cryptbot | 3c2344feb9285b062e0ccdcf36ca24821baaaa7c1d15411018cbabfed0ef1f28 | Triage

Sharing

General

Target

6b6b2fa135738671e1a1f90ddd5fe4f567b1b7d9415ea8ebc32b56f846dca607.zip
Size

4.2MB
Sample

250211-qtvy4atmen
MD5

9d05dcd76c839379c072af428475c442
SHA1

b770c84390ccef819ba102dbf31826159734c870
SHA256

3c2344feb9285b062e0ccdcf36ca24821baaaa7c1d15411018cbabfed0ef1f28
SHA512

c64b57eaa61e62a21c5409188e70f401f1299efe4e251584aa16c8334308a02aee5fdfc879c857c8e5736d69978641ad48c7683387835e34a65ffbc996fb15d8
SSDEEP

98304:GJOiSL/PW7itrUtCWwb6n4+OewGaoMKN8fkZ073GPgeqXRE7kbmwofF79F:GJerWGtrGSOxU0akdPT0OkbTofF79F

Score

10^/10

cryptbot defense_evasion discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

http://home.fivepp5sb.top/joLepLgSzIBRhlkJbQYx17

Targets

- Target
  
  6b6b2fa135738671e1a1f90ddd5fe4f567b1b7d9415ea8ebc32b56f846dca607.exe
- Size
  
  6.2MB
- MD5
  
  3b8e1edc5b493c9ff10823942054d3bc
- SHA1
  
  9b5979457a083498360f2f8c802b31a4710f7bbe
- SHA256
  
  6b6b2fa135738671e1a1f90ddd5fe4f567b1b7d9415ea8ebc32b56f846dca607
- SHA512
  
  79b0b50fece8ab2a0c55878ca607f98ccbf1fc8c00a97d404c5ac6c20df78af1f7bdba060cd0a856974c4660833d359c5f33399b1a0a3839e3c1555ae04bad2b
- SSDEEP
  
  98304:ndfBvDtB9eRVW1fLIfxIeDdgVOGG380vJNdE5zPeTWdAoH:ZBvMiLIZIeqVOGGvKzPeTgAu
Score

10^/10

cryptbot defense_evasion discovery spyware stealer
- CryptBot
  CryptBot is a C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Cryptbot family
  cryptbot
- Enumerates VirtualBox registry keys
  defense_evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cryptbotdefense_evasiondiscoveryspywarestealer

behavioral2

cryptbotdefense_evasiondiscoveryspywarestealer