cryptbot | bca6214f39e91508f64c1418cd353b7da0245c64f97e40dee305fe6b7af7c577

Analysis

max time kernel
74s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

1.7MB
MD5

2823d9eef3511031b57d8bec7fb743a1
SHA1

d2d4957eefe95ac4d9646104004b9fac44396fcd
SHA256

e502363c54e70b24779cae4ca1b82a66178ec0f2e7f9825c55090f0b13352431
SHA512

e356364fb8ae46e2a8ec924d88b039d0450ffb60190d02b3687e58e63dbe73ebbe14834b7b7493c059edf24910664c4306dddee71263cb96601ab9cb8e26ad01
SSDEEP

49152:P5+hFBYqALFHGk3r2Hcmojw+hlI210cocdi6lf5Lc:P5aFmHtJdhb1nogRfLc

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 3 IoCs

resource	yara_rule
behavioral1/memory/2152-26-0x0000000003BE0000-0x0000000003CCA000-memory.dmp	family_cryptbot
behavioral1/memory/2152-27-0x0000000003BE0000-0x0000000003CCA000-memory.dmp	family_cryptbot
behavioral1/memory/2152-25-0x0000000003BE0000-0x0000000003CCA000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot

Executes dropped EXE 2 IoCs

pid	Process
2952	Strette.com
2152	Strette.com

Loads dropped DLL 1 IoCs

pid	Process
2004	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Strette.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Strette.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2816	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Strette.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Strette.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2816	PING.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2420	2116	Setup.exe	30
PID 2116 wrote to memory of 2420	2116	Setup.exe	30
PID 2116 wrote to memory of 2420	2116	Setup.exe	30
PID 2116 wrote to memory of 2420	2116	Setup.exe	30
PID 2116 wrote to memory of 2936	2116	Setup.exe	32
PID 2116 wrote to memory of 2936	2116	Setup.exe	32
PID 2116 wrote to memory of 2936	2116	Setup.exe	32
PID 2116 wrote to memory of 2936	2116	Setup.exe	32
PID 2936 wrote to memory of 2004	2936	cmd.exe	34
PID 2936 wrote to memory of 2004	2936	cmd.exe	34
PID 2936 wrote to memory of 2004	2936	cmd.exe	34
PID 2936 wrote to memory of 2004	2936	cmd.exe	34
PID 2004 wrote to memory of 2964	2004	cmd.exe	35
PID 2004 wrote to memory of 2964	2004	cmd.exe	35
PID 2004 wrote to memory of 2964	2004	cmd.exe	35
PID 2004 wrote to memory of 2964	2004	cmd.exe	35
PID 2004 wrote to memory of 2952	2004	cmd.exe	36
PID 2004 wrote to memory of 2952	2004	cmd.exe	36
PID 2004 wrote to memory of 2952	2004	cmd.exe	36
PID 2004 wrote to memory of 2952	2004	cmd.exe	36
PID 2004 wrote to memory of 2816	2004	cmd.exe	37
PID 2004 wrote to memory of 2816	2004	cmd.exe	37
PID 2004 wrote to memory of 2816	2004	cmd.exe	37
PID 2004 wrote to memory of 2816	2004	cmd.exe	37
PID 2952 wrote to memory of 2152	2952	Strette.com	38
PID 2952 wrote to memory of 2152	2952	Strette.com	38
PID 2952 wrote to memory of 2152	2952	Strette.com	38
PID 2952 wrote to memory of 2152	2952	Strette.com	38

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Lpokv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Due.vsd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^mJNrkruBwRBwxoZOfFUxVrIvSDNRVDyaDvqTrlLtvjNSdoLxNQxuZDfvqdkHdfFnLpbXiuLtTQYJdQuJRarypZaZiETMZr$" Mentre.vssm
      4⤵
      System Location Discovery: System Language Discovery
      PID:2964
  - - C:\Users\Admin\AppData\Roaming\UPCkUmDtFIOlZrLj\Strette.com
      Strette.com Ama.xlsx
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Users\Admin\AppData\Roaming\UPCkUmDtFIOlZrLj\Strette.com
        
        C:\Users\Admin\AppData\Roaming\UPCkUmDtFIOlZrLj\Strette.com Ama.xlsx
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:2152
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\UPCkUmDtFIOlZrLj\Ama.xlsx

Filesize
640KB

MD5
7901a872e29d51a121409fa6681aa9e9

SHA1
90d538eb55865937e0c89402dedfb223e1e7bfb4

SHA256
aff1908418de9bcb4420bffc54efa0fa7e50cf1b3571774afcc9f97be54db2ae

SHA512
4d8bae095096becfdb84b79d3a0fe35cd3eba7e9932410ae008aa5f42acaec2242030d8ef18d0f7eff4c904eda2516a3b1cbd1791e425b26c4580615a9b8353d

Download Submit
C:\Users\Admin\AppData\Roaming\UPCkUmDtFIOlZrLj\Due.vsd

Filesize
111KB

MD5
c333f921aa439fb82556376cd16898e0

SHA1
163e72b76212268d365795170e52cdc180edafc0

SHA256
0cc0542c125836603a82e309982ce64471fd05dc4f49341b8e18e3cd3ce24fc3

SHA512
1d6e1555a173d41650a0780c589f8ef5ae5802220d1d80ab644c09e59519143c88576b9fab325230806db2ffe9f323b1a876baf8eae6f016e499901f79d9c92e

Download Submit
C:\Users\Admin\AppData\Roaming\UPCkUmDtFIOlZrLj\Gabbiani.aifc

Filesize
917KB

MD5
528edff75caea16873e9d420c000e01e

SHA1
0195e9023d899198ed7c049932e393466bfeb786

SHA256
cb6b9453e3ceca60cfcfc8600ad91e8f656f2598abdb05119ea54efb52b761a9

SHA512
34238fb9dd40f88ed17bfe1cc90ef8dab7ef4a25b278b6fbadd5af5494de66c8b157f16834f2c50aa907935ddb002edb47739410e9610081ee8452485cb4a440

Download Submit
C:\Users\Admin\AppData\Roaming\UPCkUmDtFIOlZrLj\Mentre.vssm

Filesize
921KB

MD5
92e8bdc5e68531d278093d91c9c5c54d

SHA1
cf5161aa9a5919b656f6b2704a75aba7be820b50

SHA256
92f9ca0c4e93ea3999fe17389eac3fb05aa3a37ad34c13aa415056acc6557eb4

SHA512
fa7cb60ab6bee8f67d669656dfa21262a40882d64d72a302d8120ef25ae480cd298355dd09b8857c85665f1bb5006a9f19a6503467cc45910b6acd272e50d0b4

Download Submit
\Users\Admin\AppData\Roaming\UPCkUmDtFIOlZrLj\Strette.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/2152-22-0x0000000003BE0000-0x0000000003CCA000-memory.dmp

Filesize
936KB

Download
memory/2152-23-0x0000000003BE0000-0x0000000003CCA000-memory.dmp

Filesize
936KB

Download
memory/2152-24-0x0000000003BE0000-0x0000000003CCA000-memory.dmp

Filesize
936KB

Download
memory/2152-26-0x0000000003BE0000-0x0000000003CCA000-memory.dmp

Filesize
936KB

Download
memory/2152-27-0x0000000003BE0000-0x0000000003CCA000-memory.dmp

Filesize
936KB

Download
memory/2152-25-0x0000000003BE0000-0x0000000003CCA000-memory.dmp

Filesize
936KB

Download