cryptbot | 360790a458803634b049c75f5a6b181042dc1be365e1d87552a1ea98bbe9f9cc

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe
Size

529KB
MD5

87ffa76ae480b1845120f7fbebe5f331
SHA1

27d0003fa504b69e89e4fe6bd9972d0924cbfd14
SHA256

18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a
SHA512

c19f13f5885fe5df81faaf765670058a14824f90b4d81ec5797cf6d4607ae11e4f7ee905ed3d1f7c2ecaae95d447929fe61f2b429308fdf0a95621351ddf3964
SSDEEP

12288:D69HG69f5XZgJBnvqxRbTtJhzqbFnoeZX/b9uXnTxZ:DUHGQf5iVva9tWbFnoeZPJuXnT

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

Attributes

payload_url
http://serfrloadg02.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

resource	yara_rule
behavioral20/memory/3140-2-0x00000000007B0000-0x0000000000850000-memory.dmp	family_cryptbot
behavioral20/memory/3140-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral20/memory/3140-225-0x00000000007B0000-0x0000000000850000-memory.dmp	family_cryptbot
behavioral20/memory/3140-224-0x0000000000400000-0x000000000052F000-memory.dmp	family_cryptbot
behavioral20/memory/3140-226-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3140	18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe
3140	18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe

C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe
"C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\LaZuGlRq.zip

Filesize
505KB

MD5
22b3b5ba3d06c347e128e8e231db66ff

SHA1
c87b20261cb0852c52c061caebd6e49d31e2c6c3

SHA256
e958945142fedafaeb6e46bb49a5d48153fb103d19b8b2be147750f254ae2793

SHA512
48a4402c87273ad6f2673745b67ea124f7a4ba24d72b9e8c4f77eabb76df93574353cdfae3f03b329e518164dec906d7a7bea61052cd9516955d8ccb2aab66ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\_Files\_Files\CompressWait.txt

Filesize
459KB

MD5
09f79ca4b3356d9c5c4589bde59ca492

SHA1
6502ecf4baac9259cd2cca6cb46289f0d8bb3f16

SHA256
6445e7509d43af45301f7c11821c4c4e44399111e51e532fb2ed690de95df4ce

SHA512
4f0ba86d6ce417700b1cd1e886da6d197eca9755a152e1a8b0d764dde020f678c7efecef722d00c1b2ae6f5a563fc6392aa328d981631467dd1148a46ed27dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\_Files\_Information.txt

Filesize
7KB

MD5
608bfa1d367daf50d0cec2d64e9962f2

SHA1
a0362210804130a0f1fdbd725796adf0e270beff

SHA256
0f48e960b2f1fa7c749cf1c29515393bd2659efdb4542794bc4a6a37a96cb471

SHA512
a1b96371ea83be0d748a89d300d2cee0416cd6dec0e71c220feb33b3c06e6e5dc73c9cd10d1e04bcb9bbb3c134bd761da6fa01e3e2e50027898cbceee421222c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\_Files\_Screen_Desktop.jpeg

Filesize
51KB

MD5
dedcde8de4b6b64bd0f5e371ff3c083b

SHA1
87e7d0839cfc9b33640c1732a576a78ac1e94a92

SHA256
f13bd39c581362fcd9eaaf978c1527f535e38d5d4ea39ceb7ce4df92a643508c

SHA512
7e6771f1bbdb382570936b851b682dc726f9d37670b45453f2420db60e170706e0a563a6ce91f5a4bd39f37dba8a297e0396c21f0feb3c95e67ce02828c7a366

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\files_\system_info.txt

Filesize
2KB

MD5
233bc14eaba21d80927a9b552266d3f4

SHA1
ab06c097f3596ae91022117cb0befa854af1bcb8

SHA256
00c338995131db9eea9c087097189de439aee2487d7e981821b7c75e931b53f0

SHA512
ca9c272c7d80ca997dba82f25002cb13e039cc1a58369bbe5748a1a8206ea497fa287cd77447845d308e41a07c605808c1895efd00a172b9668b68782fac1208

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\files_\system_info.txt

Filesize
4KB

MD5
02cf311a5e273802dc6878211d2b8dd5

SHA1
4c54ad41bdcda47a3f597a013f478241bbe81fc5

SHA256
c284e51dc73f37280c6849304e27398b8623c54fe85da9c51352e86848d3df56

SHA512
04baddb9eed7658f16910e8366cc2a32c470a749b6a97f2fa01613bbdc95e880adedcabdbf21b5c7d65c05c772830424caedcabd30fa19a690bb5794648f54b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\p68ah4m5Lye.zip

Filesize
505KB

MD5
3e8c022d6bb37a47220d18c3dffec48d

SHA1
575a45d5b782a262e15a3d1c2ea6d1cb05c69c45

SHA256
9efb7f4bbc787b03b9a2b019d3d125a5f7545e5ebe350f4dd372728955c45241

SHA512
5ba0714f943cb59d451f2a839bbd64172296216c5aea89d19cc16e4ff2fd7d12e728d5e452f438984279ed071cd7b7d7cf9b3416491086d9b7a888c8d1cc3b3b

Download Submit
memory/3140-2-0x00000000007B0000-0x0000000000850000-memory.dmp

Filesize
640KB

Download
memory/3140-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3140-222-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/3140-225-0x00000000007B0000-0x0000000000850000-memory.dmp

Filesize
640KB

Download
memory/3140-224-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/3140-226-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3140-1-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download