General

  • Target

    50ccddcabb0d991d2a25c54cd9b2ef9fe83a568f8852c7791f77c8753d7d1c44.zip

  • Size

    1.7MB

  • Sample

    250326-arzlhavvh1

  • MD5

    3af3b4a5a266993364d69332dc84c812

  • SHA1

    282afde70a077ae72bc3fd6517e7eaee21de5927

  • SHA256

    50ccddcabb0d991d2a25c54cd9b2ef9fe83a568f8852c7791f77c8753d7d1c44

  • SHA512

    b7e3b32c37ab5c63f20119bedc16532edad21ba58fe2c4a34d5eff69d3ad7f5c4901af83a169943ca7d86cde01307c33f19ba1ff3d9264b563f2c62af91dd322

  • SSDEEP

    49152:857NjZf9Lvpl774uHqJvhG00+AnaRxYDLv7kNTqcwy47iRTpkP38:ElLzYbwna0vvgFeTit

Malware Config

Extracted

Family

cryptbot

C2

nkoopw11.top

moraass08.top

Targets

    • Target

      021fb6384caf7f0b9afadbe363849424073d001c162eaa30ec1c4e18359734ba.exe

    • Size

      1.8MB

    • MD5

      d8a8599e2325010e356d1bf13395e0af

    • SHA1

      689a59ba3a0c4cfcbae7201cc09a986bc968b8f2

    • SHA256

      021fb6384caf7f0b9afadbe363849424073d001c162eaa30ec1c4e18359734ba

    • SHA512

      a56632b88a8b5e2bb938ee68a6a672650d2386ea18975b9d58156f2ad9efac5e4d6fa574e4c28a213cffd5c44c0355c5005e04b9801c92fe2ceef4a342e08799

    • SSDEEP

      49152:6sOXm4VF5ZCVpSm3/gjkl0+827d/GpncQ:6nxwDf3IjX27ocQ

    • CryptBot

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • CryptBot payload

    • Cryptbot family

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Deobfuscate/Decode Files or Information

      Payload decoded via CertUtil.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks