cryptbot | 360790a458803634b049c75f5a6b181042dc1be365e1d87552a1ea98bbe9f9cc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe
Size

561KB
MD5

5e9712e43f7474e4b605e4aead37bde8
SHA1

fd091b56d35d223029680c2d05b229be395d4875
SHA256

152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e
SHA512

be4f79c70ad4eec73bac4e113d633d5f4b03162e22d73202a7f128fe282d5f6cdee8b919a6582bd64f249fdf5140e085e20df5da03bf6154e8b36ee4876b15db
SSDEEP

12288:MxjItJ8d0hh5bNU6IcBas4u50S3p8k3S/eIi:OjIAdC5BIdsp3p8k3S/

Score

10^/10

cryptbot discovery spyware stealer upx

Malware Config

Extracted

Family

cryptbot

basessri42.top

Attributes

payload_url
http://dfgggloadq13.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

resource	yara_rule
behavioral18/memory/2904-2-0x00000000050A0000-0x0000000005140000-memory.dmp	family_cryptbot
behavioral18/memory/2904-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral18/memory/2904-4-0x0000000000400000-0x0000000004DD7000-memory.dmp	family_cryptbot
behavioral18/memory/2904-218-0x0000000000400000-0x0000000004DD7000-memory.dmp	family_cryptbot
behavioral18/memory/2904-221-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral18/memory/2904-1-0x0000000000400000-0x0000000004DD7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2904	152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe
2904	152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe

C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe
"C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt

Filesize
1KB

MD5
4f34cd42994b5c03d5f7f5fa024cc9fb

SHA1
ef482103e1b02784d0d55d8f8f957ded0617577c

SHA256
fd6fb484aa07a17c64f2edf023d3256aaaa79051adb141f509188f492a14fa61

SHA512
68055bf6c1b2689ada13297ae7dbf9beb5cb41e357b0d50563d7e3750bb1bedbf5fb344d3ab2e06f2ff727050cadba24aa4b5b549f4c5c41ce4dc9754a68b24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt

Filesize
4KB

MD5
b144cc96952701c0dddfdd49dde7fbfc

SHA1
183002c04e262e0386550420952d0191ac47d51a

SHA256
03b58903a31f9781d2b10a7df019af3d099078df20e1ad6dbb610d8bfbbcaee4

SHA512
3d1fc5188bffd5116e9ddff2902a451b49d8a8ed211c03d32a5d3161f931e0b4a26bcf0f9072d772769e750fae1479976e003e49f86ecf6459962503503a1a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Screen_Desktop.jpeg

Filesize
47KB

MD5
2da7eae9db1b714813c23bafdfa8ebc2

SHA1
ad43e12a09359193120d52b4c4baf981265c431c

SHA256
fbbbdc8603f484f4c2dea195c961c3e41ef1da404201c56251d540010999c760

SHA512
ce93e1bc00cd9c0e6392ce90cb7b50f66dd84a593f70fe37758b672fda56648a132ede3befe5867a71afbae96e518fec129c10fca54003c33841fa9ac4a5e349

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\exUqUje1EIF.zip

Filesize
42KB

MD5
dcf742f59f682b0a887d35c096b0dda8

SHA1
23e414f9a246d0753d19a76bb6a70a20b89155f0

SHA256
fdb53e98c405c6ba32105fe63b3b03e2991a4d85bb344a55876af105306c1c3f

SHA512
6f02bae33b61d15f4241e7162ab7bf4a64710657d3d62c603e286aa6468884faf7e13ec6c813021ba18a9ba05dea602b1f2b3a7c587722ee118cb29c7b7b8620

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

Filesize
1KB

MD5
0b7047eae4da8d0e423f359d4dab4d1d

SHA1
27d5feeb1fe3418046a3ad85b0b03fcaa24b9043

SHA256
553a539fbac287e44cc689f05b38101384ffaf260bd8f431782bcec1f4a46fa9

SHA512
16f2e7921b9cd7880546832118219e9e3d2de8ea5c44d8b750e8c4184a754355407206f47d80f3464ba0ca9753bd9c1fbd460828c13ae8cc29aa6773b3618993

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

Filesize
5KB

MD5
200ce97704f46bb88798b680df10a826

SHA1
75276cc13ffed8d1e99fa4a094773234f886b84d

SHA256
d56b9aab4961a26ec243e0d0409f00b7f1606896c39e14bea3da55619b7a9417

SHA512
b34a0ffc2cbe152526560d3d53a84d71fbce6eaa7dfd041b7d3021670213c99196ea1463813cec14d327d2bf16cc2978fe6d0e180c7ad21f60afbc4c09410f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\jVtKZ23rKJi6.zip

Filesize
42KB

MD5
dbd391e36a6c60c1d1359bdb56bbb327

SHA1
0faef71e451f94d61fff0d6952a96606b3f4ec75

SHA256
a3187ca57bb20442691aef856c86c1c9a70e6ff3e20970f0a751ef4aaa5caeb4

SHA512
0cad32ac080ba6655beca58371658addb22520035d87f521c9b6186ac7a4fa0cf957bd5d3a1820ebd307a1523bdc38a7220035ab80aede090c50673381813431

Download Submit
memory/2904-4-0x0000000000400000-0x0000000004DD7000-memory.dmp

Filesize
73.8MB

Download
memory/2904-1-0x0000000000400000-0x0000000004DD7000-memory.dmp

Filesize
73.8MB

Download
memory/2904-218-0x0000000000400000-0x0000000004DD7000-memory.dmp

Filesize
73.8MB

Download
memory/2904-221-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2904-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2904-2-0x00000000050A0000-0x0000000005140000-memory.dmp

Filesize
640KB

Download