Extracted

• • Target

    8520d7d21039b7bbd73d0ccc72d27da6aae62dd88bf2e759046baca8c0fbd452

  • Size

    3.8MB

  • MD5

    b80fe721ecebeaaf99eb4fa7485644a7

  • SHA1

    18b6d820d5636f68f1e4b788db8500f8553629c2

  • SHA256

    8520d7d21039b7bbd73d0ccc72d27da6aae62dd88bf2e759046baca8c0fbd452

  • SHA512

    fc46e8bf1f5721dd3feb5f0703272bb66006aa1dbec3fcfa3aa58cdcb2324399e2bbb385d02041cdb0e5a2d5e492805a6a4924c8db8132b4255d03cd07c97f27

  • SSDEEP

    98304:Zs2we8EipV6574GYxThZN+5o4ZQGhNvYH3:wEipS4Ge7N+5m

  Score

  10^/10

  cryptbotcredential_accessdefense_evasiondiscoveryexecutionspywarestealeradwarepersistenceprivilege_escalation

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • Cryptbot family

    cryptbot

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Enumerates VirtualBox registry keys

    defense_evasion

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2