cryptbot | Set-up-1[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

Set-up-1.exe
Size

12.2MB
MD5

b7f95a6fba7ee898425a69ffd2b6c204
SHA1

d995e2ed97947778c489f6384ba3af0f4343c0bc
SHA256

8b6a0a8d8594fb4f465a8220533a8cbf25fb725220dfc35056c7787b27d89643
SHA512

3b9d35e20161767dabea7bda5ed7db3f63ce738e0934965695dedf1f7487fc092c0e2fe3cf35b9656f521c2ab9e30596cda49d38c7ace360ff2b2b0e52930b59
SSDEEP

196608:1MRd/45eJp2M0lVasW4PEaYjxR3eYr4+hn:tf7CxwAn

Score

10^/10

spyware stealer cryptbot

Malware Config

Signatures

Cryptbot family
cryptbot

Detects CryptBot payload 1 IoCs

CryptBot is a C++ stealer distributed widely in bundle with other software.

spyware stealer

resource	yara_rule
sample	family_cryptbot_v3

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
sample	embeds_openssl

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Set-up-1.exe

Files

Set-up-1.exe
.exe windows:4 windows x86 arch:x86

50bc89909d52e5bde65d83f33166faf1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

CryptAcquireContextA
CryptAcquireContextW
CryptCreateHash
CryptDecrypt
CryptDestroyHash
CryptDestroyKey
CryptEnumProvidersW
CryptExportKey
CryptGenRandom
CryptGetHashParam
CryptGetProvParam
CryptGetUserKey
CryptHashData
CryptReleaseContext
CryptSetHashParam
CryptSignHashW
DeregisterEventSource
RegCloseKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExW
RegQueryValueExA
RegisterEventSourceW
ReportEventW
SystemFunction036

bcrypt

BCryptGenRandom

crypt32

CertCloseStore
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CertGetCertificateContextProperty
CertGetEnhancedKeyUsage
CertGetIntendedKeyUsage
CertGetNameStringA
CertOpenStore
CertOpenSystemStoreA
CertOpenSystemStoreW

iphlpapi

ConvertInterfaceIndexToLuid
ConvertInterfaceLuidToNameA
FreeMibTable
GetAdaptersAddresses
GetBestRoute2
GetUnicastIpAddressTable
if_indextoname
if_nametoindex

kernel32

AcquireSRWLockExclusive
CancelIo
CloseHandle
CompareFileTime
ConvertFiberToThread
ConvertThreadToFiberEx
CreateEventA
CreateFiberEx
CreateFileA
CreateFileMappingA
CreateFileW
CreateIoCompletionPort
CreateProcessW
CreateSemaphoreW
CreateThread
DeleteCriticalSection
DeleteFiber
DuplicateHandle
EnterCriticalSection
ExpandEnvironmentStringsA
FindClose
FindFirstFileW
FindNextFileW
FormatMessageW
FreeLibrary
GetACP
GetConsoleMode
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentVariableA
GetEnvironmentVariableW
GetFileAttributesA
GetFileSize
GetFileSizeEx
GetFileType
GetLastError
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetOverlappedResult
GetProcAddress
GetQueuedCompletionStatusEx
GetStartupInfoA
GetStdHandle
GetSystemDirectoryA
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetTempPathA
GetTickCount64
GetTickCount
GetVersion
GetVersionExA
InitializeConditionVariable
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
MapViewOfFile
MoveFileExA
MultiByteToWideChar
PeekNamedPipe
PostQueuedCompletionStatus
QueryPerformanceCounter
QueryPerformanceFrequency
ReadConsoleA
ReadConsoleW
ReadFile
RegisterWaitForSingleObject
ReleaseSRWLockExclusive
ReleaseSemaphore
SetConsoleMode
SetFileCompletionNotificationModes
SetFilePointerEx
SetHandleInformation
SetLastError
SetUnhandledExceptionFilter
Sleep
SleepConditionVariableCS
SleepEx
SwitchToFiber
SystemTimeToFileTime
TlsAlloc
TlsGetValue
TlsSetValue
UnmapViewOfFile
UnregisterWait
VerSetConditionMask
VerifyVersionInfoW
VirtualAlloc
VirtualFree
VirtualLock
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WaitNamedPipeA
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteFile
lstrlenA

msvcrt

__mb_cur_max
__setusermatherr
_chsize
_findclose
_fullpath
_lock
_unlock
fputwc
localeconv
vfprintf
_stat
_findnext
_findfirst

shell32

ShellExecuteA

api-ms-win-crt-convert-l1-1-0

atoi
atol
atoll
strtol
strtoll
strtoul
strtoull
wcstombs

api-ms-win-crt-environment-l1-1-0

__p__environ
__p__wenviron
getenv

api-ms-win-crt-filesystem-l1-1-0

_fstat64
_mkdir
_stat64
_wstat32i64
remove
rename
_unlink
_chmod

api-ms-win-crt-heap-l1-1-0

_set_new_mode
calloc
free
malloc
realloc

api-ms-win-crt-locale-l1-1-0

setlocale

api-ms-win-crt-math-l1-1-0

_fdopen

api-ms-win-crt-private-l1-1-0

memchr
memcmp
memcpy
memmove
strchr
strrchr
strstr
wcsstr

api-ms-win-crt-runtime-l1-1-0

_set_app_type
__p___argc
__p___argv
__p___wargv
__p__acmdln
__sys_errlist
__sys_nerr
_assert
_cexit
_configure_narrow_argv
_configure_wide_argv
_crt_at_quick_exit
_crt_atexit
_errno
_exit
_fpreset
_initialize_narrow_environment
_initialize_wide_environment
_initterm
_set_invalid_parameter_handler
_wassert
abort
exit
perror
raise
signal
strerror

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
__p__commode
__p__fmode
__stdio_common_vfprintf
__stdio_common_vfwprintf
__stdio_common_vsprintf
__stdio_common_vsscanf
__stdio_common_vswprintf
_fileno
_fseeki64
_ftelli64
_lseeki64
_wfopen
_write
fclose
feof
ferror
fflush
fgets
fopen
fputc
fputs
fread
freopen
fseek
ftell
fwrite
rewind
setvbuf
_write
_setmode
_read
_open
_open
_lseek
_isatty
_fileno
_close

api-ms-win-crt-string-l1-1-0

_strnicmp
isalnum
isspace
isupper
memset
strcat
strcmp
strcpy
strcspn
strlen
strncat
strncmp
strncpy
strpbrk
strspn
tolower
wcscmp
wcscpy
wcslen
_stricmp
_strdup
_strdup

api-ms-win-crt-time-l1-1-0

__daylight
__timezone
__tzname
_difftime32
_difftime64
_gmtime32
_gmtime64
_localtime32
_mkgmtime32
_mktime32
_mktime64
_time32
_time64
_tzset
strftime
_utime64

api-ms-win-crt-utility-l1-1-0

_byteswap_uint64
bsearch
qsort
rand
srand

user32

CreateDesktopW
FindWindowA
GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW
SendMessageA
wsprintfW

ws2_32

WSAAddressToStringW
WSACleanup
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
WSAGetLastError
WSAIoctl
WSAPoll
WSAResetEvent
WSASetEvent
WSASetLastError
WSAStartup
WSAStringToAddressW
WSAWaitForMultipleEvents
__WSAFDIsSet
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
gethostbyaddr
gethostbyname
gethostname
getnameinfo
getpeername
getprotobyname
getservbyname
getservbyport
getsockname
getsockopt
htonl
htons
inet_addr
inet_ntoa
ioctlsocket
listen
ntohl
ntohs
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket

Exports

Exports

main

Sections

.text
Size: 4.1MB - Virtual size: 4.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 6.5MB - Virtual size: 6.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 68KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 12KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 66B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 180KB - Virtual size: 180KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

50bc89909d52e5bde65d83f33166faf1

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

bcrypt

crypt32

iphlpapi

kernel32

msvcrt

shell32

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

user32

ws2_32

Exports

Exports

Sections

.text Size: 4.1MB - Virtual size: 4.1MB

.data Size: 6.5MB - Virtual size: 6.5MB

.rdata Size: 1.4MB - Virtual size: 1.4MB

.eh_fram Size: 68KB - Virtual size: 68KB

.bss Size: - Virtual size: 12KB

.edata Size: 512B - Virtual size: 66B

.idata Size: 11KB - Virtual size: 10KB

.CRT Size: 512B - Virtual size: 48B

.tls Size: 512B - Virtual size: 8B

.reloc Size: 180KB - Virtual size: 180KB

.text
Size: 4.1MB - Virtual size: 4.1MB

.data
Size: 6.5MB - Virtual size: 6.5MB

.rdata
Size: 1.4MB - Virtual size: 1.4MB

.eh_fram
Size: 68KB - Virtual size: 68KB

.bss
Size: - Virtual size: 12KB

.edata
Size: 512B - Virtual size: 66B

.idata
Size: 11KB - Virtual size: 10KB

.CRT
Size: 512B - Virtual size: 48B

.tls
Size: 512B - Virtual size: 8B

.reloc
Size: 180KB - Virtual size: 180KB