cryptbot | b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe
Size

2.7MB
MD5

331dcdc60c30bfb0e6caf4d5a2b13af0
SHA1

8791349b229c91fa0899cd0f669a9cc533aa4105
SHA256

b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446
SHA512

c5408605dd1fdb1f34c64eb31ef0d86685c75ddca02f78bcb762c6c799885652b3d091133fca0b0e890b3f9d0a325621d82c75cdc6c35f48bc404be109ed12e9
SSDEEP

49152:P9eUwdL4wRqh7YqAVpymthcNRhuvo5NMAN7q4HmfT5RhJRr0UUK81Ezw6HdPd5is:85zgSt+svYNMAN7jOhJRDrwIdb

Score

10^/10

cryptbot credential_access discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

cryptbot

oct3m.top

oct3e.top

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3528-0-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-3-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-2-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-4-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-5-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-6-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-117-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-118-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-123-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-127-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-130-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-133-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-135-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-138-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-142-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-145-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-148-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida
behavioral2/memory/3528-151-0x0000000000CB0000-0x00000000013AE000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

pid process

3528 b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

pid	process
3528	b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe
3528	b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe

C:\Users\Admin\AppData\Local\Temp\b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe
"C:\Users\Admin\AppData\Local\Temp\b87ca65199e6eba3ee9185945cbd8ee3591c15c67ad24a6a1e9a0fe98be60446.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WbPhZFuoeV\DPgewvBwMv.zip

Filesize
45KB

MD5
cd65c2dc2835c1e6a6f95692c8cdd68e

SHA1
7af5ee5e558a7b6a5f700d1909aa5e620d5c494a

SHA256
347358db96eb60cca6c6770ffc60203e4f3c9710d08b2a9e4950c60eae4b4a77

SHA512
b053eb2d8fab70c4f4541c1b7ec4a3c07c61f7743ddade6f4d6652331196ac8c095176fa044096ef6e234b6a34b77d1b55ae17b485265d5469b8141be5d8f956

Download Submit
C:\Users\Admin\AppData\Local\Temp\WbPhZFuoeV\_Files\_Information.txt

Filesize
7KB

MD5
a3aa8e622ab34843d4458cee78d7399a

SHA1
250635e7a38c00b97322026bb82b0c3431a14ee9

SHA256
99066ff497f29594e7e8b188d1af49e034af4c4425b5449b8fd93484d25cc826

SHA512
b979a38a2045881a0c80792fb21047036f7a9d3baec4ca1da057c0ae7785fd382b05cbc2183d800a16a2875b3443d895b801fc5bf19ab196e5999bf34a2b5fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\WbPhZFuoeV\_Files\_Screen_Desktop.jpeg

Filesize
50KB

MD5
536bcc351b6321fc570492d8090ce07a

SHA1
c362b2274c69243bbf7fa56e4b9d8ff7b8264a1e

SHA256
6f56a237ab32fd7919a57657c581eec1fee5722a16bfc5a18db81dabc3384e48

SHA512
1894d20bae357005531cc3216d78cd872f74c2d4e7a3fa33c6352a7d1ac5a998e163570e975e97f77c0824f33d9b923f48ff36af5ee49195192c1e45d1b3ab74

Download Submit
memory/3528-118-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-1-0x0000000077B14000-0x0000000077B16000-memory.dmp

Filesize
8KB

Download
memory/3528-5-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-6-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-2-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-3-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-117-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-0-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-123-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-4-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-127-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-130-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-133-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-135-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-138-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-142-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-145-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-148-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download
memory/3528-151-0x0000000000CB0000-0x00000000013AE000-memory.dmp

Filesize
7.0MB

Download