cryptbot | liddad[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

liddad.exe
Size

7.5MB
MD5

66178e76829f947721ee5f995434d37f
SHA1

d4ff72a893eb3a70a8d3274289f014d338ebb249
SHA256

4aa772539c101eeea6cd0fececae92603738c59afb7406d7b81b370313918f93
SHA512

0c39cde1db094b22cca8b3087dc5629c89d4f0ee3d9fea89a9a6e57a4b6c1080c552830f6d53bf347d3b4e81de047384365f8065561ef35d70a2d85047afd5c2
SSDEEP

49152:vB6DGAe6ei93Aq7SrSLAFiyRMrqcHy/e8TRDh2lGcsl6BS/W7hlRSfYKRbpxPyzt:vB7m939hAMuM2cS/h1F2xDSqbKJyz82

Score

10^/10

spyware stealer cryptbot

Malware Config

Extracted

Family

cryptbot

http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18

Signatures

Cryptbot family
cryptbot

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
sample	embeds_openssl

Files

liddad.exe
.exe windows:4 windows x86 arch:x86

51b39aff649af7abc30a06f2362db069

Code Sign

33:00:9f:7b:73:4d:b0:48:04:11:eb:0b:ba:00:00:00:9f:7b:73
Certificate

Issuer

CN=Microsoft Azure RSA TLS Issuing CA 04,O=Microsoft Corporation,C=US

Not Before

26/08/2024, 16:01

Not After

21/08/2025, 16:01

Subject

CN=www.microsoft.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=US

e9:d1:7d:a5:95:45:54:5d:3d:93:6d:cd:8e:0b:2b:b2:80:ea:b5:a7:62:9b:9f:90:04:00:4b:e4:16:56:f7:a3
Signer

Actual PE Digest

e9:d1:7d:a5:95:45:54:5d:3d:93:6d:cd:8e:0b:2b:b2:80:ea:b5:a7:62:9b:9f:90:04:00:4b:e4:16:56:f7:a3

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

CryptAcquireContextA
CryptAcquireContextW
CryptCreateHash
CryptDecrypt
CryptDestroyHash
CryptDestroyKey
CryptEnumProvidersW
CryptExportKey
CryptGenRandom
CryptGetHashParam
CryptGetProvParam
CryptGetUserKey
CryptHashData
CryptReleaseContext
CryptSetHashParam
CryptSignHashW
DeregisterEventSource
RegCloseKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExW
RegQueryValueExA
RegisterEventSourceW
ReportEventW
SystemFunction036

bcrypt

BCryptGenRandom

crypt32

CertCloseStore
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CertGetCertificateContextProperty
CertGetEnhancedKeyUsage
CertGetIntendedKeyUsage
CertOpenStore
CertOpenSystemStoreA
CertOpenSystemStoreW

gdi32

BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
DeleteObject
GetDeviceCaps
SelectObject

gdiplus

GdipGetImageEncoders
GdipGetImageEncodersSize
GdiplusShutdown
GdiplusStartup

iphlpapi

ConvertInterfaceIndexToLuid
ConvertInterfaceLuidToNameA
FreeMibTable
GetAdaptersAddresses
GetBestRoute2
GetUnicastIpAddressTable
if_indextoname
if_nametoindex

kernel32

AcquireSRWLockExclusive
CancelIo
CloseHandle
CompareFileTime
ConvertFiberToThread
ConvertThreadToFiberEx
CreateEventA
CreateFiberEx
CreateFileA
CreateFileMappingA
CreateIoCompletionPort
CreateMutexA
CreateSemaphoreW
CreateThread
CreateToolhelp32Snapshot
DeleteCriticalSection
DeleteFiber
EnterCriticalSection
ExpandEnvironmentStringsA
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileW
FormatMessageW
FreeLibrary
GetACP
GetConsoleMode
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceExA
GetDriveTypeA
GetEnvironmentVariableA
GetEnvironmentVariableW
GetFileAttributesA
GetFileType
GetLastError
GetLogicalDriveStringsA
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetNativeSystemInfo
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetQueuedCompletionStatusEx
GetStartupInfoA
GetStdHandle
GetSystemDirectoryA
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetThreadLocale
GetTickCount64
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GlobalMemoryStatusEx
HeapAlloc
HeapFree
InitializeConditionVariable
InitializeCriticalSection
IsBadReadPtr
IsDBCSLeadByteEx
K32EnumProcesses
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
MapViewOfFile
MoveFileExA
MultiByteToWideChar
OpenProcess
PeekNamedPipe
PostQueuedCompletionStatus
Process32First
Process32Next
QueryFullProcessImageNameA
QueryPerformanceCounter
QueryPerformanceFrequency
ReadConsoleA
ReadConsoleW
ReadFile
RegisterWaitForSingleObject
ReleaseSRWLockExclusive
ReleaseSemaphore
SetConsoleMode
SetFileCompletionNotificationModes
SetHandleInformation
SetLastError
SetUnhandledExceptionFilter
Sleep
SleepConditionVariableCS
SleepEx
SwitchToFiber
SystemTimeToFileTime
TlsAlloc
TlsGetValue
TlsSetValue
UnmapViewOfFile
UnregisterWait
VerSetConditionMask
VerifyVersionInfoW
VirtualAlloc
VirtualFree
VirtualLock
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WaitNamedPipeA
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteFile
lstrlenA

msvcrt

__mb_cur_max
__setusermatherr
_findclose
_fullpath
_lock
_strnicmp
_unlock
getc
islower
isxdigit
localeconv
ungetc
vfprintf
_findnext
_findfirst
_open

ole32

CreateStreamOnHGlobal

shell32

SHGetKnownFolderPath

api-ms-win-crt-convert-l1-1-0

atoi
mbstowcs
strtol
strtoll
strtoul
wcstombs

api-ms-win-crt-environment-l1-1-0

__p__environ
__p__wenviron
getenv

api-ms-win-crt-filesystem-l1-1-0

_fstat64
_stat64
_unlink

api-ms-win-crt-heap-l1-1-0

_set_new_mode
calloc
free
malloc
realloc

api-ms-win-crt-locale-l1-1-0

setlocale

api-ms-win-crt-math-l1-1-0

_fdopen

api-ms-win-crt-private-l1-1-0

memchr
memcmp
memcpy
memmove
strchr
strrchr
strstr
wcsstr

api-ms-win-crt-runtime-l1-1-0

_set_app_type
__p___argc
__p___argv
__p___wargv
__p__acmdln
__sys_errlist
__sys_nerr
_assert
_cexit
_configure_narrow_argv
_configure_wide_argv
_crt_at_quick_exit
_crt_atexit
_errno
_exit
_fpreset
_initialize_narrow_environment
_initialize_wide_environment
_initterm
_set_invalid_parameter_handler
abort
exit
raise
signal
strerror

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
__p__commode
__p__fmode
__stdio_common_vfwprintf
__stdio_common_vsprintf
__stdio_common_vsscanf
__stdio_common_vswprintf
_fileno
_fseeki64
_lseeki64
_wfopen
_write
fclose
feof
ferror
fflush
fgets
fopen
fputc
fputs
fread
fseek
ftell
fwrite
rewind
setvbuf
_write
_setmode
_read
_open
_fileno
_close

api-ms-win-crt-string-l1-1-0

_strlwr_s
isspace
isupper
memset
strcat
strcmp
strcpy
strcspn
strlen
strncat
strncmp
strncpy
strpbrk
strspn
tolower
wcscat
wcscmp
wcscpy
wcslen
_wcsnicmp
_stricmp
_strdup
_strdup

api-ms-win-crt-time-l1-1-0

__daylight
__timezone
__tzname
_difftime32
_difftime64
_gmtime64
_mktime64
_time32
_time64
_tzset
strftime

api-ms-win-crt-utility-l1-1-0

_byteswap_uint64
bsearch
qsort
rand
srand

user32

CharUpperA
EnumDisplayMonitors
EnumWindows
FindWindowA
GetDC
GetProcessWindowStation
GetSystemMetrics
GetUserObjectInformationW
GetWindowTextA
MessageBoxW
ReleaseDC
SendMessageA

ws2_32

WSACleanup
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
WSAGetLastError
WSAIoctl
WSAResetEvent
WSASetEvent
WSASetLastError
WSAStartup
WSAStringToAddressW
WSAWaitForMultipleEvents
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyaddr
gethostbyname
gethostname
getpeername
getservbyname
getservbyport
getsockname
getsockopt
htonl
htons
inet_addr
inet_ntoa
ioctlsocket
listen
ntohl
ntohs
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket

Sections

.text
Size: 4.8MB - Virtual size: 4.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 12KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 211KB - Virtual size: 210KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

51b39aff649af7abc30a06f2362db069

Code Sign

33:00:9f:7b:73:4d:b0:48:04:11:eb:0b:ba:00:00:00:9f:7b:73Certificate

e9:d1:7d:a5:95:45:54:5d:3d:93:6d:cd:8e:0b:2b:b2:80:ea:b5:a7:62:9b:9f:90:04:00:4b:e4:16:56:f7:a3Signer

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

bcrypt

crypt32

gdi32

gdiplus

iphlpapi

kernel32

msvcrt

ole32

shell32

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

user32

ws2_32

Sections

.text Size: 4.8MB - Virtual size: 4.8MB

.data Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 1.3MB - Virtual size: 1.3MB

.eh_fram Size: 19KB - Virtual size: 19KB

.bss Size: - Virtual size: 12KB

.idata Size: 11KB - Virtual size: 11KB

.CRT Size: 512B - Virtual size: 48B

.tls Size: 512B - Virtual size: 8B

.reloc Size: 211KB - Virtual size: 210KB

33:00:9f:7b:73:4d:b0:48:04:11:eb:0b:ba:00:00:00:9f:7b:73
Certificate

e9:d1:7d:a5:95:45:54:5d:3d:93:6d:cd:8e:0b:2b:b2:80:ea:b5:a7:62:9b:9f:90:04:00:4b:e4:16:56:f7:a3
Signer

.text
Size: 4.8MB - Virtual size: 4.8MB

.data
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 1.3MB - Virtual size: 1.3MB

.eh_fram
Size: 19KB - Virtual size: 19KB

.bss
Size: - Virtual size: 12KB

.idata
Size: 11KB - Virtual size: 11KB

.CRT
Size: 512B - Virtual size: 48B

.tls
Size: 512B - Virtual size: 8B

.reloc
Size: 211KB - Virtual size: 210KB