cryptbot | 6922e893e81974f1e08e48308d8ad02bee4c79a924ec9f7d594024ba63582b20

General

Target

131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
Size

305KB
MD5

4309f4b4bb455f998d1fdf310cd83484
SHA1

4ee10072d4dff28efcd64d8dcd631760868d644b
SHA256

131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1
SHA512

3d730ec6e3b385a69fa62634f4776e98327bc8f5da6330b109d3de5b37339dcb97cf9bf489c548de23f6ff71b115e921d5179cf2606eba61783851462ba807bf
SSDEEP

6144:zWmk/wokUNpuDoAVUx99rpABXHxjdgwJids6m+8suhyiP:NswuNpQv299rpAVHxJgw0dsp+dTiP

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

befqlo52.top

mortos05.top

Attributes

payload_url
http://mincir07.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe

C:\Users\Admin\AppData\Local\Temp\131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
C:\Users\Admin\AppData\Local\Temp\131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe bcdedit /c set shutdown /r /f nbios /t 5
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:5896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FXUnNAqZy\YpgmQXpkoEw.zip

Filesize
46KB

MD5
ce6a2c0028ac5a1fb545a76f5b4a1da1

SHA1
53a8dcf84e290e2124a67bb158daf430aede2094

SHA256
80611d6206741ad20829935f98f58af77f85e4d2096bb35f96a48676f45cb052

SHA512
313ad48e372f46ea61fb87b333847a2bc0dee9e557855ebba3dc723c77455e38764de0d2a5b4080aaf37f7ec1f860de28cfd6b14696366bf2c08c48657fa60b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXUnNAqZy\_Files\_Information.txt

Filesize
7KB

MD5
9e9f42057b052b08dce3e9b7b6c4196d

SHA1
c0fee09a4c1a300f355bd1d252a27712eabf132d

SHA256
f2634b71128fac6d337135f7e5749abae86f7b4af5daab224ee74fca49464711

SHA512
eaa3f8d2d770bb9a812c0b826cb05928fa77410e33a88f08042d26b5bc470f1173cbf0ca7b43b6ec9dce620dc109d62d4f03a5e0f6eb377a91867ef43a3da570

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXUnNAqZy\_Files\_Screen_Desktop.jpeg

Filesize
51KB

MD5
b447c2758dec30d2cb0f8b3d03e77bee

SHA1
455a66be91f876d0fd3928a4e29a55ead48479c0

SHA256
6e7bf6ed335a940dcbb1c36f4fd5194469c12573182fcab69be0328531b9975d

SHA512
b4b1c06177df17d5298d2046c162d5ac37a45183f631c563ddd137f303c2df262ddd842f8876629918d65eeaf0bacba94188e2d8fa93c70aa35ee2560654c927

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXUnNAqZy\ksNpALDQEkAos.zip

Filesize
46KB

MD5
957d10c58dee7fdff4de9047ff22e8a1

SHA1
997fda39a4010529f2f14cd6c4514de9fd641dcb

SHA256
9ee3931036af02b501d06432406452251ef9d5c50ba94fa6afd51f89e7ae2c8d

SHA512
72175cb5e340bcc22a33f31c30efc0b31de484bee4602b49e7d5a441c0ee8bb5e5819ed801969f076f5f953bdbcb5a27912515d110014dde43abbe83435952c9

Download Submit
memory/5896-147-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-157-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-121-0x0000000002B90000-0x0000000002BD5000-memory.dmp

Filesize
276KB

Download
memory/5896-120-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-123-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5896-125-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5896-128-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-131-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-133-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-136-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-139-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-142-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-145-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-2-0x0000000002B90000-0x0000000002BD5000-memory.dmp

Filesize
276KB

Download
memory/5896-151-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-154-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-119-0x0000000002D00000-0x0000000002E00000-memory.dmp

Filesize
1024KB

Download
memory/5896-159-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-162-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-166-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-168-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-172-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-175-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-182-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-185-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-1-0x0000000002D00000-0x0000000002E00000-memory.dmp

Filesize
1024KB

Download
memory/5896-188-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-191-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-194-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-197-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-200-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-203-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-206-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/5896-209-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download

Resubmissions

Analysis

Sharing