cryptbot | 360790a458803634b049c75f5a6b181042dc1be365e1d87552a1ea98bbe9f9cc

Analysis

max time kernel
143s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe
Size

561KB
MD5

5e9712e43f7474e4b605e4aead37bde8
SHA1

fd091b56d35d223029680c2d05b229be395d4875
SHA256

152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e
SHA512

be4f79c70ad4eec73bac4e113d633d5f4b03162e22d73202a7f128fe282d5f6cdee8b919a6582bd64f249fdf5140e085e20df5da03bf6154e8b36ee4876b15db
SSDEEP

12288:MxjItJ8d0hh5bNU6IcBas4u50S3p8k3S/eIi:OjIAdC5BIdsp3p8k3S/

Score

10^/10

cryptbot discovery spyware stealer upx

Malware Config

Extracted

Family

cryptbot

basessri42.top

Attributes

payload_url
http://dfgggloadq13.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 6 IoCs

resource	yara_rule
behavioral17/memory/2232-2-0x00000000002E0000-0x0000000000380000-memory.dmp	family_cryptbot
behavioral17/memory/2232-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral17/memory/2232-4-0x0000000000400000-0x0000000004DD7000-memory.dmp	family_cryptbot
behavioral17/memory/2232-5-0x0000000000400000-0x0000000004DD7000-memory.dmp	family_cryptbot
behavioral17/memory/2232-222-0x0000000000400000-0x0000000004DD7000-memory.dmp	family_cryptbot
behavioral17/memory/2232-223-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral17/memory/2232-1-0x0000000000400000-0x0000000004DD7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2232	152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe
2232	152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe

C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe
"C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\ZVnrdjpyWA.zip

Filesize
44KB

MD5
823d9c724183d7f44f7929813dec7d73

SHA1
a2dd0b12bfa58b33dd5fc21a0a6ac80d996ad3b7

SHA256
78013ddc9d38b6129b9fffebf585602161cdf2bd7d5fffff360515c857ea9e0c

SHA512
bd1f5d80d6550711e0038df794ff5fa60218d1e69f1c059cbfb9e220aa353f17e5010252619066537c5cbeaad89bb7f55af7e228c56f8ebd53e0370aa50e1620

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Information.txt

Filesize
1KB

MD5
caed8140308f2f9b672591aa068b4a3c

SHA1
239432832f5a7adcb5a0b62c87a6a5d9ff19825b

SHA256
be9a3ae568cff174a79789c8f9c5a4b6212cf1f13172b378af57702d8492b3b9

SHA512
7c36417e70d60a68ced74867a86cd9069af9c13d5bf95f6cd596de0f6c4e61f50b999a57a50d2ca691e2811846f9f77340b74687cda6d6fb6b12234b435f8cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Information.txt

Filesize
3KB

MD5
6d2e0a1b75e53207b8f414673db7deb8

SHA1
19be3d07c71d1ef51e77ecac738767b4d1101298

SHA256
bdee07fbc4a865cfb4a61d681467a36b44c56418f8a117627b676d9aec7358fc

SHA512
f7d0c5f6764698b8cbc152c1b157b760d5e58cd7844820cd5f5709b6d73b48fd26fbc093124cf8f42d6c265a6654e8a972bf7e3537dde7a95b9406d18f301028

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Information.txt

Filesize
3KB

MD5
5bb5750146e910367ef481661b50c47f

SHA1
8fd675fabd66780d6e29376c993499376612fab4

SHA256
f69ded66892f3e8e6a7f042bd492b07fdb5b2b6e4716fd9711e21bea7c72bf75

SHA512
f0d63db64811c1abe54c8490b81370c9f925bdb0bf56946c11393e8daeb819de14f3e63ef1135e3f029b03cfcea864f870e1e526177528296eb1c5852e04b8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Information.txt

Filesize
3KB

MD5
f994df90cee0dcb836aa1910f263ec15

SHA1
3a0b90804a5c79a952e0677c9e28a04966df3fdd

SHA256
db120ea7c45777239e76b0dd165d6676698bc2e1976523d4071760828fca1b72

SHA512
64365633b031444f9e2f214974a9c34825c656f12b96b2ff331c129b59b12dc7e8c79d7099e55742085809bf504e6678fda1b13089b128c9ad4bdd9968893738

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Information.txt

Filesize
4KB

MD5
5cac59a9d3e3ac4138b3f353a2675d90

SHA1
e43c74dcd13ce81bfbf294b888bf51761c61bc3b

SHA256
81e6d3922db75a7312dff543dbfa3a9bd2b0c9666cc7c0d48e936b856f7515fd

SHA512
714a07ea41d079c000a8d4e61b219a84c35b12ebe397842d6c63429bf59e3645fde6182829ba4cfd51b7937768609afb1aa6b1fb36b47f9d1a16c1c14a0fa0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Screen_Desktop.jpeg

Filesize
51KB

MD5
1a97e97e8c6302d155d7197f5b74d13d

SHA1
625e6b92de999741ec3a83b77a89937b67a7b364

SHA256
c0265ac446049b2a210cfd2eb9c50d86871726c55f11d795330fe0d6fa2492b0

SHA512
e639e5668e06adbca6bb4dfe94da86b35ec8e7dfbdf99337c5d48e36b5c0f7c4e7600882899936c4b01c63d76d893a2e623f639acf0cdde614c88af3c78ad760

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\files_\system_info.txt

Filesize
1KB

MD5
51f9f3112b0b8d38722d4132e532a8aa

SHA1
7901bdba976b400b8033d0a6956e4054ddf06829

SHA256
e9b13bdb1700ee35e663f9cdf950ccb30da37df756b74deda8293b67714c435f

SHA512
e090fb727775275c4e8d60e491f2dc204b48102f843f24a741a9cf17e5ab40e9c6be4ab96cf871976cc8abbb4154b6d609585faf930d699c8b7adea161210aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\files_\system_info.txt

Filesize
3KB

MD5
668134af186ccb6337f0971d711df5d8

SHA1
c9121cd7abefba115908e80375304f0eac7d82d9

SHA256
e69e3c424bfd635f4e57396df509b2cd06394828cb7bd24521056c885da62b4b

SHA512
db1f727dc4ce39181b40fc99371fd5e784640ef8577cd6e77986773d3305c4bae5d36373be8c2b06fa176dbd762835dda46e024c94767dd454f4e8e6c4a9dcde

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\files_\system_info.txt

Filesize
3KB

MD5
156db86b04635e91034410a98ae4762d

SHA1
0ee5c8a0a89cbf8ba7b4cd9039944566f217ca0b

SHA256
07ce4c37d2c65ff857039a58e50a71b5e328f3c59fcb275d97983ada6743fecc

SHA512
cb3b10692456134ea0a6156bbaf6ea9314967512b9c1fd3d59a8bdb9e136d02c4813a0a262871c313b658096b11257d789143ec974bb0170b23b177e8a8167cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\files_\system_info.txt

Filesize
4KB

MD5
6979364f6fbcf39e786b59b33f725184

SHA1
fd56af67f4f0c5f40483553b7fc9ebcae35ab9a5

SHA256
45fe741cb4ba3c53d4241aba8445b2140a530bad5e64ce1bfe328789a2dbd0c3

SHA512
558a7b61040e34611874ed18d66f6ef53f643b2bd9b1cfc8ec7cb68028932640ffc7db54e5e61d099ab8625384b238b7b0487ee11bc4ef105fffc3ef1a209a91

Download Submit
memory/2232-5-0x0000000000400000-0x0000000004DD7000-memory.dmp

Filesize
73.8MB

Download
memory/2232-1-0x0000000000400000-0x0000000004DD7000-memory.dmp

Filesize
73.8MB

Download
memory/2232-4-0x0000000000400000-0x0000000004DD7000-memory.dmp

Filesize
73.8MB

Download
memory/2232-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2232-222-0x0000000000400000-0x0000000004DD7000-memory.dmp

Filesize
73.8MB

Download
memory/2232-223-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2232-2-0x00000000002E0000-0x0000000000380000-memory.dmp

Filesize
640KB

Download