cryptbot | 63be92fd1c59c06bf508be25efd2d490143f86dea412f507738111da7e516ddb

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df8a640b27ba57ed68bd74d105225fb2.exe
Size

1.4MB
MD5

df8a640b27ba57ed68bd74d105225fb2
SHA1

0acb4fd31f72087c30cfca2e7e02567fd3793881
SHA256

63be92fd1c59c06bf508be25efd2d490143f86dea412f507738111da7e516ddb
SHA512

6c0f2bc513d808a1d35ed8458843e452e7fd58f925b25b502c48c83c4cd50e5a415f6636e263ea42c8a4f0be6a3e3e812fdbe080d01db58f62ea9110ee198308
SSDEEP

24576:wg41CI4yDlcBuTWT93Y15QmX9uTPGhPKFp3GAeTWqCQi364Iqhl+PPrA/hkGhdHT:94v4UcB3I8mX9sPGhPOGAyWd64Iqh08h

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

haiusm13.top

morhas01.top

Attributes

payload_url
http://zelcax01.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1844-28-0x0000000003960000-0x0000000003A03000-memory.dmp	family_cryptbot
behavioral1/memory/1844-29-0x0000000003960000-0x0000000003A03000-memory.dmp	family_cryptbot
behavioral1/memory/1844-30-0x0000000003960000-0x0000000003A03000-memory.dmp	family_cryptbot
behavioral1/memory/1844-31-0x0000000003960000-0x0000000003A03000-memory.dmp	family_cryptbot
behavioral1/memory/1844-250-0x0000000003960000-0x0000000003A03000-memory.dmp	family_cryptbot

Executes dropped EXE 2 IoCs

Processes:

Congiunte.exe.comCongiunte.exe.com

pid process

2836 Congiunte.exe.com
1844 Congiunte.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeCongiunte.exe.com

pid process

1988 cmd.exe
2836 Congiunte.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2836	Congiunte.exe.com
1844	Congiunte.exe.com

pid	process
1988	cmd.exe
2836	Congiunte.exe.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

df8a640b27ba57ed68bd74d105225fb2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	df8a640b27ba57ed68bd74d105225fb2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Congiunte.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Congiunte.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Congiunte.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1676 PING.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Congiunte.exe.com

pid process

1844 Congiunte.exe.com
1844 Congiunte.exe.com

pid	process
1676	PING.EXE

pid	process
1844	Congiunte.exe.com
1844	Congiunte.exe.com

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

df8a640b27ba57ed68bd74d105225fb2.execmd.execmd.exeCongiunte.exe.com

description	pid	process	target process
PID 2008 wrote to memory of 2316	2008	df8a640b27ba57ed68bd74d105225fb2.exe	dllhost.exe
PID 2008 wrote to memory of 2316	2008	df8a640b27ba57ed68bd74d105225fb2.exe	dllhost.exe
PID 2008 wrote to memory of 2316	2008	df8a640b27ba57ed68bd74d105225fb2.exe	dllhost.exe
PID 2008 wrote to memory of 2316	2008	df8a640b27ba57ed68bd74d105225fb2.exe	dllhost.exe
PID 2008 wrote to memory of 2252	2008	df8a640b27ba57ed68bd74d105225fb2.exe	cmd.exe
PID 2008 wrote to memory of 2252	2008	df8a640b27ba57ed68bd74d105225fb2.exe	cmd.exe
PID 2008 wrote to memory of 2252	2008	df8a640b27ba57ed68bd74d105225fb2.exe	cmd.exe
PID 2008 wrote to memory of 2252	2008	df8a640b27ba57ed68bd74d105225fb2.exe	cmd.exe
PID 2252 wrote to memory of 1988	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 1988	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 1988	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 1988	2252	cmd.exe	cmd.exe
PID 1988 wrote to memory of 2980	1988	cmd.exe	findstr.exe
PID 1988 wrote to memory of 2980	1988	cmd.exe	findstr.exe
PID 1988 wrote to memory of 2980	1988	cmd.exe	findstr.exe
PID 1988 wrote to memory of 2980	1988	cmd.exe	findstr.exe
PID 1988 wrote to memory of 2836	1988	cmd.exe	Congiunte.exe.com
PID 1988 wrote to memory of 2836	1988	cmd.exe	Congiunte.exe.com
PID 1988 wrote to memory of 2836	1988	cmd.exe	Congiunte.exe.com
PID 1988 wrote to memory of 2836	1988	cmd.exe	Congiunte.exe.com
PID 1988 wrote to memory of 1676	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1676	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1676	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1676	1988	cmd.exe	PING.EXE
PID 2836 wrote to memory of 1844	2836	Congiunte.exe.com	Congiunte.exe.com
PID 2836 wrote to memory of 1844	2836	Congiunte.exe.com	Congiunte.exe.com
PID 2836 wrote to memory of 1844	2836	Congiunte.exe.com	Congiunte.exe.com
PID 2836 wrote to memory of 1844	2836	Congiunte.exe.com	Congiunte.exe.com

C:\Users\Admin\AppData\Local\Temp\df8a640b27ba57ed68bd74d105225fb2.exe
"C:\Users\Admin\AppData\Local\Temp\df8a640b27ba57ed68bd74d105225fb2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Ricordate.ppt
2⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^sAlOwSRkffDQRIpqoxRyxgxGHOTkPJCaPVwkEpEUxgFMeGWAoKZpPfFruDuhYFvFMkqWGYvYPXKyJHDwRaryKaCAdYywrdWOSqqRFqTpgwzSEAxmZtvFCdVzJAFITxUnqVhJHMvQmTRIZJVQEGwYU$" Chiedergli.ppt
4⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunte.exe.com
Congiunte.exe.com k
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunte.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunte.exe.com k
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:1844

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 30
4⤵
- Runs ping.exe
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiedergli.ppt
Filesize
872KB

MD5
7484935a5926b82e75b887c088116124

SHA1
4c618326ca9d79cea9e965b4f466aa090992f879

SHA256
c02d3ec1eb496fec19e09155f32f3e029bc093f992391bc5e6bdc070e2f07d73

SHA512
a6d69c3632a6b8c8205a15f988b4e48c622b52a06139ed3fa713be5ea2a6598ffe570a41e38596c706f39a68be78765dd9649b1f72cff401785b115fe66c0835

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunte.exe.com
Filesize
384KB

MD5
16caf563e4f5e233830f744c6a5f7c8f

SHA1
f781991271cf75b72a4cd2d1b3d09c3174fc04de

SHA256
55cac62e2a0754bfbb38d0799c01dfb60b7178f01d4d20882d7be0c5832dd5f3

SHA512
5dc0b468ebdba6fb8a22c0372382a228c7a2c4aa14915c991b09870af671a550b1ac720c090aca66901a41b59c4a9aa3b60411ce69f90bc90e0c15b8e2399139

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunte.exe.com
Filesize
320KB

MD5
061f2b617af3ee73f7b065c2cd169b97

SHA1
d9798abdb6aedb4b8593115d7911cbfb32bce4f2

SHA256
52772775f9ac9c2dbc6c2e4a8cfb4bbab2f7de1f9ac705a634e78edf2987cacb

SHA512
e1dbbc3a58ae6d0765edd5347e5af58635f463aca580e26937b15d048a5863cde05c3e80a35c96bc62a70d44c8b66fdb4d325c849cff676d5fe0ad62676da44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ricordate.ppt
Filesize
580B

MD5
8af4f52e6b5c5e8b75b4896269822897

SHA1
a5d2aa9295fcd0564fbc56e111e761f9cec44f98

SHA256
e8f99ceb985beacb62bd58e52c1559e70964cb58642889dc5dfc02ac011577a6

SHA512
c186acf777e74c1143d34a6df6e8a1e6dfcdccdbe9b4f16a177f46127036546245b2cc8e8ce5f248ace5385cf7d472093d0bf00d3bdf5bbbc0841948e3b83a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sfaldavano.ppt
Filesize
634KB

MD5
583b1b8e296e1ac5c9bfbbea75535ae2

SHA1
99fce7f722eee8a5e6008a55ba7f91f80ea772d3

SHA256
bbcd3d461757a7bc3313eed80243e13a03672b534caae3cd91779f2716196758

SHA512
7dfe528f7d5f9d1e066b7c892ec565b1c85e393bd95c8decd14e6013146405fa5d23f0e803bdce3c2694309160125f3af8f79ed0ed87d397a12cdaac86225701

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tenue.ppt
Filesize
668KB

MD5
7e91e5014e1b4f01958d566835ffd147

SHA1
4dc51048b6b51118a08b4770fae94a4c31da0ed9

SHA256
46c707057c1fd67eb08a9d1b229ff97b82338f17a450295f46c97c316972b358

SHA512
3fe3a7b0a1bbd8666e25c4a021bb86c5949dfb75edc97c66e23aa4447a1dd815979c78ae3b590816777cf744c08828acb29d728b20fcd37a83aaa34e1c0c6fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\voiNHfOqlW7\_Files\_Information.txt
Filesize
5KB

MD5
55ceefabf6682c77d510c16595e2099d

SHA1
95a706a8c90ca9053fe74c71e4208ab944a8ff49

SHA256
92eb78a6563bcde6d15218ebfec93d23d6b728ff9e766eb4d81db556bc91a190

SHA512
2e6a0d02314f83153096e3e6fd1cf8104a75363265767b13a14fde16bcb1ffac042afdfdd876128bb3fd550414892dbcd2f14fc9d5318c469ecf3981442fc125

Download Submit
C:\Users\Admin\AppData\Local\Temp\voiNHfOqlW7\_Files\_Information.txt
Filesize
1KB

MD5
f84ae597c64417c92dedb9588fd6ea60

SHA1
c6096b42e0f9a2f838537f5a025b293272adcc79

SHA256
05e5067a6ead0934c3e42c8e063c67660e76a77706e0964add406263e1cb9336

SHA512
2b498b6b02320c753208c2c8de8df4b830e4eac6193427d2df6222b81a0c6649da1b4e64590bfa87991c14c5c0a58ccb640098da7273ded98daf10089011508b

Download Submit
C:\Users\Admin\AppData\Local\Temp\voiNHfOqlW7\_Files\_Information.txt
Filesize
3KB

MD5
1cf9be70270d320378bf912a2a22372a

SHA1
4fd6546ef34d31cf9ccd0567419d6633f140f186

SHA256
52debf9f1ee49c1f49477fc94859b3a46ef1b35133d497351dd81e13e1429308

SHA512
79d30ae0366ed9dfdec59fcca9d1eba85af747512b3c0bee398eef36f3ed5d1063eb78d1f0d000c97b691fec6a0f6f4acec99a540c3c84c5d0816265dd561656

Download Submit
C:\Users\Admin\AppData\Local\Temp\voiNHfOqlW7\_Files\_Information.txt
Filesize
3KB

MD5
b788d9216a4ce77bcb893c3838844641

SHA1
471ba32aa15161b3cba6868731e7829c24ec48da

SHA256
3f2b5aa4e8a7a023c723b352b77fa4412941400b9b6adf83ffd419eec14e6c3e

SHA512
c7cfa02dd8d7576d684b5aadb98520ae804c082cc7b0c59bf2d9f9c6b38e4c62761443496a16d802e853f3f53e402387b4c8397090a526993628c69e67efb75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\voiNHfOqlW7\_Files\_Information.txt
Filesize
3KB

MD5
7cf0b9b7823e87797f169684b7af4ee7

SHA1
163f67df0bd19c3951df734b22b200003fb84fe0

SHA256
17ea5f7d2ec015facea76098569208c95ddfbe23176a2f02c74da626ff66700b

SHA512
ee2cd5ac126a6e3993dc4bcf2b8b8b9b46b2de4b03e47afea59026119b9cc8729e4f02e3587bbb1ca80892d17d19919d2e258127de35a92ee405189ab9df9c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\voiNHfOqlW7\_Files\_Screen_Desktop.jpeg
Filesize
45KB

MD5
6feb33eb3ea0f36bf7ee93e0ff1869f5

SHA1
a775577168eac1d923f7bec2dc8eec1db52040ab

SHA256
3f99e34f2955131da5196fdcab9d48d5fb8a7222cabcb3eb8a991bd8fe4de00d

SHA512
6cf448c0ffddb44d127746e7d60a7ce48e79926afce1489a758a0ec39865ffb19bfdf5435ed841d44bf992fe71dddd9ff634ce1bc5c583d830251b8a1236a99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\voiNHfOqlW7\cY0r7hfyxIH2.zip
Filesize
38KB

MD5
e0d535f81f842701193c63c12345bbf1

SHA1
371c2b5167815afdeeb8aef902669337fe7848cb

SHA256
da4675e1aa98e859fd3af3f1d690dafdf3ec486832df9e8b1ab17cfc9f0f97e9

SHA512
23d183b8738fc3531ee89c93c648780dc7a90e56fa5ec84b7282e3729e341246e2a6bd26b2dff37059f8e9c8a096cee03b1344aa0ada69daea8d0c837605eeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\voiNHfOqlW7\files_\system_info.txt
Filesize
1KB

MD5
58db85e8765548e0d0e0d76555825107

SHA1
dce7a7809a48e8f549d3bef6f3aed67a08594892

SHA256
40fd5410d2c880a873e1f4a661650a82a74b3a6b8242f1bfd19d1a955d3406ae

SHA512
d74c978e15b8cb62018e80456c6cc2705bf02987343cb1f160c28da5aebeab7032d070ec851eae2c597454038c8985d7005c7c4433d3434d6d6bf59a7bd1a8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\voiNHfOqlW7\files_\system_info.txt
Filesize
3KB

MD5
3865cb07a872e685e3125f605a7e0977

SHA1
66b7518b2b23098a16ed3f519b4556aca6dab323

SHA256
403c02745b1d9137972f5f613f2913c8240ebe58aa191dbe5281bcae17524c59

SHA512
0400e8dce7997dff95209e527d7030e1e069696cab3e8b1f6999c967b0717431ebb758e2cb5912e7fc098f0e048ecf212ee55be2497ff321ab85db98eaf84067

Download Submit
C:\Users\Admin\AppData\Local\Temp\voiNHfOqlW7\files_\system_info.txt
Filesize
3KB

MD5
909700ed145efa320153972ec9115dda

SHA1
8c93f9358ba556bd4da9e1c16ddb7e66cd9f0534

SHA256
10447bccfeea1e9b023cc1680b77baebcfa140688a5967f27e33adbab0adb653

SHA512
869f08e1cbad102db8379e679f88702d3ef9621e3fb3ee04c4cc0a97ced9b3ae9867331a24b2fd0d26308abb214a4477eeefc2204f743b59961011e53e306953

Download Submit
C:\Users\Admin\AppData\Local\Temp\voiNHfOqlW7\files_\system_info.txt
Filesize
5KB

MD5
b621d75e3cd829628bdc16b2ca49118a

SHA1
1e021cb7b20a305aa83664888bc097155c3e599d

SHA256
76a775f7d1a6f64cf5b42530c9996185088f54458dac97bfec5417596a841cc5

SHA512
53a1d0009939986a0ac9458631ffe90e373ff6d7cf7aa8c416b1f94a45a9e81c17b6e6dff090cfad5458462f7f2952cc7d9b8f5bc5d9d6e528a0cc1e81fba2ff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunte.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunte.exe.com
Filesize
448KB

MD5
198c2107147f05ed821c761617e3cfcb

SHA1
42f8af1e1a5ef0b08c09bccf3713fd13b2edaae0

SHA256
7005bb5f6e3710a888cb03fa55ed2032cc52b110375bdef44eea00de9c994353

SHA512
2be55ce9c78cdef7a93a14b913dd1b4e07fae46259f1f7387fb273a9bb580b2809f72a6804e52172b3d8901c746d25799619cdd75aa0b348d406d8f7d5b8dc98

Download Submit
memory/1844-28-0x0000000003960000-0x0000000003A03000-memory.dmp

Filesize
652KB

Download
memory/1844-26-0x0000000003960000-0x0000000003A03000-memory.dmp

Filesize
652KB

Download
memory/1844-27-0x0000000003960000-0x0000000003A03000-memory.dmp

Filesize
652KB

Download
memory/1844-30-0x0000000003960000-0x0000000003A03000-memory.dmp

Filesize
652KB

Download
memory/1844-29-0x0000000003960000-0x0000000003A03000-memory.dmp

Filesize
652KB

Download
memory/1844-32-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1844-31-0x0000000003960000-0x0000000003A03000-memory.dmp

Filesize
652KB

Download
memory/1844-25-0x0000000003960000-0x0000000003A03000-memory.dmp

Filesize
652KB

Download
memory/1844-250-0x0000000003960000-0x0000000003A03000-memory.dmp

Filesize
652KB

Download
memory/1844-252-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1844-24-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download