cryptbot | 360790a458803634b049c75f5a6b181042dc1be365e1d87552a1ea98bbe9f9cc

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe
Size

529KB
MD5

ce045f72641a7162117870dc35eb3dc2
SHA1

2d7e768407b6a2ba6aa6f5af302af5b391c1d0c6
SHA256

26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f
SHA512

794a818ce5a0475e319c731e0162cf22d51b363a3050c6aa6828566b0d7b4c82efc1de9b680168da65e0c39de5c804a1797223c82c1b025359a166051700cbb8
SSDEEP

12288:oTGv68hozTgVcyWRujnvqdnH6vck7XZ20/OwDogA:o6v68hMTgaHuUH6US20mw8g

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

Attributes

payload_url
http://serfrloadg02.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

resource	yara_rule
behavioral30/memory/3928-2-0x0000000000700000-0x00000000007A0000-memory.dmp	family_cryptbot
behavioral30/memory/3928-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral30/memory/3928-220-0x0000000000700000-0x00000000007A0000-memory.dmp	family_cryptbot
behavioral30/memory/3928-219-0x0000000000400000-0x000000000052F000-memory.dmp	family_cryptbot
behavioral30/memory/3928-221-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3928	26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe
3928	26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe

C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe
"C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\WSOGWnVpPzqm8.zip

Filesize
41KB

MD5
2c404be853aaac1d5801afbcb3f3a40c

SHA1
3cc9120a8663c88db7c1a7e6832ba207f9cdbd53

SHA256
921c3a26b170704f63cd9886ac375bc5e510115affff30c56f0b1d6a5a1f490d

SHA512
73ac68cfc11b6457b97538909c1a7662ad3a4acbaa24512a09072a2a6241d40f80c347b2b4abebfb8867e0ea402b76fd931a93769b51fb12319cd4e244e68c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

Filesize
1KB

MD5
c59e1b3113d29dae2ebeaf0ea220f4dd

SHA1
f52a2ec0f609336fa92a5c58f27f782c67a92454

SHA256
354de3e8c5094857296ee101377549d39fd7e7c7ecf8eca7520542bc9bae0ee0

SHA512
5006d36062437ae7c3349003b3316b46691dab4a16630b1ff656b3f9e972c113434a705d82610b3ea6c88ca3a6e69c3878d56fa53cf69358134e703aabd05105

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

Filesize
3KB

MD5
482908618347c2f83da7874504176f04

SHA1
948fe7455823cf94033a408f2040e7b4c5c1876d

SHA256
cf3515f50c5a4cff8f11f28dd64e813d9cb6f15a6fc5c98a9578a6307a76f26f

SHA512
dd984529262e80aaa0550b01392944d7e30d2ee058fcf784b27a298a494660b0235734a2f27a99573b8e66b368b5282a0f5273a693aac52318829aad1bc021db

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

Filesize
3KB

MD5
c27b0ade13757dfe48569ecbca483e9f

SHA1
c658d8e0a24e7d6390ab85ff7bddf8efdef31e95

SHA256
7b7e410cb85ceaaeb645eec67989a6d386e8db8141de0321795399647b075bcf

SHA512
9b1f8c30a94f97f1e3fdf86ebdeed2c89ac78aef14f853e755935e1f51ec80cd7bdd0ddf8fe21bb6dda0fb0e6d168e5cec807967ae137b189d42b11278eb92a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

Filesize
4KB

MD5
39e2452945540549ccdf189ce19da20c

SHA1
63a1ef8d0e49e974427ab6dd6d27517df3ccc59f

SHA256
d1e8a5c38151f883ee6d92824ea8fdd3b4c62a91077fa8a154d59120fe3cc693

SHA512
793e7fba4461fded76fe1dc4c4d18b465fbaa34c7ab9fee4cd5c78c93a1ede81381f5c610cdb6ba13c0acf648a7a60d81c3dbb3ee7dcfb64018c5731d5b63553

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Screen_Desktop.jpeg

Filesize
47KB

MD5
f41db03dfc0a0d09ad72444b0cbbfaf5

SHA1
7185fe78cb4b1424bddb53b3e20c015c2dd8371d

SHA256
0c0933fe3ee28bcca614d693515fc4e44cf057fba74a131efb03980c83dd39de

SHA512
d5507f29b0a869642c17dd730571473560164280695f2e31688b8986a9e278a7e6247fb9dda7528c80954373659b0e472987ef17b6c67dab37b661285a6ed0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

Filesize
2KB

MD5
deef5e8804faefcf411d53190fa09e98

SHA1
45229ec8f2fa59f7cf2a533a2cf8b76cfaffc3f5

SHA256
d1082c2cf7a84d3c05678485fa141a5b46046988fcc69f2e2e2a4cda18d45634

SHA512
c83208ccdcaf1f8915ba04ea4d297483204005bf4c760fb3e07f184af524a1c039fb9cd5910d82357419517a46f02128d387128dda436e2e1064f257e31f823e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

Filesize
7KB

MD5
a1bb22ba3fca7b9a8ba5f437ab57c2fc

SHA1
adaf3df9ba683445f8570e9a8864e5be61dbfbd5

SHA256
240cb0c84da8ab1ffa9b4c8d8fff80f739f295082b008faac463e5dc8549b874

SHA512
f4514a63a5112d668de20b7a13a114b9d8f88111a681bd4699d3b814920fc2ba75511010826e793997c860354f05d299ceb4f2bc9f1fd63f1ecf817e610480a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\nPbiXXTb.zip

Filesize
41KB

MD5
55d5602d16e32e6457b2edd4cc6e2beb

SHA1
6d65ec99ffbf01c5179e3385532d08dcec367134

SHA256
f8496a84c8af2941b99a7aa0129aff461bb3e1fad370a47c77a575824e0d11f6

SHA512
bc9441fc60751b0fbeeff5223470653e16911c0ffbb7d087ea380823eca5784ac57182528596800399e80be5fb2f035f405d57bc2990ab790cebfac0c7b5cb73

Download Submit
memory/3928-1-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/3928-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3928-218-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/3928-220-0x0000000000700000-0x00000000007A0000-memory.dmp

Filesize
640KB

Download
memory/3928-219-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/3928-221-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3928-2-0x0000000000700000-0x00000000007A0000-memory.dmp

Filesize
640KB

Download