cryptbot | fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820

General

Target

fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe
Size

347KB
MD5

ca5faa77d0bc3a6e946b0b225aef3cb2
SHA1

f604e5b34395b7bbacb23ad6de49b396ad43e4d0
SHA256

fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820
SHA512

8e4146fdcdc681640901100b363e94e1133e11ee2975509d5dfd443f49c0a9d2ab65ed10aad5358c139dbfc0cff7db9a4f2d2edc9ee37cb50bf1677f39231c36
SSDEEP

6144:ZLNfr9ti3Q7FnY3gH+X+0qH77kliXQIxZetZvuyLEHyglIADG8elA:Zhfrbi3Qt+WKBk7giXQfaXxDv

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

veoalm42.top

moruhx04.top

Attributes

payload_url
http://tynjua14.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe

C:\Users\Admin\AppData\Local\Temp\fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe
"C:\Users\Admin\AppData\Local\Temp\fa2e957273059aeebb840921dbbc8857115eeb0277dfad5716b70b26a23aa820.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IGbdpkUishc\QoEWIifATKT.zip

Filesize
1.1MB

MD5
2f18930b5b2db991f7850bd83bbad4bf

SHA1
54889cef2a7db61a7e605ceeef4d9f6f18a0a296

SHA256
af2ade9cfaeae150ca3cf383af3967b5b41216e22b1dddab93d70f806b0faa6d

SHA512
c1289bd6969feb4f8dd33deb7a85d2302a9f4293cb8de0d496e6c15349e5ab98cda1c78ccef73d398b042200970aabb34657263741de1085fe0ed72ebb4346de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IGbdpkUishc\_Files\_Files\OpenConvertTo.txt

Filesize
1.1MB

MD5
9ba5436eb24dc273a501d6ea30c10f89

SHA1
b34d92401d936fc3be32f721093a176788e09819

SHA256
bf5783648f26c62688319c4204279caf561f14d3a39090e9f61fc8797ae7ae5b

SHA512
5d5a9b11b89330d79a7656fc15d162ebf0244394da4f79f6260d07cb13c07495665e95f93c94344d0dfc4d2078b630a0b951b2652750e0724ee37f288f74b79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IGbdpkUishc\_Files\_Information.txt

Filesize
1KB

MD5
664fe9ae30e3f00c5e772e196d409dc1

SHA1
321a83006f55fd13df585f5a81b076466e829766

SHA256
81b2acb1a0950bf976018ed47f0100a35cdddfcbfc5fd5888ddb579629524105

SHA512
a496a6378990b76a6c6b14a89534117e962ae2c75792b3052089e264314ce331d1801cf66ccf04974f877b62f0ef80a38585196feed8c4b55dfa7b6e4e8cbff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IGbdpkUishc\_Files\_Information.txt

Filesize
1KB

MD5
3a1741218130828f7f0981d7adec8ee6

SHA1
d04d15168563b5a053ec618b80e6ad7c317e1bb8

SHA256
f5a0580f77fdbfaf91bee2a472c06b8b99f938c026bef5c78dc9af2cf1951a43

SHA512
4efd19eed526b8a8c54caaeee0c798f1d2cf569dfb67323a5003a34257954cd7664fbc797f499bfa0298813bfa5abf7471822ec304fe0590004d5f94b1b4cc49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IGbdpkUishc\_Files\_Information.txt

Filesize
7KB

MD5
48c90d264300101926ca98471d457e0d

SHA1
48313316e18220b60deb885f0b7231185d750550

SHA256
12b18314b147b66e2ac180b1220f7222bc49b756c67a733efb7568f82abeb7be

SHA512
cac440716aa68264c47d77a132ff00b1def7602e2e970babbd2f29e4cce661a80b573578c3e3596b2c467821205ad106cb68d371f27f1f4651664ff605d959c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IGbdpkUishc\_Files\_Screen_Desktop.jpeg

Filesize
54KB

MD5
167617287cc418516f836079adffdb03

SHA1
79c39db777f5e5528b229eb5d3b241b72aeacc5a

SHA256
579b87ee3df2daacb8de680e1e1d313e798cb543ae7b503184802022cd9baffe

SHA512
96fcb6b421a3678dc48f3be354dd52975da5e0f993c355fa9fb0b8bd1ea57461df12413f5339fefa8c602d534c292851267fdb72b0e9d54eae12de471740e138

Download Submit
memory/2208-128-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2208-135-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2208-123-0x0000000002FB0000-0x0000000002FD5000-memory.dmp

Filesize
148KB

Download
memory/2208-122-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2208-125-0x0000000002FE0000-0x0000000003025000-memory.dmp

Filesize
276KB

Download
memory/2208-126-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2208-0-0x0000000002FB0000-0x0000000002FD5000-memory.dmp

Filesize
148KB

Download
memory/2208-1-0x0000000002FE0000-0x0000000003025000-memory.dmp

Filesize
276KB

Download
memory/2208-132-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2208-2-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2208-139-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2208-142-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2208-145-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2208-148-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2208-151-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2208-154-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2208-157-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2208-160-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2208-163-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/2208-166-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download

Analysis

Sharing