cryptbot | f25fab3f64bad2cd989035dd854b761fe06b97e76291bd180991d21d91ea5c22

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

whites1213.exe
Size

7.9MB
MD5

8398fc4aa3a5a5ab6ae7ed394b449d0a
SHA1

820ce4bb8eb51e31effa41e6829e84089b728760
SHA256

f25fab3f64bad2cd989035dd854b761fe06b97e76291bd180991d21d91ea5c22
SHA512

a44ff33aa8b477ee8a2bae6a3ac93da85df9a5fdf906baaa54b2513396df94b304bc626159e4d95561097bd3d112826e4254069320fc95f3fc167d9350234c61
SSDEEP

98304:mHZ28VaNl6GdtOjCiEj5P6pziE5Psj1ZC/bIMqiiTpYXHQtG5nuPAUV:m6ThtSpeqso4iKG5n

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

http://home.twelve12vs.top/AvWHJxAVCxPehbRictmJ173

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	Set-up.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	whites1213.exe

Executes dropped EXE 2 IoCs

pid	Process
3624	LummaC2.exe
3120	Set-up.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x0007000000023cb4-14.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whites1213.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LummaC2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3120	Set-up.exe
3120	Set-up.exe
3120	Set-up.exe
3120	Set-up.exe
3120	Set-up.exe
3120	Set-up.exe
3120	Set-up.exe
3120	Set-up.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 3624	2004	whites1213.exe	83
PID 2004 wrote to memory of 3624	2004	whites1213.exe	83
PID 2004 wrote to memory of 3624	2004	whites1213.exe	83
PID 2004 wrote to memory of 3120	2004	whites1213.exe	84
PID 2004 wrote to memory of 3120	2004	whites1213.exe	84
PID 2004 wrote to memory of 3120	2004	whites1213.exe	84

C:\Users\Admin\AppData\Local\Temp\whites1213.exe
"C:\Users\Admin\AppData\Local\Temp\whites1213.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\LummaC2.exe
  "C:\Users\Admin\AppData\Local\Temp\LummaC2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3624
- C:\Users\Admin\AppData\Local\Temp\Set-up.exe
  "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LummaC2.exe

Filesize
320KB

MD5
8da89b163d506be4a73b987517a1b9e4

SHA1
2e110cf5160c511fa3d5843e890b8e9316754f34

SHA256
ea56e7f640355598346fa0b356699298314e25d809f3aa7cfce1804a3d1964e5

SHA512
a85969bcda0b31caf0cec79f45bec068a498c7ac190fe17d7b7c03f88f5c91f5f6221fcc4fcb46604695d5b95e9047dfc1d2cf31207540c23e929fcca08d14f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Set-up.exe

Filesize
7.6MB

MD5
53d48938c0ec850eb316cf433ecfc045

SHA1
4415a85e1376c1a8f6661a2cc9d23ec06557d176

SHA256
f63f7d8db3ae8ed7448672263cf9333e8b867bdba7a30d73cf3966cfd8a8a909

SHA512
21a69b5969f95e4dfd404e6c415ec502282f4e54aa73c0752a29af52bdbf603837ddab640bca47c317f391f91a5f60818d5f06662c600f5e01e43e2473408c99

Download Submit
memory/2004-0-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/2004-1-0x00000000000A0000-0x0000000000886000-memory.dmp

Filesize
7.9MB

Download
memory/3120-19-0x0000000000D20000-0x00000000014B5000-memory.dmp

Filesize
7.6MB

Download
memory/3120-28-0x0000000000D20000-0x00000000014B5000-memory.dmp

Filesize
7.6MB

Download