cryptbot | 360790a458803634b049c75f5a6b181042dc1be365e1d87552a1ea98bbe9f9cc

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe
Size

583KB
MD5

7caf6ef7a1c22e7fc0b86eeacde90877
SHA1

1cd4567a334a9c07ba4eb6bda810523be182cf88
SHA256

0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd
SHA512

0aa4a9b3958ae519d5cf6e1e1080afbe515c009c2a18b923742bb213e892972a741d4a48190c46f992514c405e4bc0ead51501d057519e665f1a6a4ce15fe0cf
SSDEEP

12288:VynawiFoPmL0y5zWGFF6O7+d36xY+6KMKo6RUZyhj6wX6+N:VynawBPKRFEO6tuY1JBZmrX

Score

10^/10

cryptbot discovery spyware stealer upx

Malware Config

Extracted

Family

cryptbot

basessrb23.top

Attributes

payload_url
http://dfgggloadt11.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 4 IoCs

resource	yara_rule
behavioral11/memory/1032-2-0x0000000000400000-0x00000000051B5000-memory.dmp	family_cryptbot
behavioral11/memory/1032-111-0x0000000000400000-0x00000000051B5000-memory.dmp	family_cryptbot
behavioral11/memory/1032-219-0x0000000000400000-0x00000000051B5000-memory.dmp	family_cryptbot
behavioral11/memory/1032-221-0x0000000000400000-0x00000000051B5000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral11/memory/1032-1-0x0000000000400000-0x00000000051B5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1032	0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe
1032	0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe

C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe
"C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt

Filesize
8KB

MD5
3c81f4967fe17a60d3fbcbd075449acd

SHA1
e5791f78ec603b258d1b17864474a99efd3c64c6

SHA256
16dbf784f691381515871ca443c821e00c3f969cbf55690d9f4cc3bd2160a805

SHA512
21d85aa5a0000470a8bc81343fb4b3488ccc2f6a62e6415f9f65850304b94779ccd9267d73c582fec00e58ca824bace7ee67d7833819c7df7c929917975a9d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Screen_Desktop.jpeg

Filesize
46KB

MD5
0ef4cde8862b5c23f8c1e0a14c362d08

SHA1
9904baef689e5d27f0d4e1aeff5e1b8cc6d1a656

SHA256
b061ebe8ff240f3bbde80d1b3ebeb0ef891be61a2c6a3cf49a3da04dd964050f

SHA512
01d39e31f7c96b5adc2486d076308d37541aabc08f29158800476a6e51737fdc53f4596cf58113e8690bee63a77a597d5316ed89b11d79bbdf51c6ee34d52591

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\exUqUje1EIF.zip

Filesize
39KB

MD5
09c6f936b2f4c6c423cb6ddc96885fa2

SHA1
0a290165c493ca398e5b7be7f850ca98ea966c98

SHA256
9074a7bf5d33243e6db0bf9decce39a84842123c7b3b386455f050ca35cb1930

SHA512
553edb8e3f257b878431f3c0c892bbdd288021f335ecd6b59c71a43baefa1301a263034a38f2b521ec8b16cec43432f69f3752030cf02210e125a03e7e2bf52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

Filesize
8KB

MD5
996205af5187ae51df2c89d5e78e5f3d

SHA1
1786978860f407adb48a30fc973fbc7210f19060

SHA256
ce687913e7ef01efeea0927fa051e2508dcea54d3e93a42c02ae9bf56b4163ae

SHA512
9bacfb28693c23631a8edde772fdc39a4dc52324e99bf4c003f1ee0476a3e82cda820e3bde5de9b8e3c0c015805354db1eaa57a21321110c4e7210b27f02c43f

Download Submit
memory/1032-1-0x0000000000400000-0x00000000051B5000-memory.dmp

Filesize
77.7MB

Download
memory/1032-2-0x0000000000400000-0x00000000051B5000-memory.dmp

Filesize
77.7MB

Download
memory/1032-111-0x0000000000400000-0x00000000051B5000-memory.dmp

Filesize
77.7MB

Download
memory/1032-219-0x0000000000400000-0x00000000051B5000-memory.dmp

Filesize
77.7MB

Download
memory/1032-221-0x0000000000400000-0x00000000051B5000-memory.dmp

Filesize
77.7MB

Download