cryptbot | 0a711206f96133c8d28cd99b5910d705[.]bin

Sharing

Copy URL

Twitter E-mail

General

Target

0a711206f96133c8d28cd99b5910d705.bin
Size

2.7MB
MD5

250927885f1275ad0cf8436f944a557f
SHA1

2311d38f568c2d3d8c1cba73e2726fa57499855a
SHA256

ba14eb0e57c8e99fa4bc718a83d4120dff5e7e15c7056734aefebdf50b30cd71
SHA512

1d4844260707108c52233e09fd88b363a6ac36660841c64e1cdb4d1a744ac0457e66004dd2c9afb0398952e402229cf0d531457b19fb7a0b5995e41675b7a84d
SSDEEP

49152:PeDHKmdb3h7GTVTRBtdjCp+PwMND/KK0PFfRS93//XgSdeXZFQvNN:Iqmdbx7GRTRBt9nPwM9/KK0Pq93HwLo

Score

10^/10

spyware stealer cryptbot

Malware Config

Extracted

Family

cryptbot

Signatures

Cryptbot family
cryptbot

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
static1/unpack001/3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe	embeds_openssl

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe

Files

0a711206f96133c8d28cd99b5910d705.bin
.zip

Password: infected
3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
.exe windows:4 windows x86 arch:x86

Password: infected

81fb24115d5dd0de51b609f733724901

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

CryptAcquireContextA
CryptAcquireContextW
CryptCreateHash
CryptDecrypt
CryptDestroyHash
CryptDestroyKey
CryptEnumProvidersW
CryptExportKey
CryptGenRandom
CryptGetHashParam
CryptGetProvParam
CryptGetUserKey
CryptHashData
CryptReleaseContext
CryptSetHashParam
CryptSignHashW
DeregisterEventSource
RegCloseKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExW
RegQueryValueExA
RegisterEventSourceW
ReportEventW
SystemFunction036

bcrypt

BCryptGenRandom

crypt32

CertCloseStore
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CertGetCertificateContextProperty
CertGetEnhancedKeyUsage
CertGetIntendedKeyUsage
CertOpenStore
CertOpenSystemStoreA
CertOpenSystemStoreW

gdi32

BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
DeleteObject
SelectObject

gdiplus

GdipGetImageEncoders
GdipGetImageEncodersSize
GdiplusShutdown
GdiplusStartup

iphlpapi

ConvertInterfaceIndexToLuid
ConvertInterfaceLuidToNameA
FreeMibTable
GetAdaptersAddresses
GetBestRoute2
GetUnicastIpAddressTable
if_indextoname
if_nametoindex

kernel32

AcquireSRWLockExclusive
CancelIo
CloseHandle
CompareFileTime
ConvertFiberToThread
ConvertThreadToFiberEx
CreateEventA
CreateFiberEx
CreateFileA
CreateFileMappingA
CreateIoCompletionPort
CreateMutexA
CreateSemaphoreW
CreateThread
CreateToolhelp32Snapshot
DeleteCriticalSection
DeleteFiber
EnterCriticalSection
ExpandEnvironmentStringsA
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileW
FormatMessageW
FreeLibrary
GetACP
GetConsoleMode
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceExA
GetDriveTypeA
GetEnvironmentVariableA
GetEnvironmentVariableW
GetFileAttributesA
GetFileType
GetLastError
GetLogicalDriveStringsA
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetNativeSystemInfo
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetQueuedCompletionStatusEx
GetStartupInfoA
GetStdHandle
GetSystemDirectoryA
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetThreadLocale
GetTickCount64
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GlobalMemoryStatusEx
HeapAlloc
HeapFree
InitializeConditionVariable
InitializeCriticalSection
IsBadReadPtr
IsDBCSLeadByteEx
K32EnumProcesses
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
MapViewOfFile
MoveFileExA
MultiByteToWideChar
OpenProcess
PeekNamedPipe
PostQueuedCompletionStatus
Process32First
Process32Next
QueryFullProcessImageNameA
QueryPerformanceCounter
QueryPerformanceFrequency
ReadConsoleA
ReadConsoleW
ReadFile
RegisterWaitForSingleObject
ReleaseSRWLockExclusive
ReleaseSemaphore
SetConsoleMode
SetFileCompletionNotificationModes
SetHandleInformation
SetLastError
SetUnhandledExceptionFilter
Sleep
SleepConditionVariableCS
SleepEx
SwitchToFiber
SystemTimeToFileTime
TlsAlloc
TlsGetValue
TlsSetValue
UnmapViewOfFile
UnregisterWait
VerSetConditionMask
VerifyVersionInfoW
VirtualAlloc
VirtualFree
VirtualLock
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WaitNamedPipeA
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteFile
lstrlenA

msvcrt

__mb_cur_max
__setusermatherr
_findclose
_fullpath
_lock
_strnicmp
_unlock
getc
islower
isxdigit
localeconv
ungetc
vfprintf
_findnext
_findfirst
_open

ole32

CreateStreamOnHGlobal

shell32

SHGetKnownFolderPath

api-ms-win-crt-convert-l1-1-0

atoi
mbstowcs
strtol
strtoll
strtoul
wcstombs

api-ms-win-crt-environment-l1-1-0

__p__environ
__p__wenviron
getenv

api-ms-win-crt-filesystem-l1-1-0

_fstat64
_stat64
_unlink

api-ms-win-crt-heap-l1-1-0

_set_new_mode
calloc
free
malloc
realloc

api-ms-win-crt-locale-l1-1-0

setlocale

api-ms-win-crt-math-l1-1-0

_fdopen

api-ms-win-crt-private-l1-1-0

memchr
memcmp
memcpy
memmove
strchr
strrchr
strstr
wcsstr

api-ms-win-crt-runtime-l1-1-0

_set_app_type
__p___argc
__p___argv
__p___wargv
__p__acmdln
__sys_errlist
__sys_nerr
_assert
_cexit
_configure_narrow_argv
_configure_wide_argv
_crt_at_quick_exit
_crt_atexit
_errno
_exit
_fpreset
_initialize_narrow_environment
_initialize_wide_environment
_initterm
_set_invalid_parameter_handler
abort
exit
raise
signal
strerror

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
__p__commode
__p__fmode
__stdio_common_vfwprintf
__stdio_common_vsprintf
__stdio_common_vsscanf
__stdio_common_vswprintf
_fileno
_fseeki64
_lseeki64
_wfopen
_write
fclose
feof
ferror
fflush
fgets
fopen
fputc
fputs
fread
fseek
ftell
fwrite
rewind
setvbuf
_write
_setmode
_read
_open
_fileno
_close

api-ms-win-crt-string-l1-1-0

_strlwr_s
isspace
isupper
memset
strcat
strcmp
strcpy
strcspn
strlen
strncat
strncmp
strncpy
strpbrk
strspn
tolower
wcscat
wcscmp
wcscpy
wcslen
_wcsnicmp
_stricmp
_strdup
_strdup

api-ms-win-crt-time-l1-1-0

__daylight
__timezone
__tzname
_difftime32
_difftime64
_gmtime64
_mktime64
_time32
_time64
_tzset
strftime

api-ms-win-crt-utility-l1-1-0

_byteswap_uint64
bsearch
qsort
rand
srand

user32

CharUpperA
EnumDisplayMonitors
EnumWindows
FindWindowA
GetDC
GetProcessWindowStation
GetSystemMetrics
GetUserObjectInformationW
GetWindowTextA
MessageBoxW
ReleaseDC
SendMessageA

ws2_32

WSACleanup
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
WSAGetLastError
WSAIoctl
WSAResetEvent
WSASetEvent
WSASetLastError
WSAStartup
WSAStringToAddressW
WSAWaitForMultipleEvents
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyaddr
gethostbyname
gethostname
getpeername
getservbyname
getservbyport
getsockname
getsockopt
htonl
htons
inet_addr
inet_ntoa
ioctlsocket
listen
ntohl
ntohs
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket

Sections

.text
Size: 4.7MB - Virtual size: 4.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 12KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 202KB - Virtual size: 202KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

81fb24115d5dd0de51b609f733724901

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

bcrypt

crypt32

gdi32

gdiplus

iphlpapi

kernel32

msvcrt

ole32

shell32

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

user32

ws2_32

Sections

.text Size: 4.7MB - Virtual size: 4.7MB

.data Size: 1.4MB - Virtual size: 1.4MB

.rdata Size: 1.3MB - Virtual size: 1.3MB

.eh_fram Size: 19KB - Virtual size: 19KB

.bss Size: - Virtual size: 12KB

.idata Size: 11KB - Virtual size: 11KB

.CRT Size: 512B - Virtual size: 48B

.tls Size: 512B - Virtual size: 8B

.reloc Size: 202KB - Virtual size: 202KB

.text
Size: 4.7MB - Virtual size: 4.7MB

.data
Size: 1.4MB - Virtual size: 1.4MB

.rdata
Size: 1.3MB - Virtual size: 1.3MB

.eh_fram
Size: 19KB - Virtual size: 19KB

.bss
Size: - Virtual size: 12KB

.idata
Size: 11KB - Virtual size: 11KB

.CRT
Size: 512B - Virtual size: 48B

.tls
Size: 512B - Virtual size: 8B

.reloc
Size: 202KB - Virtual size: 202KB