cryptbot | ab5b6f41f28835258460c41d594de4c2910af1eb7bc48bee78c51b5f676a5587

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

667KB
MD5

bd71cacc925d19e97841949480825962
SHA1

69e0bd8773accf91b5374af59394749624f21bc5
SHA256

c0e25e1afb6e8457a95d10a96a7e97191821b698481f9c73cb8468e09723e15c
SHA512

ae162ec70ccb8857f30eb22aae6b7bc3b851a246ff5e0418bef96f72569497cbf4fdb0200d5d9327e67be9f8c9f1353bc1c920854412c9b33aeb86ce0882b465
SSDEEP

12288:CextvP96hExo7PTMoHbeMGpkEBuxubk6BXrwYewmBFml1ihhCJ4VLt8/nWnDEFX:CevP96hExIivkEW3WXkYdOFmPihIkt87

Score

10^/10

cryptbot discovery spyware stealer upx

Malware Config

Extracted

Family

cryptbot

eressedb12.top

morttttk11.top

Attributes

payload_url
http://dowhhad06.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3892-2-0x00000000049E0000-0x0000000004A80000-memory.dmp	family_cryptbot
behavioral2/memory/3892-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral2/memory/3892-217-0x0000000000400000-0x000000000481F000-memory.dmp	family_cryptbot
behavioral2/memory/3892-220-0x00000000049E0000-0x0000000004A80000-memory.dmp	family_cryptbot
behavioral2/memory/3892-221-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3892-0-0x0000000000400000-0x000000000481F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

file.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

file.exe

pid	Process
3892	file.exe
3892	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AFzmbXqzsf2h\G7r3ZOiieXqQM.zip

Filesize
41KB

MD5
2ca4b2f5e41a7b3d3128cc6d6f944d7c

SHA1
c3c162fa2a8f5a2675a5e9ca82613474ff550741

SHA256
d83e73baec4fc8bebb17a6a5dbf6068b52c4710ee879fb021c2310f70cb08dca

SHA512
6893884c26d39445c9a593236b6e3b3408ac58fee5d6dd5fb78a2740f12ac0e2a0c21f749d61d23903f0d00ca8af32c5d5030b5838abbf11ee56c07833bcd969

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFzmbXqzsf2h\YcS5ODqT1fhD.zip

Filesize
41KB

MD5
e71275c4f4026d8ac8c4e8681348a526

SHA1
6df00d9a6f48c01ce5e2d21188c4294a71555c82

SHA256
3e337849b8e5816afd353316447f7c84c06e38303163e87eacede939cab91ef0

SHA512
eed37af8b794323f9d7ce04358efbb7330a7c72b53ce30c127102be20fdbcf93539d14c8d5364149af39cf8e2081d72dcb6b3fd7d748c533d4f8712837d434c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFzmbXqzsf2h\_Files\_Information.txt

Filesize
7KB

MD5
6396d79996c9b203e95b2a7dd49d8e2c

SHA1
6a549fdee3dd5e8514b906179754276916e28c3b

SHA256
78346241b78c3e72788c7107d73116c640c39ae11d68a23aab4a2dc7fd2ead8f

SHA512
d7b4c5a35121fc73dbad7dedabe4e51fcbb8d49bd2cac5e1ba88f4c83be0e8e8c7d39ce1d965bfb1f273603a18ba30db77fd956d7530b990d94f14e8863a16b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFzmbXqzsf2h\_Files\_Screen_Desktop.jpeg

Filesize
47KB

MD5
918588c065fa70c886e774aa1087cc2d

SHA1
e83aedb2ff7db9b8a9237c051f0c7ba6ce9a055c

SHA256
3019fd1cd714a10efd7c0721403aa0f2fb19cad64408e982997e76ce92655fd9

SHA512
2d0f3923e1a6000b1ec354b96ecc83638d7580557ba29a7ac472ec8b555cd83fc3a6831ed722118ee717e2994692ae258f020d9420f01df9b803cdf8b533f3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFzmbXqzsf2h\files_\system_info.txt

Filesize
662B

MD5
bf9a0c437c6d8fbe5bfb6bc443b4874c

SHA1
2067e9ba915a317d70c3296441e58bccb34fe6cc

SHA256
bb202073484f6649ec7211fc5a446c0f585f508167658bcc1c5bad40e09643b3

SHA512
01479ee4208787dc786d00f92a56761e86cb8a83f9a3cc07fc6b4008a5c29ebc5300c03c5405025edc883f875bdd9c9dedb9eb9cc10c932e1b16074b1b83d0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFzmbXqzsf2h\files_\system_info.txt

Filesize
4KB

MD5
358000d6a563f6ba70b27177eadf5b20

SHA1
c2ad156ab7d5d1fe7c9ad0e36e7b422d038fe8da

SHA256
f2eac41e183b1ee9256a3b0748b56dcfe4239204e43f72d5d594d1b978e72506

SHA512
29390fb0622fa4eca353998a4a13958c3f5485cb374652b72e6109d6742b8843e1feddb91ea7833600131c9150f176334b7773706ad0d12c4df7aa954bb6eb98

Download Submit
memory/3892-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3892-0-0x0000000000400000-0x000000000481F000-memory.dmp

Filesize
68.1MB

Download
memory/3892-217-0x0000000000400000-0x000000000481F000-memory.dmp

Filesize
68.1MB

Download
memory/3892-220-0x00000000049E0000-0x0000000004A80000-memory.dmp

Filesize
640KB

Download
memory/3892-221-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3892-2-0x00000000049E0000-0x0000000004A80000-memory.dmp

Filesize
640KB

Download
memory/3892-1-0x00000000048F0000-0x0000000004957000-memory.dmp

Filesize
412KB

Download