cryptbot | 5c41a08eabd0556a0f493ef5b1554437a15880a8da4fa9290eca5b5f1e91a975

General

Target

6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a.exe
Size

361KB
MD5

724e8026fcd687cbd7808408ffbdd3ab
SHA1

d9243d3b0aa7a8d6b58b7f6f7065c9e55d4fcb34
SHA256

6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a
SHA512

28b183e5b55f2e6d57d33b571119400f149910077156b5ecd46cef95b6b6ec1e449bba05f4e2a61948d2ea55b667982e0b8a7e2f339ef7c7ac1f34fe437fc6a3
SSDEEP

6144:haYcHyGtkpjwwj9azy/DcWWrktaxJwPR3:gTHXt279+y/DcWWrFxJM

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

befyum42.top

morkoe04.top

Attributes

payload_url
http://mindoi05.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a.exe

C:\Users\Admin\AppData\Local\Temp\6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a.exe
"C:\Users\Admin\AppData\Local\Temp\6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gdlbKOLMvo\_Files\_Information.txt

Filesize
5KB

MD5
2bf01caa35dca128bdc84f48faea596e

SHA1
07e278d5ef7e03f6fe0a720ef61c4feeeaf63bf0

SHA256
850cfa1cecac9fc7d6289f2e039a24b7a1efa28e869723355abf71d337fb8712

SHA512
b73746f397d34f7870741bb0895541cbbba0b3a439356abc1bc699fac19076964e83b453a4e3aba2d50639cbabcbae973b94292fe49b031647bba59caefd40da

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdlbKOLMvo\_Files\_Screen_Desktop.jpeg

Filesize
56KB

MD5
b295ad7c68bfddf0f2efd183642b8ff2

SHA1
57499af38da00be4791cb4b38b5333e96f9b83cd

SHA256
4cace41b8b9afdd7ca74b5b25d8e523f3dd5b098f75e5d63b5556d89d3b119a4

SHA512
d7fad97eb05a4fdf146e9291d11262ffc23cd92e57ca195ca94f6bd9df3ce9d19083ce08faf999c82553d2225c8f042479828b6a5adfed774259284425243c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdlbKOLMvo\fnASpLDCYe.zip

Filesize
51KB

MD5
66d1a82fa26bbc9fcf64035eea23c35f

SHA1
a86559221fdd658c21e3dade11f199586047af9c

SHA256
ce5e29220cc967f756be21c4daf6295432d799a16581c289d75c28ef143749fd

SHA512
ad390cad3df4c9f30facc37309c74067437cd1c2b0e0f2afbef1e4d2f103deba3d341b26701717b305122335724b200d6016c408d718d0eeee5e023942d09a1c

Download Submit
memory/5076-119-0x0000000002F50000-0x0000000003050000-memory.dmp

Filesize
1024KB

Download
memory/5076-132-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/5076-1-0x0000000002F50000-0x0000000003050000-memory.dmp

Filesize
1024KB

Download
memory/5076-120-0x0000000004AF0000-0x0000000004B35000-memory.dmp

Filesize
276KB

Download
memory/5076-122-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5076-121-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/5076-125-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/5076-2-0x0000000004AF0000-0x0000000004B35000-memory.dmp

Filesize
276KB

Download
memory/5076-128-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/5076-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5076-135-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/5076-138-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/5076-140-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/5076-144-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/5076-147-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/5076-149-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/5076-152-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/5076-155-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/5076-158-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/5076-160-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download

Analysis

Sharing