cryptbot | 360790a458803634b049c75f5a6b181042dc1be365e1d87552a1ea98bbe9f9cc

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08/11/2024, 06:43 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe
Size

529KB
MD5

87ffa76ae480b1845120f7fbebe5f331
SHA1

27d0003fa504b69e89e4fe6bd9972d0924cbfd14
SHA256

18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a
SHA512

c19f13f5885fe5df81faaf765670058a14824f90b4d81ec5797cf6d4607ae11e4f7ee905ed3d1f7c2ecaae95d447929fe61f2b429308fdf0a95621351ddf3964
SSDEEP

12288:D69HG69f5XZgJBnvqxRbTtJhzqbFnoeZX/b9uXnTxZ:DUHGQf5iVva9tWbFnoeZPJuXnT

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

Attributes

payload_url
http://serfrloadg02.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 6 IoCs

resource	yara_rule
behavioral19/memory/2384-2-0x0000000000330000-0x00000000003D0000-memory.dmp	family_cryptbot
behavioral19/memory/2384-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral19/memory/2384-4-0x0000000000400000-0x000000000052F000-memory.dmp	family_cryptbot
behavioral19/memory/2384-222-0x0000000000400000-0x000000000052F000-memory.dmp	family_cryptbot
behavioral19/memory/2384-223-0x0000000000330000-0x00000000003D0000-memory.dmp	family_cryptbot
behavioral19/memory/2384-224-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2384	18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe
2384	18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe

C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe
"C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2384

Network

DNS

needioerw02.top

18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe

Remote address:

8.8.8.8:53

Request

needioerw02.top

IN A

Response

No results found

8.8.8.8:53

needioerw02.top

dns

18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe

61 B
131 B
1
1

DNS Request

needioerw02.top

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\PqzgshgUs0Zbbb.zip

Filesize
46KB

MD5
01ad1027365ec4287b2c94507e1d356d

SHA1
17f9011712436049a8bf335236a3f526c0ded702

SHA256
b710a091cd3aa96d96f21d2d8bbbafb1afc3fc73d057ffdf52d6da20098289d6

SHA512
c548b83331449e4cb84a5bf123432cfa81267c8a344f10c6637fa504dd84570bc116f9fe4721e9df8e8080b3e0130cf28c31f57f19c0bc2f7103b871418e0b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Information.txt

Filesize
1KB

MD5
18d99c15a942305d365644b7096536bf

SHA1
ebfc71778058be4f2a9cf830bf508e5caa5276e6

SHA256
babba0c95aca5d8db0dd7268e0b3cb64e1741b863bef12af2c629a66c747dcf9

SHA512
51b91bfc3e2204c98455d6f6c0ec3b02e4d82e2132ec76816001258c693b9b7345d38768e40aa2961fb966d7581f5cb7eecdbf29e6b71800b6a20bc710553484

Download Submit
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Information.txt

Filesize
1KB

MD5
6a7f92aeee653fef9b57efcfd7d6858a

SHA1
8c5d9ce1fb39e28b45955947c8653a968289df23

SHA256
cdd3624b078791b5f7a5fc641321e00e0b0e73eb0e75affbda4b36a3291e9ebd

SHA512
285388ebbe319f57435aa5af3dc43a6e2dcb32da20f0a689dcdd5369ef8c1d02814fa387f7c4127d1470fcf194571565527927295034741bbd0917a1338c4257

Download Submit
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Information.txt

Filesize
3KB

MD5
52f7b2b35a69df44f087f4bec9279ade

SHA1
84f4b4c4309e72056a245e6c317cf8d26534de79

SHA256
fda44806b4a767c04fd6e19ea21b745903cddec70a1d2c4ecf780cadd19d30d4

SHA512
eb4dfeeebc256a34e1a03da6f701ec62400e6a4883504ac8d6d7dcc377dc16b364bbf0339c03b594234d93129aa4c8a887fb8e9698c71db651db9bffaa9267be

Download Submit
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Information.txt

Filesize
3KB

MD5
2c2243754b6e094e555171cfa7f8c182

SHA1
9a8318129aa5c6020f1bf0b5e9632836ad794c65

SHA256
6c8683f31246753b7fdc8986d310ac21d94c0f5bbb3051952e407e28d5411d0c

SHA512
621a4315447504e81f9f85a6db1e1d06b0f9efb9922b3fdb1b4b1638192c55bcda69593e2e345b44fabcff6853eeab7ec0b6c2878e9e8ea7437b75c3e5d630f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Information.txt

Filesize
3KB

MD5
ce90c1a56f2070dcd505a86ed389f362

SHA1
f6dcdf514e27622b69a1fe445253caa234c92eea

SHA256
050651927e053313415d7a597395ac5257f67aefed671b770a08a2d0cc5a3300

SHA512
39b213a1147542521c446a2b30e2db901552251363d92abe4e5bac096b1667ce4a08b8a273f1ef20d5e82dd566252406deb4c4417e782b1fde10ee35c5d59a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Information.txt

Filesize
4KB

MD5
8ba855105258074ed53d37236e71e883

SHA1
61f14eec58833f1016ec1a1218222cac3227af70

SHA256
2ee72b1afab3e45e17fb608f710a0140727cceafe267d5c086cd4d1434337594

SHA512
9ecb2c4203bb621699fb63c2047e50c67ae62a6fb3010c65f6f490a8ffce7711734498d318439fc693df9c585958a99303e82c4eae268a6692617d2fa3578bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Screen_Desktop.jpeg

Filesize
52KB

MD5
5c500e7454fa77bc4021366d532c3b5b

SHA1
b6980902d5a3044826ae81da60aaf552f4323744

SHA256
45d0a65f4d9327beaa0fadbb94c0dae496ac04c4bab9bddc36f32b6025037054

SHA512
3f2f633969153a63ba6b45e08fc0f22c0cdea72207236817db8c23f05b9094b5de081f0b8c2336b63d782c339b1cc01ec9dfe82b79bff3b6540ba274ede3c222

Download Submit
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\files_\system_info.txt

Filesize
1KB

MD5
819d03116b40b99128f06c426d3bb70f

SHA1
900259dfd7610bc922fc1e4e83fa4a0e61f6782d

SHA256
7d7e30282273bec84b7c9c07916ac27b42b42b43a3701137ef310dfd3b20eda4

SHA512
4024467b131b0fb66355ad1019d14f79616b34fe2d5cfc843d7153dc8743910779ab5d0ce1cffe69dad8f387ad1455d041c467c59db29bdc21c63b813fabb916

Download Submit
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\files_\system_info.txt

Filesize
3KB

MD5
d6fe7c3262bc630bbd8def3b8e0486ef

SHA1
4b88227042b397c5636dcc0b32ea90555000e709

SHA256
f090c2d2c12f41aab3ba1f5d50d7e3699f20ca8305f405caa4c1d73fdc36cc10

SHA512
5338a2823df94d5b521ae93d35879c910629fbdfaa216839e507a010744799b0b3727c47228573fe691b71f778cd0cba0c4b6ef9f6b00fd46f8581d4fa644d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\files_\system_info.txt

Filesize
5KB

MD5
01701dad40619754872284517acb82ac

SHA1
b63c004eeb258a9a9f57f542493a6d6afa625e74

SHA256
274d677e8c2afe4f8048d93a6357abc09752848c68fcab096cba3f79a3d16b34

SHA512
46ab290186d22fdbcb7d162ac698060e1401f7fd11963b9cf715d3f062e193454433cb98a98888ca139f5f8001db18c6f801a793950acde1f588f8ca30b5284a

Download Submit
memory/2384-1-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/2384-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2384-4-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2384-221-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/2384-222-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2384-223-0x0000000000330000-0x00000000003D0000-memory.dmp

Filesize
640KB

Download
memory/2384-224-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2384-2-0x0000000000330000-0x00000000003D0000-memory.dmp

Filesize
640KB

Download