cryptbot

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_99932e6dbe1103e83b0468d11bda2808d22d5522f91b78ca6a3c06a5a85b3210
Size

26.4MB
Sample

241222-pm674syldr
MD5

ec5f4896ebbf4f99479a7cf67702a7fe
SHA1

02370898972b286ba636a3b9a5e81eb8a0c2f332
SHA256

99932e6dbe1103e83b0468d11bda2808d22d5522f91b78ca6a3c06a5a85b3210
SHA512

d083822f13472743850924015481532c26dd1c1446f5161d10dd9594f14da75ab7f529607ca56e230f36b552d095d3a974b855475cec3f466894271f7c49789e
SSDEEP

786432:QeZCIX99poc0nbMlFgd4xImQbFngvqOdXS:QeQ48c0bMDzQbFgvddXS

Score

10^/10

Malware Config

Targets

- Target
  
  144755cf70a3ef6c0212c49645891c53ce926ad7e3e626016023d6aecc484372
- Size
  
  9.0MB
- MD5
  
  803d222204c0cd0414b87ec11fa0b012
- SHA1
  
  96023416083824f1b4c83161e9c4d6a5197631d6
- SHA256
  
  144755cf70a3ef6c0212c49645891c53ce926ad7e3e626016023d6aecc484372
- SHA512
  
  f099459e45b115a05a2df128d31a991210279b9a6cb9a4a40b57ecdd4b35442064f4c1390a9ce2c0f6f16b71ce74264ff948c8467b72262dcc21be8e69aea716
- SSDEEP
  
  196608:nTSHflKvlz/1tcko57P7sbsCeQQ3GkGekVH+nxH6+RlDwyM48tnSmgK:nTGflK9z17sE6LxjD7ghgK
Score

10^/10

cryptbot discovery evasion spyware stealer
- CryptBot
  CryptBot is a C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Cryptbot family
  cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  bf712f32249029466fa86756f5546950
- SHA1
  
  75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
- SHA256
  
  7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
- SHA512
  
  13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
- SSDEEP
  
  192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/UAC.dll
- Size
  
  14KB
- MD5
  
  adb29e6b186daa765dc750128649b63d
- SHA1
  
  160cbdc4cb0ac2c142d361df138c537aa7e708c9
- SHA256
  
  2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
- SHA512
  
  b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
- SSDEEP
  
  192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/UserInfo.dll
- Size
  
  4KB
- MD5
  
  c7ce0e47c83525983fd2c4c9566b4aad
- SHA1
  
  38b7ad7bb32ffae35540fce373b8a671878dc54e
- SHA256
  
  6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
- SHA512
  
  ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  4ccc4a742d4423f2f0ed744fd9c81f63
- SHA1
  
  704f00a1acc327fd879cf75fc90d0b8f927c36bc
- SHA256
  
  416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
- SHA512
  
  790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb
- SSDEEP
  
  192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  InterVpn/bin/InterVpn/intervpnmix2.exe
- Size
  
  2.1MB
- MD5
  
  e9eb8d2f63357b49faf245057fdc66d1
- SHA1
  
  3ff0a75822d6f351fb6ab1f3efe894db9ce3f0f1
- SHA256
  
  3ec68f4ebe52f084c10fa533d260beec237f5cb40ac2d7ce0e77860bce8f41e5
- SHA512
  
  14da458ac137a62c1125ed9e2d9c0501d183cc6a948bed82d2d46c449880304a8b7adda32e30caf9b4404eb8b3a16e51b9d3e8e35f0a67bf34e9ff96335c7f81
- SSDEEP
  
  49152:Stndlh65vE6SZMn290zB9MCtJwzEBn+JiAW7ujqKAUkOoYApnHZRMz7:uDYNtJ6JHd+EMpHZRs
Score

9^/10

discovery evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral11 behavioral12
- Target
  
  InterVpn/bin/InterVpn/vruns.exe
- Size
  
  2.1MB
- MD5
  
  1490ea3019282b9fd5825bfd6f73b1cf
- SHA1
  
  fa2c9a028db4dd83fa80fef8c90ca2bf34dc881d
- SHA256
  
  8f01777956479851c4c5dd06845ba0d4561b2a085472460447d10b46d4b89487
- SHA512
  
  bdf82235c3a3b94360c4e2507c6adb07d1731fff16b9d9038f9faed34ee55d60b70d9ca24a2f2baba7fcd4c95716d52590ed62a7802c068a8ae35d5213dfaced
- SSDEEP
  
  49152:pqDYHrp6q7Mgk+fSdHspFpgmDHI/LiVN955NjxvtEpAL7Mc:4aPfSdMT1DGgNjxlEp3
Score

10^/10

cryptbot discovery evasion spyware stealer
- CryptBot
  CryptBot is a C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Cryptbot family
  cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13 behavioral14
- Target
  
  InterVpn/bin/liblzo2-2.dll
- Size
  
  170KB
- MD5
  
  748c9e77053d3dec8bf238ae9c56f2ca
- SHA1
  
  eb2d6b4c0188bbf9a587c46e4de30c6e72133153
- SHA256
  
  a14881455c37240928d4ed3d95c44181675f685bc201ea97733dff346c34d97f
- SHA512
  
  31b744a57105d122d2150b5ab793620b73dbc28788be8484fa682e1cf6857f01102034e220b63d5709f6baa44b547df94e2c8aad6b5124b91e105e42d258e40b
- SSDEEP
  
  3072:qFJHDA3pJjFczZLhvZVxxC98SVUrSlUCV7rSJk/LFEc:p3ZIwEc
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  InterVpn/bin/libpkcs11-helper-1.dll
- Size
  
  109KB
- MD5
  
  63b23a24778f3ef27bd53afa3115f901
- SHA1
  
  49fcb47e8ab2dd180dbb946df580794890f5292b
- SHA256
  
  cc9ec9f9a54706d02f63cc4f46ca567812c1f0669451e94096f5358b00893be6
- SHA512
  
  bd7339e3911ab75ddf805555e0f59e65927f1539a5561b22456e25f3d1868fb42d89cd95eaa96c3335fef7d3ec2a21ff7c53f04961fedc5e374f43f4070df58c
- SSDEEP
  
  3072:iTkZbJ/CqOFvICeSPUbT3Xf0j4smxh9QQU7kVTAHluobjrHEN8gE:PaVVeXT3XfVxh9QQU7kVTAHluobjrHEQ
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  InterVpn/bin/openssl.exe
- Size
  
  839KB
- MD5
  
  c83c031e79b4610f1ce6810c3af3e749
- SHA1
  
  60d327ae70ca7ddf93a5d14412be3b21493172c2
- SHA256
  
  90d258ea786e831b8089abf0d98c9a756f62d62b87a6b40f7da9c8881ea0b3cd
- SHA512
  
  49d274c5f4ccddda28751a1a6271888c32188a192b9ad9c224832b51af0b474225d75c6ac51e61438b7a9f956b1ba78fef7a5392759a3d38fc4ddd1d7772e464
- SSDEEP
  
  6144:BPkFXcecHYKlRvECAce+kTICfNE8+Gxafe4WvmlN2Zs5FEWBOOL/HADxU2w6trJs:BccgNSoeAA8wsJwkKBKibN
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  InterVpn/bin/openvpn-gui.exe
- Size
  
  420KB
- MD5
  
  d60536a568fcfdbdf5ffc46c1e22e7fc
- SHA1
  
  7779b4ad53d6f162b11c22cfc0e6788c872a2979
- SHA256
  
  f0a19b073992899ba05b91317aa6522d36344eb0caf5dc09adc11c24e020fb92
- SHA512
  
  dab26e87d66d65e727733e16f3234585f44f8ebbf969c9fd20d4fc55a973820cecfb6218e1b5da98eecdae111473a839cab7b128687808676801bce25558c4c2
- SSDEEP
  
  3072:BM3+qI2lj15GL+RIfOARQw5e4oD6yDpYFG3d0+H2LbYDynkDt2an/8eVvscN2z/5:mhoCb4oKSzK6vyjdNtP
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  InterVpn/bin/openvpn.exe
- Size
  
  710KB
- MD5
  
  cfd7d6bf137c7f68845fe771927201f0
- SHA1
  
  2bfb07e8d5f39a706cd47ae03deee7d2eb4303a0
- SHA256
  
  11d1d48f0994cde7b3bdd273d9bc35f3d5cac7783f75ef81bdd323fe88746f6e
- SHA512
  
  dfbad890037291a534da7c534b49ec70ecc9a044ee0d8508654696819d88b5b4845b81b2e1aecd5475dc62e0d9a0d1c147524c70940a4e96c4e1530e257758d6
- SSDEEP
  
  12288:Hlf0GQe7i+1XwxoKP36gS4koE+ujDoYIWCufSE3iTJ93krUFUmg8fegt:axtS4ko88CCufSE323krUFBg8fegt
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  InterVpn/bin/openvpnserv.exe
- Size
  
  31KB
- MD5
  
  ad4eb6a3fb038c2e215bb06262d4009a
- SHA1
  
  9410b1d326a47b166e36d38436ef6fbb6bda572f
- SHA256
  
  778e25079650d094337df094f4c262528c7d983ead52194795b4b033c17686ae
- SHA512
  
  6dc640730a5724de687b805699e51595a1f08b16bc1596564b89cd580deee7478113a4296c3de677f96d4501f4f40a4e36d7d4c1f6993d4dbb7199b0e6edfa14
- SSDEEP
  
  384:jWZZlmdx9bg7uB2iqfs+xCVaqBCikOGeafT3s7fDWuMBDKBrjQF+CvST5tvDGbK0:jWrlmlbx2XOzAlfra8BD43uwDGbKg1v
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  OpenVPN64/bin/libeay32.dll
- Size
  
  1.7MB
- MD5
  
  ac437e02e5b382f329f95eb241732ee1
- SHA1
  
  c3565cb4455c969437d93b7898de2cd07f8b7741
- SHA256
  
  c73f34a8fcef65c1577b00e87971bf77e4f0d6adf17ac3b5affb93ead384f9a7
- SHA512
  
  3563ffe9711b5b50c9e35f275ae80eff33fd867ecb7a61488e8136832e0854f7c4979dea3eda6b9dbdec5c2347f5a8f1d7e604f7c6db10dad7fb65f6155d31b9
- SSDEEP
  
  49152:K383TiGa1Io86Zwwq0A94y7ZlaAxMx3QfEfra:Kw291Io8soTla/Zfra
Score

1^/10
behavioral27 behavioral28
- Target
  
  OpenVPN64/bin/liblzo2-2.dll
- Size
  
  221KB
- MD5
  
  43aeef5b6ec15683f7bcdc7042767d86
- SHA1
  
  e353824729bbdb198fd0cc4f4773d0a79eb82a7a
- SHA256
  
  16a8734304a6f67b02d74b8eae72053daa204d4f9a8792d2bc74ca8eb1a1ca97
- SHA512
  
  d8e97f5e73c8e8e363272509c54b524d7305f2c4bb76d5d3aeb386225cf585d495a8b635058d245cc47296fdd0dab1c425978a23d51e71bbcb68e57b408e0bd3
- SSDEEP
  
  1536:5luJQbPPmzPQ2Kn8r8FwvLbWj4EuwWiF37/eZ:vzP+P579v/WjWYF37Q
Score

1^/10
behavioral29 behavioral30
- Target
  
  OpenVPN64/bin/libpkcs11-helper-1.dll
- Size
  
  120KB
- MD5
  
  4f53937cc7a8b29dc2727926cc51c35e
- SHA1
  
  bf4173ebe91643c728fd1f23c8c6828e93f8af98
- SHA256
  
  cc2600e135a13ab57f9058246a41900320f0cfc0f91bc7f27706e8cbce4ebddb
- SHA512
  
  e79823028d2ef2071ede0206676886886c18ea9b34bf71b02b384c0258f0164cb2a4769055d5676a1266bcea6687aff84cb17996af8a1cc36a3166584f44d7f3
- SSDEEP
  
  3072:drTfD84ULMskuJiUBpABbr+RixR0QQU7k1TAH1OobTr8qQ1EsQGF3s:RLDnUL6uJrBpAd+8xR0QQU7k1TAH1OoP
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Cryptbot family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

CryptBot

Cryptbot family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32