cryptbot | 7f186c311fc66ceb1f59beba9e6f9bb07a00fba7994d85c760848753adf1129d

General

Target

lionda.exe
Size

7.2MB
MD5

9a66454e4c0feb4cd1bebc8871aa850e
SHA1

cc7975b8807f3d72067dc8452a3098a0f6097f25
SHA256

7f186c311fc66ceb1f59beba9e6f9bb07a00fba7994d85c760848753adf1129d
SHA512

b90c7b5e77d0a465fa6872904d9ed752adfeae1671329c4414c61a5182643d9b9cf2add6c9f3d014ab24583eef441c7ff3c7acd6419855b9eacc85b3d7b0c932
SSDEEP

98304:0kN4q49j3XvABCrK0/cjTSsbLwnzrROD18uB0H8oy5OW:67zyCpcTSTROBHB0c/A

Score

10^/10

cryptbot defense_evasion discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

http://home.fourteenff14pn.top/BVpYRBXNVJewGOxay73803

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	start-this-467.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
60	1184	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	lionda.exe

Executes dropped EXE 2 IoCs

pid	Process
1288	LummaC2.exe
936	start-this-467.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x0008000000023dee-14.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2828	936	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lionda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LummaC2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start-this-467.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
452	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
936	start-this-467.exe
936	start-this-467.exe
936	start-this-467.exe
936	start-this-467.exe
936	start-this-467.exe
936	start-this-467.exe
936	start-this-467.exe
936	start-this-467.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1288	1808	lionda.exe	89
PID 1808 wrote to memory of 1288	1808	lionda.exe	89
PID 1808 wrote to memory of 1288	1808	lionda.exe	89
PID 1808 wrote to memory of 936	1808	lionda.exe	90
PID 1808 wrote to memory of 936	1808	lionda.exe	90
PID 1808 wrote to memory of 936	1808	lionda.exe	90

C:\Users\Admin\AppData\Local\Temp\lionda.exe
"C:\Users\Admin\AppData\Local\Temp\lionda.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\LummaC2.exe
  "C:\Users\Admin\AppData\Local\Temp\LummaC2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1288
- C:\Users\Admin\AppData\Local\Temp\start-this-467.exe
  "C:\Users\Admin\AppData\Local\Temp\start-this-467.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 916
    3⤵
    - Program crash
    PID:2828

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUMyNTE5QTgtQjVGQi00NjE0LTlBRUYtMURBMERGMDBFQkMyfSIgdXNlcmlkPSJ7MEFDNjA4MTgtNDlENy00ODlCLUEzRkEtNkUwQTgxM0E2RUQxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTA2M0ExODItNTFGRS00ODRDLUJCMjUtMjZGNjE4NDY3MEQwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDgyOTQzMTA3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 936 -ip 936
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LummaC2.exe

Filesize
320KB

MD5
8da89b163d506be4a73b987517a1b9e4

SHA1
2e110cf5160c511fa3d5843e890b8e9316754f34

SHA256
ea56e7f640355598346fa0b356699298314e25d809f3aa7cfce1804a3d1964e5

SHA512
a85969bcda0b31caf0cec79f45bec068a498c7ac190fe17d7b7c03f88f5c91f5f6221fcc4fcb46604695d5b95e9047dfc1d2cf31207540c23e929fcca08d14f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\start-this-467.exe

Filesize
6.9MB

MD5
973951ef7134a54ee9031e4f9c1c04d3

SHA1
def129184ad6ad341f9cf08582db3ee664c6a2e0

SHA256
112ba934300da8274f790013312034d142d090cc663d1c62073deba180b1e922

SHA512
190d1fb6926b0a6410ce70fc20422d5487407d2137dd50ecec0585d8f062134255ca110377db4abdee0f1e5038f61dddca162628466782642d047554eebb21a4

Download Submit
memory/936-19-0x0000000000710000-0x0000000000E04000-memory.dmp

Filesize
7.0MB

Download
memory/936-23-0x0000000000710000-0x0000000000E04000-memory.dmp

Filesize
7.0MB

Download
memory/936-26-0x0000000000710000-0x0000000000E04000-memory.dmp

Filesize
7.0MB

Download
memory/1808-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download
memory/1808-1-0x00000000003F0000-0x0000000000B34000-memory.dmp

Filesize
7.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads