cryptbot | e800748200482e5f07c3a95ec2207a913a328b296354d2844ce6db4bdae13c22

General

Target

2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe
Size

2.4MB
MD5

487903861a4dc2c9e0649f52508bf7d7
SHA1

2b9bc9d98fb1bc76e0f23b4b1ab9db62c8518f6f
SHA256

e800748200482e5f07c3a95ec2207a913a328b296354d2844ce6db4bdae13c22
SHA512

56c98153cc1e99d33547de73a2a6944606b8f31c4a7b1a0e1a8f136d73dc7e04181ce4667c967d860b8cc2bed046384698ef2e2fbe1e6da6c2b14b8bf9d18260
SSDEEP

49152:hWftyQyTqd0YWO4r7KcPxyv2H+edzkzLBvpNaYzp1IJY4YhEB92tz2G2:hIyngl+7KcPnQzLBvA7Bm

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5028	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe
244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe
244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe
244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe
244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe
244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe
244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe
244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe
244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe
244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe
244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 4952	244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe	105
PID 244 wrote to memory of 4952	244	2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe	105
PID 4952 wrote to memory of 5028	4952	cmd.exe	107
PID 4952 wrote to memory of 5028	4952	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\bJZTgokIQSmZ & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2025-04-07_487903861a4dc2c9e0649f52508bf7d7_black-basta_cryptbot.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\system32\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bJZTgokIQSmZ\47283761.txt

Filesize
147B

MD5
045a04805f1e840c73f59f0efee79343

SHA1
eddef47ccafb5050b8a90baf22c2ec224ede54ac

SHA256
6a141fa26b10450cb6b654a496463ebb7e7cf337dbbbef9ac4bc0c98ed7524e2

SHA512
943e435c8a8719d43d2d47df8bc08a0c1c78f8051008fd47e871ef70036c5c48e403363fd36a5de96073cc011e2396aac75ae8c79cb9ce1f3fa6c3fb29a3fbf9

Download Submit
C:\ProgramData\bJZTgokIQSmZ\Files\Files\Desktop\STARTD~1.TXT

Filesize
430KB

MD5
87f68c6043c37fb3413dc32acbf9272f

SHA1
23a3103e54685b682be1d123f15172f9c7e8d440

SHA256
ee85a69e429615a43eea79f6dfb24eab672a5311a3c9d23eb1527fc5ed19d719

SHA512
782b11798980197a949029fa2ba035c53f008fb07229bdde67cd8889d908e4bfe8f929a5f91755d95ccfbe43f511767a02afe957af419c9a7fa6cc05e06a8326

Download Submit
C:\ProgramData\bJZTgokIQSmZ\Files\_Info.txt

Filesize
10KB

MD5
11fa671a1ac63a397a44267cbb8a7fc0

SHA1
63675df51b1be2d8b31466ea50aed598225598c4

SHA256
25fa3311c33523af8388391c169d2c14fb1d15a4b2455577d497f1b5bbc40052

SHA512
7e1a2445685ffdb46d958352317bf44d445974e5618720a38e4aa5b52635e2b5801cac8bcddca44a912741ab17f9e1c35abf6ff0a8842ccd9d46aa7da3badb21

Download Submit
C:\ProgramData\bJZTgokIQSmZ\Files\_Screen.jpg

Filesize
57KB

MD5
eddbe2e2c0a0427f353a0b4c01509298

SHA1
0fbbc53ac94ed19012835fe76b4ae34730337925

SHA256
3a05febb3217532c21b9980c633d42580ccd9ca06b189cdd6c8f179b606135a4

SHA512
aba4717b6b33e9f9c931ed074d819fa244d798fd7e87e5b10e726e18d05f7e16a2965627e885183ad6d64849cd82d002ba9ed66669bd99d76f70cf6e66e8f1e1

Download Submit
C:\ProgramData\bJZTgokIQSmZ\HgulO5VygYyAWR.zip

Filesize
484KB

MD5
75edaead37ec7080d99d6d62694f3645

SHA1
3b82cd96482acc45cb1a23c44e2141af3116fbc0

SHA256
e3fa45095ac32191bffd261d05accd1d7c8c81ac33b07ffe4cfc17f34cde9bde

SHA512
f7292357bb7f7b1e8a27c1775aa11a02d18fd2e254222449d20d66bcf4c5f7c25c0ffef27e650b54903c72a52ba66de003a6c510c26ff06e8953bc487da5a23c

Download Submit
C:\ProgramData\bJZTgokIQSmZ\MOZ_CO~1.DB

Filesize
96KB

MD5
6066c07e98c96795ecd876aa92fe10f8

SHA1
f73cbd7b307c53aaae38677d6513b1baa729ac9f

SHA256
33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

SHA512
7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

Download Submit
memory/244-0-0x0000000140000000-0x0000000140437000-memory.dmp

Filesize
4.2MB

Download
memory/244-1-0x0000000140000000-0x0000000140437000-memory.dmp

Filesize
4.2MB

Download
memory/244-237-0x0000000140000000-0x0000000140437000-memory.dmp

Filesize
4.2MB

Download
memory/244-264-0x0000000140000000-0x0000000140437000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads