cryptbot | f9d1611e9c76704829a006ca1a15c810063c0c68f2c9466cfafe583de36c4a0e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24/12/2024, 15:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

32_64_ver_1_bit.exe
Size

1.8MB
MD5

cf79a81627e7b71ca9bdd33ba812b7a0
SHA1

26c35564bde9adcc2c56d062fce809ee2b4ee82d
SHA256

607d4323ec499f3d2d39f10ce3e539442c2c8959be41afe20d6a2a68b5406f8b
SHA512

79b1a6429432e4b4860f3226cf892c14a77cc8c9b55b8d4990c43af8a4d9f8ef09dfa6a43e2f05671ea4dc20625ccd1a1d3507c227a49f35ef74df892fba9342
SSDEEP

49152:P5+hFYPN3BwAALqBZ3mpkPGx6pMYLI1i+3gj:P5aFYtBHb5JPG0pMCMC

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 3 IoCs

resource	yara_rule
behavioral1/memory/2796-26-0x0000000003970000-0x0000000003A53000-memory.dmp	family_cryptbot
behavioral1/memory/2796-27-0x0000000003970000-0x0000000003A53000-memory.dmp	family_cryptbot
behavioral1/memory/2796-28-0x0000000003970000-0x0000000003A53000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot

Executes dropped EXE 2 IoCs

pid	Process
2556	Per.com
2796	Per.com

Loads dropped DLL 2 IoCs

pid	Process
2508	cmd.exe
2556	Per.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Per.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Per.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32_64_ver_1_bit.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2232	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Per.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Per.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2232	PING.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2372	2676	32_64_ver_1_bit.exe	30
PID 2676 wrote to memory of 2372	2676	32_64_ver_1_bit.exe	30
PID 2676 wrote to memory of 2372	2676	32_64_ver_1_bit.exe	30
PID 2676 wrote to memory of 2372	2676	32_64_ver_1_bit.exe	30
PID 2676 wrote to memory of 2228	2676	32_64_ver_1_bit.exe	32
PID 2676 wrote to memory of 2228	2676	32_64_ver_1_bit.exe	32
PID 2676 wrote to memory of 2228	2676	32_64_ver_1_bit.exe	32
PID 2676 wrote to memory of 2228	2676	32_64_ver_1_bit.exe	32
PID 2228 wrote to memory of 2508	2228	cmd.exe	34
PID 2228 wrote to memory of 2508	2228	cmd.exe	34
PID 2228 wrote to memory of 2508	2228	cmd.exe	34
PID 2228 wrote to memory of 2508	2228	cmd.exe	34
PID 2508 wrote to memory of 2512	2508	cmd.exe	35
PID 2508 wrote to memory of 2512	2508	cmd.exe	35
PID 2508 wrote to memory of 2512	2508	cmd.exe	35
PID 2508 wrote to memory of 2512	2508	cmd.exe	35
PID 2508 wrote to memory of 2556	2508	cmd.exe	36
PID 2508 wrote to memory of 2556	2508	cmd.exe	36
PID 2508 wrote to memory of 2556	2508	cmd.exe	36
PID 2508 wrote to memory of 2556	2508	cmd.exe	36
PID 2508 wrote to memory of 2232	2508	cmd.exe	37
PID 2508 wrote to memory of 2232	2508	cmd.exe	37
PID 2508 wrote to memory of 2232	2508	cmd.exe	37
PID 2508 wrote to memory of 2232	2508	cmd.exe	37
PID 2556 wrote to memory of 2796	2556	Per.com	38
PID 2556 wrote to memory of 2796	2556	Per.com	38
PID 2556 wrote to memory of 2796	2556	Per.com	38
PID 2556 wrote to memory of 2796	2556	Per.com	38

C:\Users\Admin\AppData\Local\Temp\32_64_ver_1_bit.exe
"C:\Users\Admin\AppData\Local\Temp\32_64_ver_1_bit.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo TvlxhcPW
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Scala.bin
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^UGUAzyVeUFVxwuQQxYTPPZLPHuxnJTHKMwKfMXhbVWVfsonCYVpiYXeUUtSjKbzqXlIZcAtvLcUTrvbmISmOKmLPZPcIywNbDVsiAnubQMvDepRbGzESXEdbnTqGyvdKIvdoydYpLwX$" Infine.xltm
      4⤵
      System Location Discovery: System Language Discovery
      PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
      Per.com Svelto.accdr
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
        
        C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com Svelto.accdr
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:2796
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Infine.xltm

Filesize
921KB

MD5
e92c98933cb8a69f4270762f59f72f8d

SHA1
bbd1cd46209a4c42c5de13ac32c46ec2818b4eb0

SHA256
ca6f3d6fdc14ea694a2a010c8f2596cb9b99251d5e4ccd85386be58d39309bba

SHA512
1893cf45da05f56ed2f627d61189e4bd9fc179512b9d6fe315c3967b083447fb46775846c1cfe8d38bff4a2326f2323f7b757a2389dd04162d7ebf1181ba1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Saluta.potm

Filesize
888KB

MD5
94957cd5084b8a109eb5bc6b9889dc70

SHA1
bbaae28333a3871ce9aed0d0463cdd738624a9cd

SHA256
9855686bf0c7ad2d5cb8828ff2a4feae9a6d4bc6c21be391e51b96ab942aa08d

SHA512
13344363c786e454046923285eb889399afd26ad1e74f8a762062fc8c400f7f05a04e1bc593e08850d9226bca9ea67453065e9f12ae83acfd4cd6dc6a8126d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Scala.bin

Filesize
105KB

MD5
45c3b50fd2d0a49dbc60cd84e7625234

SHA1
3e95f809cd6cfa8c1dfe1ed8b3a61038d579e04c

SHA256
e9d23eea77b153d824699bcd00dde8ad297e97bb17b8ea4eccc23c4d5717f804

SHA512
87acd56e8a981ebfe49abe0eb4e4b9ed5768cb7fea080b65428e5dca9cbe5faaffad87aa5a24c74fd30a28be7ebf30f7f098c34e1ba99aa475269d9f88baf195

Download Submit
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Svelto.accdr

Filesize
615KB

MD5
7e6ab0703aa2bc01af332f11553bd583

SHA1
b5bf5e9f2467b4fd2ec4511a6f7856a3a0565182

SHA256
e1ab0437119b2b4e51f7cb068ee3a15ccc81b8aa00ea39f9e24b420859fab05a

SHA512
6313f5daf8559cad6734cd80d9be17d8c99608ac8e9086b51883f31b1d0d883c16c96cd120ba8c39afbe55fc7136d042b6452607114c8d6e4587020bddaa4c8f

Download Submit
\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/2796-23-0x0000000003970000-0x0000000003A53000-memory.dmp

Filesize
908KB

Download
memory/2796-24-0x0000000003970000-0x0000000003A53000-memory.dmp

Filesize
908KB

Download
memory/2796-25-0x0000000003970000-0x0000000003A53000-memory.dmp

Filesize
908KB

Download
memory/2796-26-0x0000000003970000-0x0000000003A53000-memory.dmp

Filesize
908KB

Download
memory/2796-27-0x0000000003970000-0x0000000003A53000-memory.dmp

Filesize
908KB

Download
memory/2796-28-0x0000000003970000-0x0000000003A53000-memory.dmp

Filesize
908KB

Download