cryptbot | 6922e893e81974f1e08e48308d8ad02bee4c79a924ec9f7d594024ba63582b20

General

Target

131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
Size

305KB
MD5

4309f4b4bb455f998d1fdf310cd83484
SHA1

4ee10072d4dff28efcd64d8dcd631760868d644b
SHA256

131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1
SHA512

3d730ec6e3b385a69fa62634f4776e98327bc8f5da6330b109d3de5b37339dcb97cf9bf489c548de23f6ff71b115e921d5179cf2606eba61783851462ba807bf
SSDEEP

6144:zWmk/wokUNpuDoAVUx99rpABXHxjdgwJids6m+8suhyiP:NswuNpQv299rpAVHxJgw0dsp+dTiP

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

befqlo52.top

mortos05.top

Attributes

payload_url
http://mincir07.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe

C:\Users\Admin\AppData\Local\Temp\131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
C:\Users\Admin\AppData\Local\Temp\131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe bcdedit /c set shutdown /r /f nbios /t 5
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JCebECGxPLn\LgBZYjBnLuLAwa.zip

Filesize
51KB

MD5
9bc492f7f994106ccb11b2dd5e1c1e3c

SHA1
aace84d9edc463e69e5a4cf3fd4a4e0dddfc618f

SHA256
0cfafaded8d9eb7d80ddd6f9b9410d6e3684f16e04b37c9a2d43f5464b702201

SHA512
56fab7ba816bfa1d5853eedc09e7959a4b52a77135513bc009e90b95c354c687c3ca9f22de1dbc5406ea796e714cf06d8b0e42fca600138d09ae7e732b2eecf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCebECGxPLn\_Files\_Information.txt

Filesize
5KB

MD5
d89ea8811bdd6c1436c2ced14ff1e360

SHA1
e82f32029bcab8c3b421157a5969f91ef4c2270d

SHA256
7891f6cac64a16a10d80e4c8116bc36b691df691f13f2bf122f73a417fdeb91f

SHA512
46eb84e35e1640b710ee1e5ab79f9ffd9c61ece2b0bc0c2475e3f855a789beef40ed90a6e8ebe7899c466a0f34b69a72922ca2ef4a1629ae9c8bc9bd4886c751

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCebECGxPLn\xjccdHdABGnGr.zip

Filesize
51KB

MD5
a1400eee9eeeaffe7dbbcd3f3359c246

SHA1
e0972eaec5fd5995baed7687b8be2ea466a9200b

SHA256
08091739f5225826946b7c1a0905ef37ba14f7d2136f061e974e0dce90caa370

SHA512
9e27bfe01d9399a729dfaf69bf336908efb4a5b7bbedf6258cd77ed14b222823f31735d29c69448b397e422223a456ed5bf2e26d1a0624719cd4c506f2642194

Download Submit
memory/4980-126-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-161-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-121-0x0000000002C70000-0x0000000002CB5000-memory.dmp

Filesize
276KB

Download
memory/4980-120-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-123-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4980-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4980-1-0x0000000002D20000-0x0000000002E20000-memory.dmp

Filesize
1024KB

Download
memory/4980-129-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-132-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-135-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-138-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-141-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-145-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-148-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-151-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-154-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-119-0x0000000002D20000-0x0000000002E20000-memory.dmp

Filesize
1024KB

Download
memory/4980-158-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-164-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-166-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-170-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-172-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-177-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-181-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-2-0x0000000002C70000-0x0000000002CB5000-memory.dmp

Filesize
276KB

Download
memory/4980-184-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-187-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-190-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-192-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-195-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-197-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-200-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-203-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-205-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/4980-208-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download

Resubmissions

Analysis

Sharing