cryptbot

General

Target

JaffaCakes118_26a7c7a28f1ea65bf7b51351e2c6eb67
Size

2.7MB
Sample

250106-qxc8fsxpgx
MD5

26a7c7a28f1ea65bf7b51351e2c6eb67
SHA1

77f410701c760731a468ae0ba3e9175aaed76299
SHA256

084f757c11631c23d9fc366f99f622496923703ed552b53744e98de635ac9547
SHA512

649ca3f6f7f4a501abac5b42e4f166737ef3cb8373129cda246d591aa93c7590ae715acdf0b8e523a87c3e30052d7f6941aac7ad92c787e4dad808ce07045cf5
SSDEEP

49152:+IDeFTdTS1H2BKeMN7XxztRZSJTe5XlYMjrDXg0s3p3cA/i+IXOXpVBip5yUCDR9:py+1u+ztHp+yrDw0u+ArI+ti3yUCtyPk

Score

10^/10

Malware Config

Extracted

Family

cryptbot

C2

veogka41.top

moruhx04.top

Attributes

payload_url
http://tynauk05.top/download.php?file=lv.exe

Targets

- Target
  
  JaffaCakes118_26a7c7a28f1ea65bf7b51351e2c6eb67
- Size
  
  2.7MB
- MD5
  
  26a7c7a28f1ea65bf7b51351e2c6eb67
- SHA1
  
  77f410701c760731a468ae0ba3e9175aaed76299
- SHA256
  
  084f757c11631c23d9fc366f99f622496923703ed552b53744e98de635ac9547
- SHA512
  
  649ca3f6f7f4a501abac5b42e4f166737ef3cb8373129cda246d591aa93c7590ae715acdf0b8e523a87c3e30052d7f6941aac7ad92c787e4dad808ce07045cf5
- SSDEEP
  
  49152:+IDeFTdTS1H2BKeMN7XxztRZSJTe5XlYMjrDXg0s3p3cA/i+IXOXpVBip5yUCDR9:py+1u+ztHp+yrDw0u+ArI+ti3yUCtyPk
Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan
- CryptBot
  CryptBot is a C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Cryptbot family
  cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2