cryptbot | 6922e893e81974f1e08e48308d8ad02bee4c79a924ec9f7d594024ba63582b20

Resubmissions

26/03/2025, 10:06

250326-l46fcswqt7 10

26/03/2025, 06:54

250326-hn7fyasls3 10

Analysis

max time kernel
237s
max time network
242s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/03/2025, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
Size

305KB
MD5

4309f4b4bb455f998d1fdf310cd83484
SHA1

4ee10072d4dff28efcd64d8dcd631760868d644b
SHA256

131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1
SHA512

3d730ec6e3b385a69fa62634f4776e98327bc8f5da6330b109d3de5b37339dcb97cf9bf489c548de23f6ff71b115e921d5179cf2606eba61783851462ba807bf
SSDEEP

6144:zWmk/wokUNpuDoAVUx99rpABXHxjdgwJids6m+8suhyiP:NswuNpQv299rpAVHxJgw0dsp+dTiP

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

befqlo52.top

mortos05.top

Attributes

payload_url
http://mincir07.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Deletes itself 1 IoCs

pid	Process
1288	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3008	timeout.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1288	2548	131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe	30
PID 2548 wrote to memory of 1288	2548	131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe	30
PID 2548 wrote to memory of 1288	2548	131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe	30
PID 2548 wrote to memory of 1288	2548	131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe	30
PID 1288 wrote to memory of 3008	1288	cmd.exe	32
PID 1288 wrote to memory of 3008	1288	cmd.exe	32
PID 1288 wrote to memory of 3008	1288	cmd.exe	32
PID 1288 wrote to memory of 3008	1288	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
C:\Users\Admin\AppData\Local\Temp\131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe bcdedit /c set shutdown /r /f nbios /t 5
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\fQekqnvghc & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2548-1-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

Filesize
1024KB

Download
memory/2548-2-0x0000000000220000-0x0000000000265000-memory.dmp

Filesize
276KB

Download
memory/2548-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2548-6-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2548-5-0x0000000000220000-0x0000000000265000-memory.dmp

Filesize
276KB

Download
memory/2548-4-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download