cryptbot | 63be92fd1c59c06bf508be25efd2d490143f86dea412f507738111da7e516ddb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df8a640b27ba57ed68bd74d105225fb2.exe
Size

1.4MB
MD5

df8a640b27ba57ed68bd74d105225fb2
SHA1

0acb4fd31f72087c30cfca2e7e02567fd3793881
SHA256

63be92fd1c59c06bf508be25efd2d490143f86dea412f507738111da7e516ddb
SHA512

6c0f2bc513d808a1d35ed8458843e452e7fd58f925b25b502c48c83c4cd50e5a415f6636e263ea42c8a4f0be6a3e3e812fdbe080d01db58f62ea9110ee198308
SSDEEP

24576:wg41CI4yDlcBuTWT93Y15QmX9uTPGhPKFp3GAeTWqCQi364Iqhl+PPrA/hkGhdHT:94v4UcB3I8mX9sPGhPOGAyWd64Iqh08h

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

haiusm13.top

morhas01.top

Attributes

payload_url
http://zelcax01.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/992-25-0x0000000004950000-0x00000000049F3000-memory.dmp	family_cryptbot
behavioral2/memory/992-26-0x0000000004950000-0x00000000049F3000-memory.dmp	family_cryptbot
behavioral2/memory/992-27-0x0000000004950000-0x00000000049F3000-memory.dmp	family_cryptbot
behavioral2/memory/992-29-0x0000000004950000-0x00000000049F3000-memory.dmp	family_cryptbot
behavioral2/memory/992-236-0x0000000004950000-0x00000000049F3000-memory.dmp	family_cryptbot

Executes dropped EXE 2 IoCs

Processes:

Congiunte.exe.comCongiunte.exe.com

pid process

3828 Congiunte.exe.com
992 Congiunte.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3828	Congiunte.exe.com
992	Congiunte.exe.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

df8a640b27ba57ed68bd74d105225fb2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	df8a640b27ba57ed68bd74d105225fb2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Congiunte.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Congiunte.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Congiunte.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2844 PING.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Congiunte.exe.com

pid process

992 Congiunte.exe.com
992 Congiunte.exe.com

pid	process
2844	PING.EXE

pid	process
992	Congiunte.exe.com
992	Congiunte.exe.com

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

df8a640b27ba57ed68bd74d105225fb2.execmd.execmd.exeCongiunte.exe.com

description	pid	process	target process
PID 1672 wrote to memory of 3808	1672	df8a640b27ba57ed68bd74d105225fb2.exe	dllhost.exe
PID 1672 wrote to memory of 3808	1672	df8a640b27ba57ed68bd74d105225fb2.exe	dllhost.exe
PID 1672 wrote to memory of 3808	1672	df8a640b27ba57ed68bd74d105225fb2.exe	dllhost.exe
PID 1672 wrote to memory of 3464	1672	df8a640b27ba57ed68bd74d105225fb2.exe	cmd.exe
PID 1672 wrote to memory of 3464	1672	df8a640b27ba57ed68bd74d105225fb2.exe	cmd.exe
PID 1672 wrote to memory of 3464	1672	df8a640b27ba57ed68bd74d105225fb2.exe	cmd.exe
PID 3464 wrote to memory of 216	3464	cmd.exe	cmd.exe
PID 3464 wrote to memory of 216	3464	cmd.exe	cmd.exe
PID 3464 wrote to memory of 216	3464	cmd.exe	cmd.exe
PID 216 wrote to memory of 2704	216	cmd.exe	findstr.exe
PID 216 wrote to memory of 2704	216	cmd.exe	findstr.exe
PID 216 wrote to memory of 2704	216	cmd.exe	findstr.exe
PID 216 wrote to memory of 3828	216	cmd.exe	Congiunte.exe.com
PID 216 wrote to memory of 3828	216	cmd.exe	Congiunte.exe.com
PID 216 wrote to memory of 3828	216	cmd.exe	Congiunte.exe.com
PID 216 wrote to memory of 2844	216	cmd.exe	PING.EXE
PID 216 wrote to memory of 2844	216	cmd.exe	PING.EXE
PID 216 wrote to memory of 2844	216	cmd.exe	PING.EXE
PID 3828 wrote to memory of 992	3828	Congiunte.exe.com	Congiunte.exe.com
PID 3828 wrote to memory of 992	3828	Congiunte.exe.com	Congiunte.exe.com
PID 3828 wrote to memory of 992	3828	Congiunte.exe.com	Congiunte.exe.com

C:\Users\Admin\AppData\Local\Temp\df8a640b27ba57ed68bd74d105225fb2.exe
"C:\Users\Admin\AppData\Local\Temp\df8a640b27ba57ed68bd74d105225fb2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
PID:3808

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Ricordate.ppt
2⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^sAlOwSRkffDQRIpqoxRyxgxGHOTkPJCaPVwkEpEUxgFMeGWAoKZpPfFruDuhYFvFMkqWGYvYPXKyJHDwRaryKaCAdYywrdWOSqqRFqTpgwzSEAxmZtvFCdVzJAFITxUnqVhJHMvQmTRIZJVQEGwYU$" Chiedergli.ppt
4⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunte.exe.com
Congiunte.exe.com k
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunte.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunte.exe.com k
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:992

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 30
4⤵
- Runs ping.exe
PID:2844

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5tsWnN4O\_Files\_Information.txt
Filesize
1KB

MD5
85c69053a4be549d1f74156b5f3eb3ea

SHA1
de2c0e87015b6bc0bbba6954167693e9761841b6

SHA256
ab5a1c8276fac3f5d1d20c07a86260429f16e84c9413c31f70cbdb1673e40c46

SHA512
22628cf5912446399d9fd880acc7098c06de7463f855b7bd6ae259eeea90f2341f0a4b65d4ad306d446f8b07a506288b53b14c92dca5694687de58528ef20f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tsWnN4O\_Files\_Information.txt
Filesize
4KB

MD5
17ce7346f62678ffd2ee6c03a81379b3

SHA1
12b5f98780e80258518150ee7182c68ec31a9096

SHA256
a25676dfe61e29bca381704e3b53939aa75de9e69a451172bcb844624af13686

SHA512
ab5759f47470e627a5857fe138a5a3a20d02d7d10d6ad70e265ab24216efc4c1b143d518f6f4bb9a3f787219c6491ecd695ef1c8b20f79b7ba757a1cb319e848

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tsWnN4O\_Files\_Screen_Desktop.jpeg
Filesize
50KB

MD5
8a01ec45f1824277b8ed3f68a05a0dd2

SHA1
4380e7d642ea57397a3d66259feefc1d5813cdc4

SHA256
d11499f50f333b2433fd88ed1f33312ae6c1cec2305dfe36b6bbd115d3eeeefb

SHA512
08d0305a8523f10d87cdadb46ca4f66543ee572de80de60d8611f58fcc99c8f5d994acdbe1fa0d5d5ee0326ae33fcbc9b986b77f46fa4532b38d3b1d0eb6542a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tsWnN4O\files_\system_info.txt
Filesize
1KB

MD5
9043db74af6f9dba0945affb0e17769d

SHA1
006f1c7844d57883ec1296e62e5bcb75f2104be9

SHA256
0b3c05f6cf9898eed6f1dbe959c67939bcde8d49948c403f1466eccf73694970

SHA512
d53f744fa23f624e89cbc2fea40adfb18f279cf4a7e2e6ba32c2caf670cbc126ed04a274000692277ae4eede11c4015c60e2766615a4e94e0d7eb85c90c60c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tsWnN4O\files_\system_info.txt
Filesize
2KB

MD5
59ceeb5b45e82b13815d6e3603a2064c

SHA1
ff97ab23301af703a8625ec4251e5c1d1803811a

SHA256
3215245d1651a730060d770272c7089e6f74169715d62b9cdb28ccad1da7220e

SHA512
28f05d166d3e3bca1c2f8be8a30affe1c31a03cc18dec28a0eda7c6e1b0ca50445a7da0440c7ba80948f7ff93f355009b5d1cc10dee02c0f5214933ab7eff878

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tsWnN4O\files_\system_info.txt
Filesize
2KB

MD5
b51ee501eb4d5bb7e22c04d1b4032519

SHA1
fddb1a491e4b600b6ca47e1393af79b6f36f3212

SHA256
16f7a6ce78f344aec87c921fe681e03031076dfe727eaf0a9c8270380059cc1f

SHA512
73d71d259e26b6d889349260e2b0760e73f490e1d7c201e64d7a7769f0f45041fd448aab765c7207e758675fbf45b312607c79b4cd3f3ba3b8d0474c7d6000b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tsWnN4O\files_\system_info.txt
Filesize
7KB

MD5
28004f0870b53d74fde74569f3944597

SHA1
6b1cd484800e1a9167943d557d1314f04c0c7885

SHA256
668a47269c7e5c291ef19099e70da98efb94169924690a6f7d67af845e7af0e5

SHA512
d7678c3101256c2b57434416803d21833fc556a8742f0982e606c0bcd38dc503c4ca46fab47b1fa9cb9a4f214a0cc389706e50690cd078cef5b95df913aa502e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tsWnN4O\osufpsPENo.zip
Filesize
44KB

MD5
8f33a1410a36e9ef695b761bb842ddea

SHA1
b3243d9cc6db4f3baf66236f29725a10a2bc0e14

SHA256
96e2fd907449aab3eed6038e32a9388ce5e6b4d7c89f4fd83ab0cca0166c47e7

SHA512
84c83c7fec6541cd5b23acbd8d8644f5bd5eba1424fc76d50e84ecbd45a917ae45e07e1da8826f3ecdefdb4a8c7e95ce7a6a5b2cae0faa3cc95d3e4ea511e5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiedergli.ppt
Filesize
872KB

MD5
7484935a5926b82e75b887c088116124

SHA1
4c618326ca9d79cea9e965b4f466aa090992f879

SHA256
c02d3ec1eb496fec19e09155f32f3e029bc093f992391bc5e6bdc070e2f07d73

SHA512
a6d69c3632a6b8c8205a15f988b4e48c622b52a06139ed3fa713be5ea2a6598ffe570a41e38596c706f39a68be78765dd9649b1f72cff401785b115fe66c0835

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunte.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ricordate.ppt
Filesize
580B

MD5
8af4f52e6b5c5e8b75b4896269822897

SHA1
a5d2aa9295fcd0564fbc56e111e761f9cec44f98

SHA256
e8f99ceb985beacb62bd58e52c1559e70964cb58642889dc5dfc02ac011577a6

SHA512
c186acf777e74c1143d34a6df6e8a1e6dfcdccdbe9b4f16a177f46127036546245b2cc8e8ce5f248ace5385cf7d472093d0bf00d3bdf5bbbc0841948e3b83a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sfaldavano.ppt
Filesize
634KB

MD5
583b1b8e296e1ac5c9bfbbea75535ae2

SHA1
99fce7f722eee8a5e6008a55ba7f91f80ea772d3

SHA256
bbcd3d461757a7bc3313eed80243e13a03672b534caae3cd91779f2716196758

SHA512
7dfe528f7d5f9d1e066b7c892ec565b1c85e393bd95c8decd14e6013146405fa5d23f0e803bdce3c2694309160125f3af8f79ed0ed87d397a12cdaac86225701

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tenue.ppt
Filesize
668KB

MD5
7e91e5014e1b4f01958d566835ffd147

SHA1
4dc51048b6b51118a08b4770fae94a4c31da0ed9

SHA256
46c707057c1fd67eb08a9d1b229ff97b82338f17a450295f46c97c316972b358

SHA512
3fe3a7b0a1bbd8666e25c4a021bb86c5949dfb75edc97c66e23aa4447a1dd815979c78ae3b590816777cf744c08828acb29d728b20fcd37a83aaa34e1c0c6fc4

Download Submit
memory/992-21-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/992-29-0x0000000004950000-0x00000000049F3000-memory.dmp

Filesize
652KB

Download
memory/992-27-0x0000000004950000-0x00000000049F3000-memory.dmp

Filesize
652KB

Download
memory/992-26-0x0000000004950000-0x00000000049F3000-memory.dmp

Filesize
652KB

Download
memory/992-25-0x0000000004950000-0x00000000049F3000-memory.dmp

Filesize
652KB

Download
memory/992-24-0x0000000004950000-0x00000000049F3000-memory.dmp

Filesize
652KB

Download
memory/992-23-0x0000000004950000-0x00000000049F3000-memory.dmp

Filesize
652KB

Download
memory/992-22-0x0000000004950000-0x00000000049F3000-memory.dmp

Filesize
652KB

Download
memory/992-236-0x0000000004950000-0x00000000049F3000-memory.dmp

Filesize
652KB

Download