cryptbot | 5a9e3280eb6db0cfbd5a5fd70a4c58e35e397c29f7cda8306c681151030f4352

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
Size

4.6MB
MD5

d75d7dce371da77f30f35288b8ff37f3
SHA1

03a63127e19682acb329a4abfffb031311854c00
SHA256

576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510
SHA512

4fe86c0d0d2022f1986c786e882127dda583cfb7be9df7313db9b982bd8aad1f1b8919d0e0c883c1793768e2c7c6f3a9aeb138ace7264c887f69870ce14970fb
SSDEEP

98304:IGEqCZgN7219sQrtQwPWD9pEof9RvcScw2cepvi6yvSVj9QYO:IGEqC4K1uQxQwu9Rvc1li6ny

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

verf04.info

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	util.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Install.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	util.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	util.exe

Executes dropped EXE 3 IoCs

pid	Process
3168	Install.exe
1968	Notepad2.exe
2484	util.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	Install.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	util.exe

Loads dropped DLL 1 IoCs

pid	Process
212	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	iplogger.org
18	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3168	Install.exe
2484	util.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
File created	C:\Program Files (x86)\Glary\Utilities\Settings\Install.exe	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
File created	C:\Program Files (x86)\Glary\Utilities\Settings\util.exe	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Notepad2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	util.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Install.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2484	util.exe
2484	util.exe
3168	Install.exe
3168	Install.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
3168	Install.exe
3168	Install.exe
3168	Install.exe
3168	Install.exe
3168	Install.exe
3168	Install.exe
3168	Install.exe
3168	Install.exe
3168	Install.exe
3168	Install.exe
3168	Install.exe
3168	Install.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 3168	212	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	82
PID 212 wrote to memory of 3168	212	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	82
PID 212 wrote to memory of 3168	212	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	82
PID 212 wrote to memory of 1968	212	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	83
PID 212 wrote to memory of 1968	212	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	83
PID 212 wrote to memory of 1968	212	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	83
PID 212 wrote to memory of 2484	212	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	84
PID 212 wrote to memory of 2484	212	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	84
PID 212 wrote to memory of 2484	212	576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe	84

C:\Users\Admin\AppData\Local\Temp\576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
"C:\Users\Admin\AppData\Local\Temp\576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:212
- C:\Program Files (x86)\Glary\Utilities\Settings\Install.exe
  "C:\Program Files (x86)\Glary\Utilities\Settings\Install.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:3168
- C:\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe
  "C:\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1968
- C:\Program Files (x86)\Glary\Utilities\Settings\util.exe
  "C:\Program Files (x86)\Glary\Utilities\Settings\util.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Glary\Utilities\Settings\Install.exe

Filesize
2.1MB

MD5
f59df95a5f1760ed6d213f5ad70c0510

SHA1
697dd19671251ed102d92cb730e7854a7611a53f

SHA256
2ee4567751ec4fca4a9390b4743625bee298955cc2cb6375341d673ef0003ab5

SHA512
f553f4053bae6236fd093be86240883b12b9457860e1249707cc4d6212a2fb953d31836106b3c1e8be3fb23de1c3835fb0aaa2e93d0e39422a03e4fc1e75f194

Download Submit
C:\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe

Filesize
693KB

MD5
b60d390ba42c0109ee38de2e0ca56e1a

SHA1
735a4eb61fe695c9bd2c9961f5fa41ac5a73d833

SHA256
9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477

SHA512
97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24

Download Submit
C:\Program Files (x86)\Glary\Utilities\Settings\util.exe

Filesize
2.3MB

MD5
1a399301e1eb1821088776166420c80e

SHA1
317bfecd99d6b0d7415173b55781deb4afc428b8

SHA256
69344b8a53d189c7640d0ada5f74b5febcd7b06e5aa5c4fc01a7c676ec986b67

SHA512
679e7e6c777287303e64d9c3b1d6d23fab2331708a17ba922746db240e25c35a60418f65302c294b851d2cf095cb6b5f174e3b300e74664c54df2349561992fe

Download Submit
C:\ProgramData\vfp7mTTBHnPiAbU0\172773668.txt

Filesize
150B

MD5
cadc7176449b1ef7d75c247c7d248b41

SHA1
3262d7ebfe5735d499e092504c41d39fb51ade31

SHA256
edd1379685f9c0c83b7f870591d940432648d231a666d934dd22ea1a6c690f36

SHA512
67321a6d375c18a26a433051980bd868c17cef922473b43e219ec3bb94e22b05c622d3f272150252b4cb8a5d1470b5302a200d08c4d675eaec5581421a9c72cf

Download Submit
C:\ProgramData\vfp7mTTBHnPiAbU0\Files\Browsers\_FilePasswords.txt

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\vfp7mTTBHnPiAbU0\Files\_Info.txt

Filesize
4KB

MD5
92784125351110a467b4168a7983ed97

SHA1
3c26e3b7caddf9f7bfb91f0671482812a62986d6

SHA256
7b30869dd19e47b04b3a9f68ac1536b29881b82421a1794f1c16a99c8004424b

SHA512
ff202a50cb5a372a9cb9bb3da9ed609c57d55a835e36802e6acd9d287a2134a5f9294d2da417cc329831abd3e511c73ea015077a656fef67d88523a41085b44d

Download Submit
C:\ProgramData\vfp7mTTBHnPiAbU0\uF1au7YaY8Gp0S.zip

Filesize
582KB

MD5
5c13acaa195d3de78819824f0efacc29

SHA1
68ac80d29c42c5220b504b36c57981e002baa885

SHA256
d668bae6a3bd6a707f8b8fce8c9774d242a6069f6d5386062e5351d42dd737cb

SHA512
2c758081ea4c6671a7afb16d7bc37b4d49b1152c81a91a853f6724c35c0e2ce985087fd75067ca52bbe8e4e7db79484374f7385e27cc717068f477f9040ecb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa9FDB.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/2484-327-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-323-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-17-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-282-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-304-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-284-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-334-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-330-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-288-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-319-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-292-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-296-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-315-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-312-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-299-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/2484-308-0x0000000000400000-0x0000000000973000-memory.dmp

Filesize
5.4MB

Download
memory/3168-281-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-307-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-303-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-298-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-311-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-314-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-295-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-318-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-291-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-322-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-287-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-326-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-283-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-18-0x0000000077284000-0x0000000077286000-memory.dmp

Filesize
8KB

Download
memory/3168-329-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-15-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download
memory/3168-333-0x0000000000800000-0x0000000000D2B000-memory.dmp

Filesize
5.2MB

Download