cryptbot | bb33888bcc3646f998d17be14e452edbe436fde2bc4d590e5989abc741114170

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e17a857d7e34fd726086174cdceae706.exe
Size

1.4MB
MD5

e17a857d7e34fd726086174cdceae706
SHA1

0d79caffb9270e68d920a51247ae8fc93240bad6
SHA256

bb33888bcc3646f998d17be14e452edbe436fde2bc4d590e5989abc741114170
SHA512

bd253c2139b04991b70dcad0f7c6be085224e91fe4d1171db828dbec6841184137258fb74f42e2254fcc1a93389f46940d7aae541bcfa1d4b2699aa7b4d2e7b0
SSDEEP

24576:PXUr3692k9R/BNQhEa2rnEs3H5fgxNrtvUl1IGB9Yg7p4R5KXltds2uL3uOM901a:PUr3TavQhPSEcHuvUl1IGB9YgqmRVBOc

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

ewaunl38.top

morxeg03.top

Attributes

payload_url
http://winxob04.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2736-26-0x0000000004000000-0x00000000040A3000-memory.dmp	family_cryptbot
behavioral1/memory/2736-27-0x0000000004000000-0x00000000040A3000-memory.dmp	family_cryptbot
behavioral1/memory/2736-28-0x0000000004000000-0x00000000040A3000-memory.dmp	family_cryptbot
behavioral1/memory/2736-29-0x0000000004000000-0x00000000040A3000-memory.dmp	family_cryptbot
behavioral1/memory/2736-236-0x0000000004000000-0x00000000040A3000-memory.dmp	family_cryptbot

Executes dropped EXE 2 IoCs

Processes:

Chiedergli.exe.comChiedergli.exe.com

pid process

3464 Chiedergli.exe.com
2736 Chiedergli.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3464	Chiedergli.exe.com
2736	Chiedergli.exe.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e17a857d7e34fd726086174cdceae706.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e17a857d7e34fd726086174cdceae706.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Chiedergli.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Chiedergli.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Chiedergli.exe.com

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Chiedergli.exe.com

pid process

2736 Chiedergli.exe.com
2736 Chiedergli.exe.com

pid	process
2736	Chiedergli.exe.com
2736	Chiedergli.exe.com

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

e17a857d7e34fd726086174cdceae706.execmd.execmd.exeChiedergli.exe.com

description	pid	process	target process
PID 1552 wrote to memory of 1744	1552	e17a857d7e34fd726086174cdceae706.exe	cmd.exe
PID 1552 wrote to memory of 1744	1552	e17a857d7e34fd726086174cdceae706.exe	cmd.exe
PID 1552 wrote to memory of 1744	1552	e17a857d7e34fd726086174cdceae706.exe	cmd.exe
PID 1552 wrote to memory of 32	1552	e17a857d7e34fd726086174cdceae706.exe	cmd.exe
PID 1552 wrote to memory of 32	1552	e17a857d7e34fd726086174cdceae706.exe	cmd.exe
PID 1552 wrote to memory of 32	1552	e17a857d7e34fd726086174cdceae706.exe	cmd.exe
PID 32 wrote to memory of 4408	32	cmd.exe	cmd.exe
PID 32 wrote to memory of 4408	32	cmd.exe	cmd.exe
PID 32 wrote to memory of 4408	32	cmd.exe	cmd.exe
PID 4408 wrote to memory of 1176	4408	cmd.exe	findstr.exe
PID 4408 wrote to memory of 1176	4408	cmd.exe	findstr.exe
PID 4408 wrote to memory of 1176	4408	cmd.exe	findstr.exe
PID 4408 wrote to memory of 3464	4408	cmd.exe	Chiedergli.exe.com
PID 4408 wrote to memory of 3464	4408	cmd.exe	Chiedergli.exe.com
PID 4408 wrote to memory of 3464	4408	cmd.exe	Chiedergli.exe.com
PID 4408 wrote to memory of 920	4408	cmd.exe	choice.exe
PID 4408 wrote to memory of 920	4408	cmd.exe	choice.exe
PID 4408 wrote to memory of 920	4408	cmd.exe	choice.exe
PID 3464 wrote to memory of 2736	3464	Chiedergli.exe.com	Chiedergli.exe.com
PID 3464 wrote to memory of 2736	3464	Chiedergli.exe.com	Chiedergli.exe.com
PID 3464 wrote to memory of 2736	3464	Chiedergli.exe.com	Chiedergli.exe.com

C:\Users\Admin\AppData\Local\Temp\e17a857d7e34fd726086174cdceae706.exe
"C:\Users\Admin\AppData\Local\Temp\e17a857d7e34fd726086174cdceae706.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c TUDT
2⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Strana.wp5
2⤵
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^nRbIHrjhROsLXFueoUCGQaWCHgmJCoQJrlsRitwXrDfNQMIBNWdHgwJuVVwaECKIXIIMgfVtTECjeoLUGXWGSpxwBlVkeIzATHQotVhnqkNKnvtMp$" Immobile.wp5
4⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiedergli.exe.com
Chiedergli.exe.com G
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiedergli.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiedergli.exe.com G
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2736

C:\Windows\SysWOW64\choice.exe
choice /C YN /D Y /t 30
4⤵
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Appare.wp5
Filesize
634KB

MD5
850ba5203f74cc78bb761aed31e81e61

SHA1
43bdb99dcd563d9b07048ff72df51e5ba0d6c5f1

SHA256
b777a66f67dac35288f79686fc896ae1bf8af01a9a13c145a593dfd3fc850c36

SHA512
e8ec81f9efe21dd7017f08b820228dd428e186ee76d03cfa4517ea8df093922bdecf4cca437a5a295e3cf4fcbea80e19011848809392a2cdf1e6611d5441972e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiedergli.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Immobile.wp5
Filesize
872KB

MD5
1c42332a450e81729fe1352f8fa970c2

SHA1
008462f7dbe1e3af572fa00939f72d02b83fa56c

SHA256
af9373692e87d065d0b86accb27a67fb9cb082d216c1728396c13faf96d91ed4

SHA512
fcc825914b0dc35f8ec1fa2123883d0ef7e9562bf1f68c63cd38eee79efa8da87df67b6803115c8514f90f36b920b94d038760c598869f6619b20bcf35565667

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Strana.wp5
Filesize
463B

MD5
26469eac62fa8c16d8433ec5df9629ab

SHA1
d46033d8720e31c7818e725b0086e90c99d8fd3a

SHA256
df0ff4da066849fc08b1640304b3961858924f93cf8fd2590d311af62badc915

SHA512
a347f0e3ffc400176f882f18227bdb76d0325bde6385f8420910b992ee066e93ba805fa9da879f17bc7a79a5fafcee38f97207ece437002961bbf421ee07d910

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sul.wp5
Filesize
707KB

MD5
636aabdf2b343aacd4954aa9faa69505

SHA1
89fa340953f7a59eb68f0cf80e8efee8618b4136

SHA256
72afe7d22814a1e35acba3c8f91a96d38947a04ff90b49c9fd5fd25f0da2e958

SHA512
67c4926ab7242f2128c96dce2cf836180eb94aa90e068b784d6c4b64589de609c5c0b5c30afb05d9145262836eccb1eb134065907ab64452d33d60530200bfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ti451uxT1i\SpQOr0XWdht.zip
Filesize
39KB

MD5
29ee7c90cc717642e610a809c3de61d5

SHA1
e0b51ac453de241722d7eab31ff2999217474579

SHA256
b24ef344885c976dea6db053a80bd783783312ba11179c0aa07109f75e2ee511

SHA512
947910da5ecb6c18bc993d28dd68d075609ecc479ef473c73837369c9d9ed671e86a52b4ef61ebf5487c377ae1a48cad8f8d069a0644c208cc729aa36dc8ba6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ti451uxT1i\_Files\_Information.txt
Filesize
2KB

MD5
e30b50b23169c2beb58114aa4d6c7893

SHA1
d6bf3d25c54d2b8079dfe838a70119f6a14c4dbc

SHA256
189b53d6c357112d65702aecac8687728c38b02fc317777040759f1a06b97b62

SHA512
652660ffcfb4034555f90c857644e2bb9917c0285f9ca27466d4a1f9cdfd83a28b1cdcf29a76745cdf04bcb988d050c0ff60ca53823d35893852e330bc4c9aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ti451uxT1i\_Files\_Information.txt
Filesize
4KB

MD5
9efa75ec6e8ecfedf770cd86847af356

SHA1
0f6c156b47a474bb7efb2bc3c160fe4b598a1b92

SHA256
564c6c2ae42373ee7e8ee3b3f5e46507ac744fff75e58994bd73db9c04312ddd

SHA512
a432fd14084a0065ca4d26740af91cddf051251dbce1c078efed0e8275d3f2811b4099a1d59fd92e0d1c7a8b5133f2df083d8f702d7bc1a2a7accdc207ae7286

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ti451uxT1i\_Files\_Information.txt
Filesize
4KB

MD5
9cc207230a2984162a83a38ac7d3c074

SHA1
0b0ccb927d53999e7db58b44166c0e31239d3ec4

SHA256
73402c4ca802d69b40ae4a32ec336564d2f91a21779780d0db55907166f86f39

SHA512
02bcaa2bc967af9a7f7f93c0fff949a0508340d453d07a18e248e0d2e4a80fd934429f533e2f6e39a41c999c4ff034ff10afe3d9cd35ce8e940dcf105f37e828

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ti451uxT1i\_Files\_Screen_Desktop.jpeg
Filesize
45KB

MD5
d983f345e0441bd85cc8ffbe17c97ddd

SHA1
3f1c341e87f827c90ef9a84c36aa3f3af93b8fb3

SHA256
5ffb292ab81d76bcd412455fe6ebc781456ac1dcf0503df916a4113605db0eed

SHA512
7d290656f70321ce785b64c0d7292859faf5ce7604c4c7322e56761a1c0132b93eaa94adc261994fc3cb78cb6ad16c92a2bacaf93bec8e57af6c7198ee0f60bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ti451uxT1i\files_\system_info.txt
Filesize
1KB

MD5
7a3c62da1bd536f3800f8999ea0e9d36

SHA1
cf4a774a2c032b3047b68b29ed981854e00b1003

SHA256
15d0d55bdb0b577e4864c977468a6fc3caa7d53c00157bcecc8522481e96d533

SHA512
5b30058a13c07ad0111b5227befa57767486e103bb73950ed8bf5f53981cf48f15d83360488dbff6b1a8b3999c29eabaffa3c6fa1de94705eb40b300488fc78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ti451uxT1i\files_\system_info.txt
Filesize
1KB

MD5
09372e10982caeb2cce11eeb9d7650ce

SHA1
0132f094d1653ef6ce666b650e863fafaad50e99

SHA256
aa6f2a33407ac5ff1e066c0254a422c471a177092a30be69fccabaccc7c936c3

SHA512
7caf53deca8f53024c9175badaeffb2dd9946b38f78f8dae9edf86a429503644f7149079b167f2c4cebcdd261a4c81e998c72e5b3c16dca953bbdf176dd33928

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ti451uxT1i\files_\system_info.txt
Filesize
2KB

MD5
05207f0ec02f1ce45843f9cdd89d224d

SHA1
17570b88b690e896029c9c2e1b204641a63f63ee

SHA256
f8a3219b28551f89e0183053118caa7618f15851472f3e929c4c0346072e8a52

SHA512
0564dabed38a155857e699a2dbb3ae13b6f0be3ab8d7added0c716031ad662e561a6670755028eb307972f4e90e47ad125e2116c21c79d3c54a8d9b69ea9ee2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ti451uxT1i\files_\system_info.txt
Filesize
7KB

MD5
23864f86d42d6e9a549e70c0167aae36

SHA1
329288aaec34dd17b47762dcc30817717a42c502

SHA256
c228d21418d71ea3317ab737de14131dafa52b3b14a71d456d94a17cd36dd4dd

SHA512
c9e25f05e8b9aed1e016f2529f3922d4caaa423491583735dc0d54bf895d0019211a3f2f456a097d6fc3619083ea70675d49002cfc2f56e2eb92abe13a5b1085

Download Submit
memory/2736-22-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2736-29-0x0000000004000000-0x00000000040A3000-memory.dmp

Filesize
652KB

Download
memory/2736-28-0x0000000004000000-0x00000000040A3000-memory.dmp

Filesize
652KB

Download
memory/2736-27-0x0000000004000000-0x00000000040A3000-memory.dmp

Filesize
652KB

Download
memory/2736-26-0x0000000004000000-0x00000000040A3000-memory.dmp

Filesize
652KB

Download
memory/2736-25-0x0000000004000000-0x00000000040A3000-memory.dmp

Filesize
652KB

Download
memory/2736-24-0x0000000004000000-0x00000000040A3000-memory.dmp

Filesize
652KB

Download
memory/2736-23-0x0000000004000000-0x00000000040A3000-memory.dmp

Filesize
652KB

Download
memory/2736-236-0x0000000004000000-0x00000000040A3000-memory.dmp

Filesize
652KB

Download