cryptbot | 5c41a08eabd0556a0f493ef5b1554437a15880a8da4fa9290eca5b5f1e91a975

General

Target

6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a.exe
Size

361KB
MD5

724e8026fcd687cbd7808408ffbdd3ab
SHA1

d9243d3b0aa7a8d6b58b7f6f7065c9e55d4fcb34
SHA256

6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a
SHA512

28b183e5b55f2e6d57d33b571119400f149910077156b5ecd46cef95b6b6ec1e449bba05f4e2a61948d2ea55b667982e0b8a7e2f339ef7c7ac1f34fe437fc6a3
SSDEEP

6144:haYcHyGtkpjwwj9azy/DcWWrktaxJwPR3:gTHXt279+y/DcWWrFxJM

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

befyum42.top

morkoe04.top

Attributes

payload_url
http://mindoi05.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a.exe

C:\Users\Admin\AppData\Local\Temp\6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a.exe
"C:\Users\Admin\AppData\Local\Temp\6dbc5053ef73f361771e017473f9d53b9df951cc9e0f1d31e1218033160f2b5a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FRmsjitPpg\HsxcrjDabo.zip

Filesize
49KB

MD5
285415e2ffacec6846da3cd5e214e400

SHA1
d23a6da2b79e9474b5df774812d23843cfc526f5

SHA256
3a2162179b2a59e6eb3ce3d0bdf620e21389d71aa0f01dcf7cf87549248290d8

SHA512
bae639083fe7c6676d517bfe3746799209a0ee3017f12b237ffe7fd4459835fa25da430f91b07dd60004e244686b0081ae55716bdb0ec83a7b6fd784149971eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRmsjitPpg\_Files\_Information.txt

Filesize
7KB

MD5
9b5e19189756b2359f05c826abab260e

SHA1
654c0c22b47821c53d4aa072d7eae2dec08afdaa

SHA256
a4b107378068010b85eb5f0df6278e5b62a965c96a30a40ee27af7ce36ef030e

SHA512
b93cbfca2cf6e25484fbb5ac69ca6e768fc32e4cb2dd3e7c0f28436fc1359d29f3f8f532f128d1c67a978fb19400b7cbcdafe2dfc9a99bf3a5d9172ed9e1913b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRmsjitPpg\_Files\_Screen_Desktop.jpeg

Filesize
54KB

MD5
b622f427b34ea4580672a199b577dd08

SHA1
536f4ce290b1faa94c0ef94dd9721b98fbdb7adc

SHA256
743f389d3206f521bf42825a98ab5b3b3cfd20f5d2ab670b2cba33af50659db9

SHA512
04937ca7dbbb62ce8378913234f420426eacc7d5a92b9d2669d0b4f9e37a2fd89f0e7441cf5df84d3e6fe7850d3be3decee9ec518cbeb333282243f54771b45f

Download Submit
memory/4932-119-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/4932-131-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/4932-1-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/4932-120-0x0000000004B10000-0x0000000004B55000-memory.dmp

Filesize
276KB

Download
memory/4932-122-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4932-121-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/4932-125-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/4932-2-0x0000000004B10000-0x0000000004B55000-memory.dmp

Filesize
276KB

Download
memory/4932-128-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/4932-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4932-135-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/4932-138-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/4932-141-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/4932-144-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/4932-147-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/4932-150-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/4932-153-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/4932-156-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/4932-159-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download
memory/4932-163-0x0000000000400000-0x0000000002DB1000-memory.dmp

Filesize
41.7MB

Download

Analysis

Sharing