cryptbot | 5af391be90cda339cdd429d328f31292dd1018dd6817da3a5d989c2641a7050b

Analysis

max time kernel
92s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe
Size

740KB
MD5

e458dc2ba9e161ea08ff8bebea2a469e
SHA1

33c3d82ad1a6ae6025f3c6d7230b7182da4b0765
SHA256

a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3
SHA512

f798ec39f39ecff88ed5092751e4500f4f7542e74d4b4c118b1dd85c390186d00b543aa9f26d6baf1317993bd7ee360177eb32b5c698d0356be3bbf1cb7d9eb1
SSDEEP

12288:0LbDQ1c1lf8x4vIN92yhfgO8B8dpSfWGklyqJ64Ocg8PZCpdnvkv5:0LXQ1c19e44jgN8dpWWGvw6zcdhIdnvo

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

remdvz22.top

morjgs02.top

Attributes

payload_url
http://sulsxq03.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 4 IoCs

resource	yara_rule
behavioral2/memory/2124-2-0x0000000002360000-0x0000000002441000-memory.dmp	family_cryptbot
behavioral2/memory/2124-3-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot
behavioral2/memory/2124-231-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot
behavioral2/memory/2124-232-0x0000000002360000-0x0000000002441000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2452	2124	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4296	timeout.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2124	a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe
2124	a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1532	2124	a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe	91
PID 2124 wrote to memory of 1532	2124	a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe	91
PID 2124 wrote to memory of 1532	2124	a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe	91
PID 1532 wrote to memory of 4296	1532	cmd.exe	96
PID 1532 wrote to memory of 4296	1532	cmd.exe	96
PID 1532 wrote to memory of 4296	1532	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe
"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\PakSFfHB & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1292
  2⤵
  - Program crash
  PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2124 -ip 2124
1⤵
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PakSFfHB\HIVQHP~1.ZIP

Filesize
246KB

MD5
295c550a25c382000cebdf38e3c6b1c6

SHA1
ca2a7bc66528ad7530ec14aca47d55ab8a5a862e

SHA256
a77b1be3e0112a7808036f297079aaf3075261c94cfce4a1135e14fdf3ac115a

SHA512
edae73376bfb9e6a65d83bca34bc18c80581d3bacd2a4194d8e8e3b6ba524165bc7d9bd829c211058c1ee556142f113b79f9ab8b3645c3f4844ee52f18a26c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PakSFfHB\QKCIBO~1.ZIP

Filesize
246KB

MD5
aefb7628602aa8d9d6f05026113250da

SHA1
5fde31dc669379440c53b01d054aee7e331ce2b9

SHA256
529f06f040cfb5139d92bf46f96e8e6710426b1ac84a73df93f472ad0cc4c267

SHA512
1f262492a543827420bec1d69ba0cee49bb345fc84c1417611f4db68678c8a3dd1c87851cd4ba9c2d558cfa34c1831e4a7860075c322e50776664a255b55afb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PakSFfHB\_Files\_Files\ConfirmUndo.txt

Filesize
200KB

MD5
2c180a1c027b9ef4cb4d547711599fb5

SHA1
91e64861007bc19708976cc0435195ab80294427

SHA256
08086384d80819cdec75a2e0aebeb2dd4f9a4137e2cdfa830d4cb8a59eda2091

SHA512
386ec37e9abaeb365e4dd788084b9db048ce21b2fb4547ccbf5a11921a31d26dc8b2a56c0c2f86c5e66beef335afcb3762e5fcdd938de1eaa1c13bcfe8b36819

Download Submit
C:\Users\Admin\AppData\Local\Temp\PakSFfHB\_Files\_INFOR~1.TXT

Filesize
7KB

MD5
3d62c9262e60e17f6518df2562f67082

SHA1
ae808083b5d0c25483d417c8d19dbdf3241e0325

SHA256
e97013cdd059617f3fa8f2bb20dedeab7fe26d99e72d69f9a83bfded96c5b82b

SHA512
936a7986f3f363b72de50a4ab07de2b7b9cfeaa80064e4ebf6c3d350579cd03081dbf15ef50ed90673eb73b4c03dd3d40cd2a6035dd0a6e74803f9523c51d6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\PakSFfHB\_Files\_Information.txt

Filesize
1KB

MD5
22625fc24b44f2ffb71ef73ee16296be

SHA1
e89c8edbc27b60a358978ab54cad9695ce451d71

SHA256
54b329247e0554ab487da4d9a43a750b9bec9a648796ee20bb3f75d03a1df49e

SHA512
80f911658a61a2de1fbb0cd3b7bb5aaca920e0425243c62e0e4396d1861e583b268350fd5981edbeb63f2b7005390dbaefb87bc7b7e0afcba69392b6e84451d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PakSFfHB\_Files\_Information.txt

Filesize
4KB

MD5
5358d76849455be26e4f4c8b919e722c

SHA1
66c784b3916e1c514ed999782c650b329cc39621

SHA256
ee469ce92647293a8e070ddd2e8da295826b55db4bbf265796bcbda1da07a672

SHA512
709ff675d830f1e9b7e08667e3dc77648f8e40f924fe2c129c2c050cecfcb42da2f878359e5c409dd21c1f9ae713d8e4399c1700615f86d4c5ee0059d05f5ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PakSFfHB\_Files\_Screen_Desktop.jpeg

Filesize
51KB

MD5
89e73106265232bd1c7c5b61f9242623

SHA1
4d998354f37927776881dbee985a7f00e2237bc5

SHA256
bd686dc1008378a2b9f151096335d28889a86336af11daedf1f4b44bbe567688

SHA512
e709fd8583718a45aa98aae00439e0010e02e9e23216202f542c92ae18b58eecf7b618c380cf3eb9188df3b21bc62d0742d808a7f669f541cb1604beacdb754d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PakSFfHB\files_\SYSTEM~1.TXT

Filesize
7KB

MD5
8533cb428fd9e02f285cfb1c90be198c

SHA1
bfd299c369eec023ad5ecf2c563b6406a20b5a09

SHA256
0c4df0f4abc228d1faecb6d16f99748f93d987c1183d257beed625d0eeef2c88

SHA512
ba8345c9dd68b888188af6cd1e0dbc6f602772a23435cfadd15260740ea4cf96a3999ba55ee2286beea0e6faf79b104f242ff7fd4f2fc7911abe0343ed5fd4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\PakSFfHB\files_\system_info.txt

Filesize
1KB

MD5
fc396ae774fe50e2ea9f57d34fb261fc

SHA1
e7dcbf74f497b2d01a5b00afa8da9df2cdc0719c

SHA256
d158f617730c8492b674e5099bfe7ed484b57b8ae360a768cc56a2615fa23b56

SHA512
ade5d60e79e71cb950e6f52f5e59c29959528cc5ee151b74c4080553f554be1cd1eb6630247bab67e94eb66a856462c0805be6d0d96eac6d850abd41743c5fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PakSFfHB\files_\system_info.txt

Filesize
3KB

MD5
fbbae85859e075bc9db18f22293d2348

SHA1
1e7a3c7d2b3020e4b84542e9d11207cbd6a0dc70

SHA256
442b86be94c23544f850e129f6a779eafff4dc52fe12645d83bcde8fd3e16f27

SHA512
4419bfe2baebcc11f8b8c54368f56cef77255c4c52d2b65fbeb68db0fc29c20fd1a30d0e8a767b114c33c222b13316bde21fd40508ae148e80e384a79b6256dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PakSFfHB\files_\system_info.txt

Filesize
4KB

MD5
df419f636d12ef5b386267dfd9e0eb80

SHA1
820a778dde417cf1a5c27364c98951cbe1ff1d39

SHA256
8f5f289bf8f07ba2ed23fe567fc33d16e565250c6903acada1a1a330eddce68d

SHA512
9e177f51796b73bae0409a7b926fbc4a3628dab530cf14a9acc0d8fb696179ddcb7617c53f9c937d54a0723efc5e8af199a1a6884f00cc2580a880eea5018512

Download Submit
memory/2124-231-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2124-232-0x0000000002360000-0x0000000002441000-memory.dmp

Filesize
900KB

Download
memory/2124-230-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/2124-1-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/2124-3-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2124-2-0x0000000002360000-0x0000000002441000-memory.dmp

Filesize
900KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads