cryptbot | 37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b

Analysis

max time kernel
145s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe
Size

7.1MB
MD5

4e727fa44f217c2ff6317d48e04b8ee2
SHA1

1e69bae37d222408dc0764e0b1f02235cece6e16
SHA256

37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b
SHA512

5a7ae5fb1c1bf37f388e34e2416a21bb9880470eebf4e7e8119966a25c0c2c2317c2fcf538f51c4cc318670076e4e11b8b3f5a43c6ccef4f4d966a94579af3f9
SSDEEP

196608:ENbjuEpiQTj6V0teQZ/zy61OGpaeTyK/YQnDORN8:CPuEpmEJ5z5Om/5Dx

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Detects CryptBot payload 1 IoCs

CryptBot is a C++ stealer distributed widely in bundle with other software.

spyware stealer

resource	yara_rule
behavioral1/memory/1644-31-0x0000000069CC0000-0x000000006A377000-memory.dmp	family_cryptbot_v3

Executes dropped EXE 5 IoCs

pid	Process
1604	VC_redist.x64.exe
1644	VC_redist.x86.exe
2604	service123.exe
2036	service123.exe
1844	service123.exe

Loads dropped DLL 13 IoCs

pid	Process
1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe
1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe
1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe
1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe
1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe
1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe
1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe
1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe
1644	VC_redist.x86.exe
1644	VC_redist.x86.exe
2604	service123.exe
2036	service123.exe
1844	service123.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VC_redist.x86.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	VC_redist.x86.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2688	schtasks.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1604	1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe	30
PID 1764 wrote to memory of 1604	1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe	30
PID 1764 wrote to memory of 1604	1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe	30
PID 1764 wrote to memory of 1604	1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe	30
PID 1764 wrote to memory of 1604	1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe	30
PID 1764 wrote to memory of 1604	1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe	30
PID 1764 wrote to memory of 1604	1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe	30
PID 1764 wrote to memory of 1644	1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe	31
PID 1764 wrote to memory of 1644	1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe	31
PID 1764 wrote to memory of 1644	1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe	31
PID 1764 wrote to memory of 1644	1764	37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe	31
PID 1644 wrote to memory of 2604	1644	VC_redist.x86.exe	33
PID 1644 wrote to memory of 2604	1644	VC_redist.x86.exe	33
PID 1644 wrote to memory of 2604	1644	VC_redist.x86.exe	33
PID 1644 wrote to memory of 2604	1644	VC_redist.x86.exe	33
PID 1644 wrote to memory of 2688	1644	VC_redist.x86.exe	34
PID 1644 wrote to memory of 2688	1644	VC_redist.x86.exe	34
PID 1644 wrote to memory of 2688	1644	VC_redist.x86.exe	34
PID 1644 wrote to memory of 2688	1644	VC_redist.x86.exe	34
PID 2012 wrote to memory of 2036	2012	taskeng.exe	37
PID 2012 wrote to memory of 2036	2012	taskeng.exe	37
PID 2012 wrote to memory of 2036	2012	taskeng.exe	37
PID 2012 wrote to memory of 2036	2012	taskeng.exe	37
PID 2012 wrote to memory of 1844	2012	taskeng.exe	38
PID 2012 wrote to memory of 1844	2012	taskeng.exe	38
PID 2012 wrote to memory of 1844	2012	taskeng.exe	38
PID 2012 wrote to memory of 1844	2012	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe
"C:\Users\Admin\AppData\Local\Temp\37671a3f18319af486ebfd7d1861d335056ae458df383312413590aba4e1e71b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\service123.exe
    "C:\Users\Admin\AppData\Local\Temp\service123.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2604
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2688

C:\Windows\system32\taskeng.exe
taskeng.exe {87169A6F-759C-4C3C-8F2B-BC2595BF6660} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe

Filesize
24.8MB

MD5
d4e9110a79a775bab4fae156188884b3

SHA1
49d807fe50e30d9fd53954d02a4366f0a5c884d2

SHA256
6c3cf7fb373bc44421009cf2f651efe5ba589b59884f33b3a5e0351729fe8cef

SHA512
a14c04f33e29b6335223eb2ae8d9efe041d5ba5c994bc9ac338f1132ec39256873501a65bb43704118399946e592030f0cef4ed523d86c55d63097294af6182b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe

Filesize
7.2MB

MD5
52cca4535026d44d04230373590f57fa

SHA1
10c8b3e51a71d8adca731b985c34163a320b32c4

SHA256
ac35fc427952d4a283f69a51c9a166e61bc72072177f6aabbee5a62fe9ece2a0

SHA512
54233882c2a8e7ed26d649527739ff28be185e8b0f62e66addef28a1638a0ced3614cb2d86a7691bf32f985541cd8674644b128e135f6bf7d5258a55c1336c41

Download Submit
memory/1644-31-0x0000000069CC0000-0x000000006A377000-memory.dmp

Filesize
6.7MB

Download
memory/1644-40-0x0000000000C30000-0x000000000135E000-memory.dmp

Filesize
7.2MB

Download
memory/1644-53-0x0000000000C30000-0x000000000135E000-memory.dmp

Filesize
7.2MB

Download
memory/1844-74-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2036-59-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2604-60-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2604-61-0x0000000074A70000-0x0000000074BA4000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads