cryptbot | 4e0cbe9c0d9d6734b69aa74e0494f5f4d24094dafa15985e0bd1d81c9a29b55e

Analysis

max time kernel
93s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install (21).exe
Size

1.8MB
MD5

961ed865e49001eab634e7f1d49d4865
SHA1

ac28f77d1b75703518ebf6df8cdafa77da9a08aa
SHA256

00bea63783ba58ffe8a63b70aa5c4c019491bed0a92ed17148836409ab7e5cc1
SHA512

8d13430e0fd68959239475082822a11e681f3923471ba0cbb7bf906da86fc940b19a1e81e2a1494deee5b6fe08da8bc6ab715dcd08edb5a4f9755e39a4bbdd4a
SSDEEP

24576:L3hOb1cU1l+aHBs8D3tCXG5IfsvYAPzTvW/SWlWIPqz0beYU2Z5gsUtR/VUTUb3/:LxOpmX70uDMQDU/FVUTURHinXuaa

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 3 IoCs

resource	yara_rule
behavioral28/memory/5064-24-0x0000000004B50000-0x0000000004C35000-memory.dmp	family_cryptbot
behavioral28/memory/5064-25-0x0000000004B50000-0x0000000004C35000-memory.dmp	family_cryptbot
behavioral28/memory/5064-26-0x0000000004B50000-0x0000000004C35000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	setup_x86_x64_install (21).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Pensieroso.exe.com

Executes dropped EXE 2 IoCs

pid	Process
4524	Pensieroso.exe.com
5064	Pensieroso.exe.com

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pensieroso.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pensieroso.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_x86_x64_install (21).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
396	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Pensieroso.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Pensieroso.exe.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4804	timeout.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
396	PING.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5064	Pensieroso.exe.com
5064	Pensieroso.exe.com

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2144	1724	setup_x86_x64_install (21).exe	82
PID 1724 wrote to memory of 2144	1724	setup_x86_x64_install (21).exe	82
PID 1724 wrote to memory of 2144	1724	setup_x86_x64_install (21).exe	82
PID 2144 wrote to memory of 1652	2144	cmd.exe	84
PID 2144 wrote to memory of 1652	2144	cmd.exe	84
PID 2144 wrote to memory of 1652	2144	cmd.exe	84
PID 1652 wrote to memory of 2208	1652	cmd.exe	85
PID 1652 wrote to memory of 2208	1652	cmd.exe	85
PID 1652 wrote to memory of 2208	1652	cmd.exe	85
PID 1652 wrote to memory of 4524	1652	cmd.exe	86
PID 1652 wrote to memory of 4524	1652	cmd.exe	86
PID 1652 wrote to memory of 4524	1652	cmd.exe	86
PID 1652 wrote to memory of 396	1652	cmd.exe	87
PID 1652 wrote to memory of 396	1652	cmd.exe	87
PID 1652 wrote to memory of 396	1652	cmd.exe	87
PID 4524 wrote to memory of 5064	4524	Pensieroso.exe.com	88
PID 4524 wrote to memory of 5064	4524	Pensieroso.exe.com	88
PID 4524 wrote to memory of 5064	4524	Pensieroso.exe.com	88
PID 5064 wrote to memory of 1580	5064	Pensieroso.exe.com	98
PID 5064 wrote to memory of 1580	5064	Pensieroso.exe.com	98
PID 5064 wrote to memory of 1580	5064	Pensieroso.exe.com	98
PID 1580 wrote to memory of 4804	1580	cmd.exe	100
PID 1580 wrote to memory of 4804	1580	cmd.exe	100
PID 1580 wrote to memory of 4804	1580	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (21).exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (21).exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Sommesso.ppt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^ZOQsXtAtHxdyuhsSoVBajbWjbeoOEYrTNLMLtwdlZxVnlJckSKVqpClCSEUVWLmIsbsxAFNuFdaSBbwNGXVTeeJkApTAicggUhuNawKhWPcSpaw$" Apparenze.ppt
      4⤵
      System Location Discovery: System Language Discovery
      PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
      Pensieroso.exe.com N
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com N
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\DSoeZwUtccg & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4804
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.ppt

Filesize
872KB

MD5
2caf8e89e6a05bb30057c7c470fdf260

SHA1
edb048d2d92046e97b2f991e9dbec16247ee5d8c

SHA256
492fcd3db49355cefd9c23e78d0a3c3082037f4d2e6ccaff65c81273255a22e8

SHA512
4f0e0f11c989f4030c77e274e919cb10a4b93283591d2e79f8ff4d3d44c0384dead702804abe221b54b32c8eeaa6be845e0d59cac336f6cf9256c95ae3469f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.ppt

Filesize
663KB

MD5
9fef53ec7afd145869f53138338e189f

SHA1
17d26e52ca0cb3de7083b5737f7b2a84a483b462

SHA256
e2cce7b050bc38ea22285645f3953ea3f9ea7dab11b94da0612ebace7f59eb09

SHA512
b434b0839269cdc32edb0aa94b570de2e19761feb0460be7fbbc5ef2250adc09ab138c1a0ab591b89dee06957c3559dbc69af156fa560c30c19d1509be8bbaa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Isola.ppt

Filesize
894KB

MD5
0d1cb8e6cc1623b8a86ecabd84613e0e

SHA1
353b60c29f0fb219f6b1f49b112038912ec040c8

SHA256
05ebdcbe3983b1f87e69ffcdab45a2692e0248bb6beccbaeebacad4fb1d72bc4

SHA512
0af070ec9d3dcac2103f6d259b3d847303c0c14d245f3f6d8a86f81f233fad3048632c8cf43f93d3f53dca974a0ff0a61732686471a24df5d391c025757eda38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sommesso.ppt

Filesize
325B

MD5
1b4d94eb8f5923f889afcbe5caddd449

SHA1
c613c7cfe6db911b07760a7767492de829cd37e7

SHA256
812f3d792ef7a99472b2aff8ee37c09218aed327036292cea950f27981071885

SHA512
6b4f3b1c3afc5acc8252746ea02eb59f1dd5d314439ea86097f3c0144aa13f2b955c77aa1d980a93f2e342393258d3943f14ca7708f303195b66f1fb5cd24c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSoeZwUtccg\QYQMEI~1.ZIP

Filesize
45KB

MD5
1d03c010e1e6c319d4f9561247ed188b

SHA1
9f3e5066c6201bc8ed60c170e38c9fcb6d258f55

SHA256
61662a9fc54723f74ddd567d907c3cdcd599c2bd955f87d3e745f98d84931b6e

SHA512
7af9d74b58dfcca331ec0f4f12b38de8965f00b10df06fdb84b5e6cc76e2de35f9062f363f2a13525619a62ec66bb633e6a9f817fc464bf50ab26b469467a7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSoeZwUtccg\VSFMUW~1.ZIP

Filesize
45KB

MD5
8a94e6d10bfa2b9aefa981f820687ff2

SHA1
ecbfbd77b46ea8c2be100a546463674f78e58311

SHA256
d67306ea57fd2d05771f115b52c41dcd16cd135e6463a59989ca482aad3ee059

SHA512
fab51399e36d7f0049e1155b511b788b909038a2d5791427d6d736bd57247a6d5aea302e0a7a0f225a972d71630368d848d021f837e96de083ca3395143d3f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSoeZwUtccg\_Files\_INFOR~1.TXT

Filesize
7KB

MD5
35f21eac6b541bc2591915ed3c983abf

SHA1
96d3eef4ccbab1336b0eb97038209a428c57a777

SHA256
7f78213936daa5712cd7c1e3f051c5e13605ef2609e11d1eead5e8bfdeee9ba3

SHA512
0ab56b275e41bd396520703609c022042be227b87b3df708bebffa96313b6823ffb653b324241ca6a844d9c6b6d9cab8129807c4eb8c6de8e48a399cc0e454a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSoeZwUtccg\_Files\_Information.txt

Filesize
2KB

MD5
3e0a9479f5c6fba3e5b2231a04d340a5

SHA1
db378d27e0c5561797980e502b24287016d09c3e

SHA256
36fe00824e88ff8ebfd35acc6a50476322cd6d0178b30faca16d733ebed4e76b

SHA512
dcadfd7769718e80b1c6d47137c8f333188d54bc7f40a2bc6c5e4a5ab672881575d3b1cf0062de82035fa97d08c5149c4a5c2814a71491de1d4bfaf67071c8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSoeZwUtccg\_Files\_Information.txt

Filesize
3KB

MD5
6499f36d065fec5546e989be6644fe59

SHA1
8c73649136dcc02d4943ee317d4e62ce9ba75892

SHA256
ee79884d9a98607e15faedc7be04c9313597f387647feeeade22ac80e6ba2a13

SHA512
a64bac27c5660b93094726ff53d2a067e5331b3d44afee3a61681d5de3fe090c6be48938594982047f26848cb551d003ae6da425c5b0025ed498584a97cac663

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSoeZwUtccg\_Files\_Information.txt

Filesize
4KB

MD5
62a41e876e30b4d2adf7e9426920851d

SHA1
c39f5a9f750ce1eb2d7ede9199e499f61c0ea337

SHA256
b9e5c8e9caa436cd68d06e52b93cb3189e475a15ea4ba622c212beae7b07d8e5

SHA512
a2c38ca5c7bc2f0ec9ede264bffeaeac087dd3c4783e2beab6ca015a9825571beab42c3d510a7e1712fba86e260148b71f07983aee5fbf1588891225aaab991b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSoeZwUtccg\files_\screenshot.jpg

Filesize
50KB

MD5
16db4b369e9df460465b907d59632c57

SHA1
758a4321283d93e2d74962168921f1b265a5eac5

SHA256
ba2a46d86f36f4cc523eac3a47f91eaad7160693050c87e234f072f8c748c44f

SHA512
a96b17e399796ecb85d4f07a3bfa7d557524caff5abfb698ed7921e735b408a2a86722034bf877f81543ebe7178913b694bf7a479d8934d6046063892b7003b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSoeZwUtccg\files_\system_info.txt

Filesize
706B

MD5
2b28b8504570241cc216c440a92316cc

SHA1
4f64304c34db14d9c5abd2e128793b4b5c2fd7b7

SHA256
8e201219594570bfdc587727a1ed260da90efcf771ee5f620d0a6338ce5667cb

SHA512
a8fcfd762d39a9f579f566790cbea31fedcbf324c29aae2a92bf48a12a778755c1c9a39d4a9a99daef1bbf80d8b327900fa08188b58cacedfc5b8cdcfdfd1803

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSoeZwUtccg\files_\system_info.txt

Filesize
7KB

MD5
9f257a5f7bfc801bb7843a5606d6a4bd

SHA1
26aa6fb7e2567c71d127d3dfc266a20907386ec7

SHA256
99128cc5951a2c13440fb8438f2340e675d6599db6b29fe1f515bf9c8dd87ac0

SHA512
34c838bd73a455273086b830454af7e9885701ef7c504877962a254695cf7023464e83cf06094851929f3038fcce3bd6be72dc1b9fdcb5223dbfeaf358537250

Download Submit
memory/5064-21-0x0000000004B50000-0x0000000004C35000-memory.dmp

Filesize
916KB

Download
memory/5064-26-0x0000000004B50000-0x0000000004C35000-memory.dmp

Filesize
916KB

Download
memory/5064-25-0x0000000004B50000-0x0000000004C35000-memory.dmp

Filesize
916KB

Download
memory/5064-24-0x0000000004B50000-0x0000000004C35000-memory.dmp

Filesize
916KB

Download
memory/5064-23-0x0000000004B50000-0x0000000004C35000-memory.dmp

Filesize
916KB

Download
memory/5064-22-0x0000000004B50000-0x0000000004C35000-memory.dmp

Filesize
916KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads