cryptbot | fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820

General

Target

fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe
Size

347KB
MD5

ca5faa77d0bc3a6e946b0b225aef3cb2
SHA1

f604e5b34395b7bbacb23ad6de49b396ad43e4d0
SHA256

fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820
SHA512

8e4146fdcdc681640901100b363e94e1133e11ee2975509d5dfd443f49c0a9d2ab65ed10aad5358c139dbfc0cff7db9a4f2d2edc9ee37cb50bf1677f39231c36
SSDEEP

6144:ZLNfr9ti3Q7FnY3gH+X+0qH77kliXQIxZetZvuyLEHyglIADG8elA:Zhfrbi3Qt+WKBk7giXQfaXxDv

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

veoalm42.top

moruhx04.top

Attributes

payload_url
http://tynjua14.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe

C:\Users\Admin\AppData\Local\Temp\fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe
"C:\Users\Admin\AppData\Local\Temp\fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ghkCrkAF\NnbQWArkIqSvyE.zip

Filesize
1.0MB

MD5
be819630d05abbe0027586acc86ec0ee

SHA1
f0baf02c470149fce09c11c0dc2d527f0f8810f7

SHA256
a5ac83b79041b07247677e0e141b6ced360a74f767eb8818e730c0b56f8f7fe2

SHA512
39e43f2b8bfdcfcd78c83a9170b31a5f0b11e834455cd418ae1c46d2514f43cbe02fe0d5a3f7b0d9d6fabee16b8c310fb32e36e4bc2344d99b15b4f97ee64f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghkCrkAF\_Files\_Files\SetOut.txt

Filesize
1024KB

MD5
35f45815d35df6f05da9092a702d9b3c

SHA1
718e1d29eba0d2946f1fb222208f557510c575cb

SHA256
365892642679a7ade9cd15a03e46ac6760ba5118b735fa95d194e7084b21ebf1

SHA512
223b13ebd966f354766df50c0e0774d38283e8b19001e621085c2de8553aedd6e9c72c10ac8694f5002f9e69edac69cb4977e3492955ea6a97fd36a66fbf8c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghkCrkAF\_Files\_Information.txt

Filesize
1KB

MD5
7115c4a142906d8cbf459a1bbcd9fab8

SHA1
3574a50e692fedc5d3d997b49a50d668f65050de

SHA256
56c57eb261651ef8b1c98f2b237e514aa0a0b5c93f6b24c0ae21359305d36c59

SHA512
7229ef547011f0e428cdf8237d4bb30eb8faab31bed330a690371bdd329029a039444ab6c9bc9f52da5818fb703d6438f4bd154dd6c5dc88e857190214dae0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghkCrkAF\_Files\_Information.txt

Filesize
3KB

MD5
76b27a62c915338c0e313ece5bdc69e8

SHA1
6003a3cf4c9e4e96b9223ce8ea155fbd3d565882

SHA256
151469f822f4cb3de58f62f29def7eda550b55942a9791499bdc9cf0dbf397c7

SHA512
3691f4d2ea4aafcdaf526449d01ee0e408ef437c894cace1c054fb4b5088936f85dff897212cd9d37965f2c15ae96df4f7e6be1bbe1a853ee02d20edcf244ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghkCrkAF\_Files\_Information.txt

Filesize
4KB

MD5
cd327f37b28c0a05e5a4d599b8aaf278

SHA1
1d82e8bc880b0b810b49e49cc11275b07155ec5d

SHA256
387ef39e6a16699f1083b5307d395d118c0a6964a24dc8dc0bb524d41489cca4

SHA512
d27a80dd3879024d5c9d6e9b975f49c889b5680e1131f277a237a450e106918dc5896a705d1af093aaddde4895e7a151a82d599f9ad204c667eaf4dd52a77626

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghkCrkAF\_Files\_Screen_Desktop.jpeg

Filesize
52KB

MD5
8cad22be94cc22fbf154046de86e7022

SHA1
b4eb71f38a8478067080a858fd70a2a44e7716ff

SHA256
f5a28b61fef0ea62fe2f8a527bd5a4c923a143159466429ddb2289f8730520d4

SHA512
300e8278d1472bdc18929cb4db9f87ace9a2812c13c897b0b8035f855c076ee9ad6dd28b5f5111ff8b3c9f7dc618db879cc2bfbee97361ee077be3c36f086a92

Download Submit
memory/2396-123-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2396-134-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2396-122-0x0000000003080000-0x00000000030A5000-memory.dmp

Filesize
148KB

Download
memory/2396-124-0x00000000030B0000-0x00000000030F5000-memory.dmp

Filesize
276KB

Download
memory/2396-0-0x0000000003080000-0x00000000030A5000-memory.dmp

Filesize
148KB

Download
memory/2396-125-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2396-128-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2396-1-0x00000000030B0000-0x00000000030F5000-memory.dmp

Filesize
276KB

Download
memory/2396-131-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2396-2-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2396-138-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2396-141-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2396-144-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2396-147-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2396-150-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2396-153-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2396-156-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download

Analysis

Sharing