c9818c93ffb5c9a54ea9a8a
SHA1

c74e20b6423d7536429ff8593c45ab6b999e473b
SHA256

7ef4fa243476257544a992beb265e6f26ea3a3f439488d27bd9700cae2199ae8
SHA512

4f5f1276b260face9b05a1c51eca4ec2d277303ffba6208ead7ed901299555705de8b50cff4dca4f2bd874d756e41a813503943c415e528d28607327b079037d
SSDEEP

49152:1YNosFaoyKxdY4nT+kWQZQtZOby7D/YPBVQ3IBbiLoSG:1K5a6dJPWQQtZO2PmBVQ3I1iLoZ

Score

10^/10

cryptbot discovery persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe

Resource

win10v2004-20240226-en

cryptbot discovery persistence spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

cryptbot

Attributes

payload_url
http://ewsjasew03.top/download.php?file=lv.exe

Targets

- Target
  
  ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118
- Size
  
  1.6MB
- MD5
  
  ecb1af6d6c9818c93ffb5c9a54ea9a8a
- SHA1
  
  c74e20b6423d7536429ff8593c45ab6b999e473b
- SHA256
  
  7ef4fa243476257544a992beb265e6f26ea3a3f439488d27bd9700cae2199ae8
- SHA512
  
  4f5f1276b260face9b05a1c51eca4ec2d277303ffba6208ead7ed901299555705de8b50cff4dca4f2bd874d756e41a813503943c415e528d28607327b079037d
- SSDEEP
  
  49152:1YNosFaoyKxdY4nT+kWQZQtZOby7D/YPBVQ3IBbiLoSG:1K5a6dJPWQQtZO2PmBVQ3I1iLoZ
Score

10^/10

cryptbot discovery persistence spyware stealer
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- CryptBot payload
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Executes dropped EXE
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Subvert Trust Controls

SIP and Trust Provider Hijacking

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cryptbotdiscoverypersistencespywarestealer

© 2018-2024

Terms | Privacy