cryptbot | 791661fa93116cdaab35d2beb8880f8f3ca02a586bd433c97264f8fff305dc3a

General

Target

sample.exe
Size

1.7MB
MD5

e8ae1f3a412dd275335e8f0dc99a06f3
SHA1

9dd718b9536101926ae8e41be15ed1fe629d3d59
SHA256

6c8314cb40fe0f4bb65c307c8128332c62accce1581e1442ee7daac1d1847a85
SHA512

27b409331795ae4ca8bd312306c3465f96eb79c2ef3d27cf283f74d81513fa18c79b81a648143da46eb3838d29aae02654daa76c32254ee5aceb95ca1d7e6824
SSDEEP

49152:y2dYg2a/9AI4WJxMwmQYoiFPbfrJ8SMECXLzZtBtJ1Kvs3U:yWYg2aFASheoiZGJfJsvgU

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 3 IoCs

resource	yara_rule
behavioral1/memory/2896-27-0x0000000003B00000-0x0000000003BE5000-memory.dmp	family_cryptbot
behavioral1/memory/2896-28-0x0000000003B00000-0x0000000003BE5000-memory.dmp	family_cryptbot
behavioral1/memory/2896-29-0x0000000003B00000-0x0000000003BE5000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot

Executes dropped EXE 2 IoCs

pid	Process
2900	Riaprirmi.exe.com
2896	Riaprirmi.exe.com

Loads dropped DLL 2 IoCs

pid	Process
3068	cmd.exe
2900	Riaprirmi.exe.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Riaprirmi.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Riaprirmi.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2064	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Riaprirmi.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Riaprirmi.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2064	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 2184	772	sample.exe	30
PID 772 wrote to memory of 2184	772	sample.exe	30
PID 772 wrote to memory of 2184	772	sample.exe	30
PID 772 wrote to memory of 2184	772	sample.exe	30
PID 2184 wrote to memory of 3068	2184	cmd.exe	32
PID 2184 wrote to memory of 3068	2184	cmd.exe	32
PID 2184 wrote to memory of 3068	2184	cmd.exe	32
PID 2184 wrote to memory of 3068	2184	cmd.exe	32
PID 3068 wrote to memory of 2068	3068	cmd.exe	33
PID 3068 wrote to memory of 2068	3068	cmd.exe	33
PID 3068 wrote to memory of 2068	3068	cmd.exe	33
PID 3068 wrote to memory of 2068	3068	cmd.exe	33
PID 3068 wrote to memory of 2900	3068	cmd.exe	34
PID 3068 wrote to memory of 2900	3068	cmd.exe	34
PID 3068 wrote to memory of 2900	3068	cmd.exe	34
PID 3068 wrote to memory of 2900	3068	cmd.exe	34
PID 3068 wrote to memory of 2064	3068	cmd.exe	35
PID 3068 wrote to memory of 2064	3068	cmd.exe	35
PID 3068 wrote to memory of 2064	3068	cmd.exe	35
PID 3068 wrote to memory of 2064	3068	cmd.exe	35
PID 2900 wrote to memory of 2896	2900	Riaprirmi.exe.com	36
PID 2900 wrote to memory of 2896	2900	Riaprirmi.exe.com	36
PID 2900 wrote to memory of 2896	2900	Riaprirmi.exe.com	36
PID 2900 wrote to memory of 2896	2900	Riaprirmi.exe.com	36

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Palme.pptx
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^afFlggFLbJFsDNAfJSVgbojKkIWOZApycnsavZoodTulHqpnyHZBBqOprVZGsRLXAmVyviSKJNXDweelnbJaAHDcJifBZCQm$" Fummo.pptx
      4⤵
      System Location Discovery: System Language Discovery
      PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com
      Riaprirmi.exe.com X
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com X
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:2896
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.pptx

Filesize
894KB

MD5
fb3eedc237bcd9e8b3dbd243fb44df97

SHA1
bdacf4c39747376f597540b7a945fdf3546ca1ba

SHA256
0ef6c6178b1e38494dac9cbdf93079f36eb3606fdb943b2764544a278de3d741

SHA512
a3eb1da9217ce597a6c486161f93083f7179e93fb2de9d2b71e937c67910a4b503e47b4ce3f312477e8e4a3b54248f8342779ce12125e15c70ed0d41c489873a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fummo.pptx

Filesize
872KB

MD5
eb070a58d3fa7694f2ab534c8444f14b

SHA1
c5b6d3035ca3e85ea8d07977cbc87731c4bd4d86

SHA256
6d7ebfa3caadf591892583ff214e4235c1493a002a9e284dfe9cdd3c73e6650e

SHA512
674b99d046feaacc6abfd44ac3a349cf9b5ac47c76e15063e7d810bee038b98507a1e6a004a3b378cafb855321f5fe881b8deb6b326e59b74cb239d9320855ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gli.pptx

Filesize
568KB

MD5
3b8fc1dc6f3ef4273165994c6816f7d8

SHA1
36e1a04a69d0b65320adadf726aa505131a7d22c

SHA256
0e633c60415e22a9a60316c8b7a731ceda98955db1fd8f3f664b7750fca74b44

SHA512
c4f6b2276ba0e2fcded7585eba2dee6cacf267083e9661c3a653a2c1e832a54f89ca1e2254554c47418b6ea8f3f75ee7f5a812ca91b744c96fb3e87a82d27246

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Palme.pptx

Filesize
353B

MD5
143248a4649a30656e98074c8ca159a5

SHA1
d6595b66a26c008df3663edda3fc107002b51796

SHA256
03b9bfc6d9b9afa9dc6f6e9294f78e0750f0cc3250482356942cfe8ed7f3938d

SHA512
fc9d4e521ae2d137c44a6ae31a5a822072fa0d6c4eeb9298bb4cd4f399abb29be5e0dfcc9ae4890f892d561ba17be38d4b336e4fc9b621061f559e2a00df75bb

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2896-26-0x0000000003B00000-0x0000000003BE5000-memory.dmp

Filesize
916KB

Download
memory/2896-25-0x0000000003B00000-0x0000000003BE5000-memory.dmp

Filesize
916KB

Download
memory/2896-24-0x0000000003B00000-0x0000000003BE5000-memory.dmp

Filesize
916KB

Download
memory/2896-27-0x0000000003B00000-0x0000000003BE5000-memory.dmp

Filesize
916KB

Download
memory/2896-28-0x0000000003B00000-0x0000000003BE5000-memory.dmp

Filesize
916KB

Download
memory/2896-29-0x0000000003B00000-0x0000000003BE5000-memory.dmp

Filesize
916KB

Download

Analysis

Sharing