cryptbot | 360790a458803634b049c75f5a6b181042dc1be365e1d87552a1ea98bbe9f9cc

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe
Size

529KB
MD5

ce045f72641a7162117870dc35eb3dc2
SHA1

2d7e768407b6a2ba6aa6f5af302af5b391c1d0c6
SHA256

26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f
SHA512

794a818ce5a0475e319c731e0162cf22d51b363a3050c6aa6828566b0d7b4c82efc1de9b680168da65e0c39de5c804a1797223c82c1b025359a166051700cbb8
SSDEEP

12288:oTGv68hozTgVcyWRujnvqdnH6vck7XZ20/OwDogA:o6v68hMTgaHuUH6US20mw8g

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

Attributes

payload_url
http://serfrloadg02.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 6 IoCs

resource	yara_rule
behavioral29/memory/2836-2-0x00000000002A0000-0x0000000000340000-memory.dmp	family_cryptbot
behavioral29/memory/2836-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral29/memory/2836-4-0x0000000000400000-0x000000000052F000-memory.dmp	family_cryptbot
behavioral29/memory/2836-227-0x00000000002A0000-0x0000000000340000-memory.dmp	family_cryptbot
behavioral29/memory/2836-229-0x0000000000400000-0x000000000052F000-memory.dmp	family_cryptbot
behavioral29/memory/2836-230-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2836	26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe
2836	26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe

C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe
"C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\WSOGWnVpPzqm8.zip

Filesize
539KB

MD5
6b2523baa3c207084c14454eb7fd77cd

SHA1
7d5bdddb2494f925468e290370cbef223bddb457

SHA256
a4cdbdea81b10d5e58de218897f46c3373beb5527d7f41f273269e20cc83e73c

SHA512
ae3e06cf382e8ecbe5f2c9c4e53a31d2083b4b5b55084a37db841dcbbb93ef62b0fcbf5133518728da59b5ccdef32f3cd74c40ae2972d7038f8c66b8971af5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Files\StartStop.txt

Filesize
501KB

MD5
a52ef8b9bb0e5d26e6bf28c613d71be0

SHA1
c774360d6d70a984690d118292d58c389014067e

SHA256
de694b9cdae4aff1cb799ecda251028bffdfd8d86e6c315fe7ed4b9fd5462dac

SHA512
417ceb9b9455ee020a8b0703acc42babd753de67e3efe72e9771f7c5e3286e177cdbdc0dc997b59b6931f6b9fda3ac476de4cbd487ba9b104b3853d92e4e7172

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

Filesize
1KB

MD5
8a0bd3f407b01943d0b9bf720955f801

SHA1
5665f3000a5671d4834eaf99ef640cb9041d0dd4

SHA256
4f14f0083550c0d86971df9b249903ece5f36d864f051778fa5779a0b81956c7

SHA512
2181548dab06b14402c49e710e7507d4a70a5d433b0f03e9649b3be886e070bdc3499e80977128e7c9d451f729a503ebd1f6d5b7a5673d53a22ab3e1bf8d6afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

Filesize
3KB

MD5
35a54761c51414e7bd44a9cfef652314

SHA1
0472649f4e39fc6aef4c827e7817487ce83bb07d

SHA256
1f66cde9fdba552ea269b4b2f35606c869cafe42265b10e0ac664454f55120a0

SHA512
b9f06a1d74904e3eb8dd2693854cd2d154b20a0cc25fb23005b7fd9dc56d21efb13bf2658a80f72a584679d99d4362ed9d265da69e8bdf6dc59ecac3f9868744

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

Filesize
3KB

MD5
60f47cfc21b618e2c3a9d1318ffeccba

SHA1
138b7cb74074744c9031dea1b6e6bc632b63e927

SHA256
a4d67dccd4dd521d34b0594045353ff9bbd2c269dd0c1a9ef6d8c809a59b7c57

SHA512
a04fce8b707d3aed0c04f244549ff44c4c7aa54a7ad7dca45123a4b77ba49b06f451a7ab43c61ffd5f46ef9a386db26a9f9190bc792bafb9c1eaf0cd8e4126ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

Filesize
4KB

MD5
ce5a4c5df65981c9a15e2d4c17fc07fe

SHA1
7da68f3ac02a64d93e84a2fa91a4c87e5b72d860

SHA256
a7746c25510d8568b98b27ada2a91a40ea1a0ff67f2f71d381e46a89d6c0ae3f

SHA512
415f80f1ae5171b5baeed29c02acebea328271e0d284d9241f7d3f5c73fb97a2689d3622fd3872240e304ad13c9ec160741051185e94a910ffc21939c1356373

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Screen_Desktop.jpeg

Filesize
45KB

MD5
76d73e8b0bad36d3e16be99d718d9add

SHA1
e2ca0149da16ab57f19180c5e22085540798f57a

SHA256
15c579422d25b762e354fdfcd59dc8570cd34c8a6143c308bb86239765840c1b

SHA512
630e5dd1231f0a3a788f43f5407497f6103158d111aa2ffd01b3b4f7ed539ef9676cafaee7d38f3f2f4096b88e6fde927fd282094efa27c7970bf786d90ccf3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

Filesize
780B

MD5
c0d24ed3c41cee29c39d85cfe2f98576

SHA1
ac7b9e4d5b920f4882bf9970e204fe9f1619c6ee

SHA256
8edd794f8ece18de9eeddc54ab0e430444dab0bfc033d39fdd1b1ac5d3f49520

SHA512
165766bc12061bfc879f46ba71396f7fe6f5ed5c7afc5441431d8b0091c0fd30ba33817ea4e7db3e957b8c18d9469f02f298433da873ba07a827ae330b42407c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

Filesize
1KB

MD5
7a3e9706e104b280edf5d44ffdb7b285

SHA1
00aa2221725fca2ba10df19f60301e0f77e2f86b

SHA256
bd2d2aa86925f3f5eb86018749b7425944e48cdf53a36b1d34ddf6f3a4537513

SHA512
b27f1e1d0a9cedcd70d7d1edd91066d8bec993610656745379b5744def4be199f44c1052dc4d0d1f383627a03a35b4c01fddd66c475de8c522e7f2bed7c4be68

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

Filesize
1KB

MD5
c757c241dd18874002c79c291ebda34c

SHA1
82f8078b2e3d6bd611fc889d426328ccf267db22

SHA256
19fd8dedcd7fb7fc45a33bb04df161cd3bb3966c92fa9bc35bc53546eca6d589

SHA512
cd757c721376f25d930898bd04c8c421647a503bd9aaa86d0668980a27ccb05a2d221fce0f4bae4792109286eb3a89e318c14a8b9ef22a2d6c28433cdf6caf71

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

Filesize
3KB

MD5
e0fe3d2fe4a02850297db83e5d8cab49

SHA1
611000e76a4f14361d25b99e9265cb8226db40f7

SHA256
fba88425f8d494ce7b2c1dbc36c44d6a19b109f8ca891a583e44b5f54191cec9

SHA512
3bb34dfd4f5e33b86fd971a56fc4073ebdd19de59916b122ad336485d06d228cbe270628db69eab2d0a947f224c53525766127b974e31f69b940d836bea48e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

Filesize
4KB

MD5
68c9dfcfcf1e77949f59df3d16d351a2

SHA1
5246cd4200ff22da288473b84d28deaf8524f31c

SHA256
a523cb37dfb619ea7b524600fcfd6417b70c39d5e44045a035104aa1a3d0ad36

SHA512
4a39dd4c8538cfa1602e683abe5400e1b3d2fb33009eda8e4b09b7047477f3e437372155934d840ffe6d3bed0ebcbbcf71e9d65473cb2cc3a60d82b1246c580f

Download Submit
memory/2836-1-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/2836-4-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2836-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2836-226-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/2836-227-0x00000000002A0000-0x0000000000340000-memory.dmp

Filesize
640KB

Download
memory/2836-229-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2836-230-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2836-2-0x00000000002A0000-0x0000000000340000-memory.dmp

Filesize
640KB

Download