cryptbot | 6c551a1172a33d11b974f02a5e5489f851fcf1899e877c7e59abd2f650526c19

Analysis

max time kernel
151s
max time network
177s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe
Size

4.3MB
MD5

7b65065d72848703e2aa7a8788e182f8
SHA1

939281d92b016157bc32a36876a957fa141dcce3
SHA256

1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede
SHA512

cba2b883a103adaf2060138ee58f2e1a98520dca5e55b979584c49e42cf36af5915d5b95c7a00cee04766f9808a9dede3ad31d730f8f9873f44809855e3c30a3
SSDEEP

98304:TNdyDF7++aTkQE/v3+zaAZqgv8uQwr50etXoy6FB/S:TNdyDF7OpNqgvLQWtYlm

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

nkoopw11.top

moraass08.top

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 15 IoCs

resource	yara_rule
behavioral7/memory/1624-281-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-282-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-284-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-286-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-288-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-291-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-293-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-296-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-298-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-301-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-303-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-305-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-307-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-309-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot
behavioral7/memory/1624-311-0x0000000000FA0000-0x00000000014AC000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	drop_9.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2900	cscript.exe
6	2900	cscript.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	drop_9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	drop_9.exe

Executes dropped EXE 1 IoCs

pid	Process
1624	drop_9.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	drop_9.exe

Loads dropped DLL 9 IoCs

pid	Process
2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe
2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe
2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe
2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe
2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe
2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe
1624	drop_9.exe
1624	drop_9.exe
1624	drop_9.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	iplogger.org
4	iplogger.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1624	drop_9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drop_9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	drop_9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	drop_9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1624	drop_9.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1624	drop_9.exe
1624	drop_9.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2900	2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe	30
PID 2896 wrote to memory of 2900	2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe	30
PID 2896 wrote to memory of 2900	2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe	30
PID 2896 wrote to memory of 2900	2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe	30
PID 2896 wrote to memory of 1624	2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe	32
PID 2896 wrote to memory of 1624	2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe	32
PID 2896 wrote to memory of 1624	2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe	32
PID 2896 wrote to memory of 1624	2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe	32
PID 2896 wrote to memory of 1624	2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe	32
PID 2896 wrote to memory of 1624	2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe	32
PID 2896 wrote to memory of 1624	2896	1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe	32

C:\Users\Admin\AppData\Local\Temp\1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe
"C:\Users\Admin\AppData\Local\Temp\1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\cscript.exe
  "cscript.exe" s1.vbs //e:vbscript //NOLOGO
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\sib8326.tmp\1\drop_9.exe
  "C:\Users\Admin\AppData\Local\Temp\sib8326.tmp\1\drop_9.exe" /s
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsz81DE.tmp\Sibuia.dll

Filesize
524KB

MD5
6a3c3c97e92a5949f88311e80268bbb5

SHA1
48c11e3f694b468479bc2c978749d27b5d03faa2

SHA256
7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9

SHA512
6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib8326.tmp\0\s1.vbs

Filesize
128B

MD5
1cf3e84b845eb5445709cfe1ddc132f7

SHA1
3a7949cb63194b5b5104efa14db9ef7a0a98a75c

SHA256
375c39454e63e5be7265734d48eca452dd841c71fceec240795d22e8b9bde9f0

SHA512
86616c5df3c1fae184cf0d0f0d8051dfcbf4c843f07a93da9eeb16d27a38e28acf72b1dab7ffcff56e07f672f0b5c41c036f6b59f9ab4fb78abcacd522ad6249

Download Submit
C:\Users\Admin\AppData\Local\Temp\zk1lZnKJUk\_Files\_Information.txt

Filesize
4KB

MD5
09ee6b6cf09097c24a58f4750e3cbb98

SHA1
2bc7d82afd4b4f63a66b6aca9578128578277117

SHA256
7676d5d08d70a99ef58aab569864a3396ce6fe3ca105c18cbcb61313fd15ac07

SHA512
94b97168f200718477c8a5a50de52245bbaf046052d0c784b7c4a7319d38a7f1fe8a482c173e2b4bf7aac78779103664767642f82ad68c3719e3b03ea187a681

Download Submit
C:\Users\Admin\AppData\Local\Temp\zk1lZnKJUk\_Files\_Information.txt

Filesize
1KB

MD5
65e4389702e976a6a9cf711a97589e44

SHA1
e4865f24f9d99f99bfa9de47dac7206eda04f393

SHA256
138c7f9ac9e877f47bc62f112fa226fbe1fc7a0d0425d976d99302a532f76170

SHA512
25bf64199f2935145123cfa21366685b23ca60026cc9dc04a8491fb217d7d307d55c8bfd037bb731491e13cf951c43747a63b7b53f38d038d48116a68d206c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\zk1lZnKJUk\_Files\_Information.txt

Filesize
3KB

MD5
c52f8e8db61a2a7160eba0ff4bd26c75

SHA1
c220718ee275840a3265cb090687b9b5383a85b9

SHA256
80cd11fad20d5e119137518fad9e0245178aa586bd920ce6fbf955c686d25562

SHA512
85e06443d5812342823c02681717a1cda51442f8894d081d4600c0a32f343580c2a572e70820d0eb6f1d2f849ee4ae032062e3cf7d518be84734d5777913ca0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zk1lZnKJUk\_Files\_Screen_Desktop.jpeg

Filesize
43KB

MD5
2769a6b33a2e8826e18bbe0f0a903a1c

SHA1
1b6f561a0a0668b398e9de68ea4430869b831c21

SHA256
e0765c43640160ff46672d58fc2d2c8eec0a1056e073f726e8ff2d3420a59ec4

SHA512
70a4fe6d358fbd5ec4c6b05092876ed9419336bbb7b6e45184f01c4335cd7e10284f5a062f78495704b87eebf8336d2e0d4f8872679b69e0ca759353b5e9e704

Download Submit
C:\Users\Admin\AppData\Local\Temp\zk1lZnKJUk\f8hG7sVD0Td.zip

Filesize
36KB

MD5
e0a38577a2b8e2fe7fc1c8be637a0612

SHA1
f5ba18995fd8e3f4e1a2dbd8ddc74d81cb7f2f9f

SHA256
82e9418f111a80c4e4f87429f072522b895e0d4f732aaff8e260935f538a5204

SHA512
38d1ab5a907ef8e8c319d5fdfee88cb22f0dd2383706b230f9e692a1abef2833d0b297e75bfcafb6831f7fc1d3bf5e83c15eb157a234ab888b6a57d310248e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zk1lZnKJUk\files_\system_info.txt

Filesize
1KB

MD5
eec32ed06ac98308135c9703453ede80

SHA1
f0e6a4ef66de385220fb5dad76400611589bcf74

SHA256
0d85a7d0d4958e9cebbf9792763eff4f4ff049922ad4ee70ba9fea878b1ccd00

SHA512
c0f7471b0b7aeef08cdf9b197a0d1b404a32b1889d17d10ca28dacf70bab2345f7dfed18bed0a5bc217c0d8d32c1c9bb8b13339a13eed0b53c0f53dabfb65307

Download Submit
C:\Users\Admin\AppData\Local\Temp\zk1lZnKJUk\files_\system_info.txt

Filesize
3KB

MD5
01b6c395ccafc7e40de86e0ddfe151a2

SHA1
8be994fb1bcc965a08f683fcfa468fc4d62eef9d

SHA256
85feedcaecb6359ac374d286b9e85bc17db1e77038638b1cf4e90a4b6f712057

SHA512
6015c1bbb6ec96fb91baa973e38d7d37161cc59649baefd4e86abdbbd0e92909b071c47ea130789243384a3ee71e22ec76d586ec8263758245d35e32aa356805

Download Submit
C:\Users\Admin\AppData\Local\Temp\zk1lZnKJUk\files_\system_info.txt

Filesize
4KB

MD5
44b051b824cf54051ca18c77cf50b7dd

SHA1
eeda2e0829a3504a4395b1e42ecd9b9662f654c9

SHA256
0a3c1c4a826f6073711642b3d48bf1f1f3d7933d22e1e475985f19e0294244c8

SHA512
1f4ad8f9abff60b9f524310c02b15d6b51c9aad8e3faa268a9a357a96eaaec0e32cd7926eff2f92439e11f4790f90a802f3f99c3d2c21c5ad9ca98998fde9869

Download Submit
\Users\Admin\AppData\Local\Temp\sib8326.tmp\1\drop_9.exe

Filesize
2.1MB

MD5
ed71169dab161fb6c36c7b74e9abc06b

SHA1
5b46dd11936835f69804c91417052400bd3c5987

SHA256
2e0598f56a2e828f1369af9120aa1561d8e0a367879e555f5b2ef9a433007566

SHA512
62e70ff27257b363dfa50295ddc2e8af1f8750c5faf14a172fc1ff1cfc040a832075e169d2308766a21fc3b96b6232b04102db805ff31e4f601f0113b62c1085

Download Submit
\Users\Admin\AppData\Local\Temp\sib8326.tmp\SibCa.dll

Filesize
4KB

MD5
9387a23581b2d69d911958e615a65481

SHA1
c7477e70b87f168bc30e29446e0a7f9c7fd20b3e

SHA256
85930be70ceb7d6a4933558dde9d91f84b12db4a9f8515f949fecfb4b1609bc2

SHA512
846e3bb85f81fce9be861e5f9edce3dd8a080fcbc4052cf281723b659ab86fa5d17500ec799873b0b5f6a2a7d14773577fee74f64e2f88f5c212345b7a44052f

Download Submit
\Users\Admin\AppData\Local\Temp\sib8326.tmp\SibClr.dll

Filesize
51KB

MD5
5ea6d2ffeb1be3fc0571961d0c4c2b5f

SHA1
902dfe9ae735c83fb0cb46b3e110bbf2aa80209e

SHA256
508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222

SHA512
e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

Download Submit
memory/1624-59-0x0000000000900000-0x0000000000E0C000-memory.dmp

Filesize
5.0MB

Download
memory/1624-301-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-311-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-309-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-58-0x0000000000900000-0x0000000000E0C000-memory.dmp

Filesize
5.0MB

Download
memory/1624-307-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-305-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-303-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-57-0x0000000000900000-0x0000000000E0C000-memory.dmp

Filesize
5.0MB

Download
memory/1624-286-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-298-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-296-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-53-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-293-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-291-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-288-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-281-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-282-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/1624-284-0x0000000000FA0000-0x00000000014AC000-memory.dmp

Filesize
5.0MB

Download
memory/2896-16-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-10-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2896-24-0x000000000E590000-0x000000000E598000-memory.dmp

Filesize
32KB

Download
memory/2896-17-0x0000000010950000-0x0000000010A0A000-memory.dmp

Filesize
744KB

Download
memory/2896-50-0x0000000028980000-0x0000000028E8C000-memory.dmp

Filesize
5.0MB

Download
memory/2896-172-0x0000000028980000-0x0000000028E8C000-memory.dmp

Filesize
5.0MB

Download
memory/2896-14-0x000000000E540000-0x000000000E552000-memory.dmp

Filesize
72KB

Download
memory/2896-15-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-63-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-62-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-61-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2896-18-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-60-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download