cryptbot | 37592e4c0b1ed1f83461dc3c76091a60a76bd527026ee5563bc0ea7da02771f5

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

2.2MB
MD5

5eb17e5dffb7b83860fd650aa83d287a
SHA1

a94f2e71df2d64c2a183355c04660c485c7bd35b
SHA256

7fedad524e84d0d632b6cbf7ce6203531ef113894a0f78539ba41752c955e287
SHA512

8aced1ecc6936e91a1332aafedac23b630a86a107bddfb7e1bc6553cefe7ed2b26b869f0043f02fe28476044c742212c80d03f45324df43c7d5f2e47c7f95069
SSDEEP

49152:RuVVoL/ZQ5oKxqtzDg5t0F6bEM/VcJLY7N6uNr0sJRCFhKqhQNY/f9sZfi/ZqAv:Rzy+PIt1Es+LY7guNginN+f4fi/ZqAv

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

biss03.info

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	Setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1708	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1708	Setup.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
1708	Setup.exe
1708	Setup.exe
1708	Setup.exe
1708	Setup.exe
1708	Setup.exe
1708	Setup.exe
1708	Setup.exe
1708	Setup.exe
1708	Setup.exe
1708	Setup.exe
1708	Setup.exe
1708	Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IKk45ury\47283761.txt

Filesize
148B

MD5
c672c5ffd1a94b729484cc279d2a8a93

SHA1
3e3ce8ad41d3ffe36d461a21ded8fead5d11e88b

SHA256
087e2c68049f6d81393d62c9fbca232111ec9e0411f5cc9ab1e718475581eaea

SHA512
969821c1ea8ae7b400e0e603326a3eb76ad22c21572a12b34e50f97f174f53456e937872c1a5980f7401d702c56c00ec0c5fa4d9cdc38b7d2c6200037f12aae3

Download Submit
C:\ProgramData\IKk45ury\Nh3JNemNf.zip

Filesize
42KB

MD5
7c39497a28c20725409a7c3a055ce8ab

SHA1
ecc0c2fe6ebfbce03933ff46a89e828c31a4b44a

SHA256
038a5f0585c80aad17a0688f4665e4ecada19dac8683044cf704fbf422bfef09

SHA512
609409361d9d43f1e1d7bde7bc71736bec85dcbdc674d6f0bbc204522e208bc3543076d7bb9f59e6f1313f2939ef693e94e44ee74783f926f1b7c1d0d1623368

Download Submit
memory/1708-50-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-78-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-6-0x0000000000391000-0x00000000003F0000-memory.dmp

Filesize
380KB

Download
memory/1708-5-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1708-4-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/1708-17-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-52-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-18-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-21-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-2-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/1708-42-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-40-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-47-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-48-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-82-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-14-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-3-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/1708-53-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-55-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-1-0x0000000077C70000-0x0000000077C72000-memory.dmp

Filesize
8KB

Download
memory/1708-57-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-59-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-62-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-64-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-66-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-69-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-71-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-73-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-75-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-49-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-80-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download
memory/1708-0-0x0000000000390000-0x00000000008D6000-memory.dmp

Filesize
5.3MB

Download