cryptbot

Sharing

Copy URL

Twitter E-mail

General

Target

1825c3ea4b59cadb7d59f6ab4dfe9bff_JaffaCakes118
Size

11.2MB
Sample

240505-r17f5sga58
MD5

1825c3ea4b59cadb7d59f6ab4dfe9bff
SHA1

9b11e5637df36df74a99049594c9441f068c0707
SHA256

3a4fdb3a9b8a659cc336159f9473b70d747c22a357920e8052b9621f2a789310
SHA512

bbd1fda0f3e73284a7a11dfa8c44c512a1588cc20f88a67ab403bb608321840855d30752a053b29e40b4c86828b63e6d0370eb7cfcf7858ad88a2133efcf2f48
SSDEEP

196608:ATSHflKvlz/1tcko57P7sbsdN91DT7p9kGRFLHeKCaYzYSb2DfanVpfR79fLgH88:ATGflK9z17sEqrfdTFLHJYzofMpnTgHH

Score

10^/10

Malware Config

Targets

- Target
  
  1825c3ea4b59cadb7d59f6ab4dfe9bff_JaffaCakes118
- Size
  
  11.2MB
- MD5
  
  1825c3ea4b59cadb7d59f6ab4dfe9bff
- SHA1
  
  9b11e5637df36df74a99049594c9441f068c0707
- SHA256
  
  3a4fdb3a9b8a659cc336159f9473b70d747c22a357920e8052b9621f2a789310
- SHA512
  
  bbd1fda0f3e73284a7a11dfa8c44c512a1588cc20f88a67ab403bb608321840855d30752a053b29e40b4c86828b63e6d0370eb7cfcf7858ad88a2133efcf2f48
- SSDEEP
  
  196608:ATSHflKvlz/1tcko57P7sbsdN91DT7p9kGRFLHeKCaYzYSb2DfanVpfR79fLgH88:ATGflK9z17sEqrfdTFLHJYzofMpnTgHH
Score

10^/10

cryptbot discovery evasion spyware stealer
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  bf712f32249029466fa86756f5546950
- SHA1
  
  75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
- SHA256
  
  7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
- SHA512
  
  13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
- SSDEEP
  
  192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/UAC.dll
- Size
  
  14KB
- MD5
  
  adb29e6b186daa765dc750128649b63d
- SHA1
  
  160cbdc4cb0ac2c142d361df138c537aa7e708c9
- SHA256
  
  2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
- SHA512
  
  b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
- SSDEEP
  
  192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/UserInfo.dll
- Size
  
  4KB
- MD5
  
  c7ce0e47c83525983fd2c4c9566b4aad
- SHA1
  
  38b7ad7bb32ffae35540fce373b8a671878dc54e
- SHA256
  
  6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
- SHA512
  
  ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e
Score

3^/10
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  4ccc4a742d4423f2f0ed744fd9c81f63
- SHA1
  
  704f00a1acc327fd879cf75fc90d0b8f927c36bc
- SHA256
  
  416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
- SHA512
  
  790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb
- SSDEEP
  
  192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi
Score

3^/10
behavioral10 behavioral9
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  132e6153717a7f9710dcea4536f364cd
- SHA1
  
  e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
- SHA256
  
  d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
- SHA512
  
  9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1
- SSDEEP
  
  96:M/SspqrIYxLPEQhThvov3TE4/2Sa5P9QFFYzOx4uF3sbSEI5LP39sQvM:M/QUG7lhvov36S5FcUjliSEI5LuQ
Score

3^/10
behavioral11 behavioral12
- Target
  
  InterVpn/bin/InterVpn/3.exe
- Size
  
  2.2MB
- MD5
  
  310c47fc2621fba27cf40e8e36cbc309
- SHA1
  
  7803e69c337dd95ff2a9deac481900bee145be2f
- SHA256
  
  4b59beaf177c98e55c7d9823db670ff8cde45e8953cfc5147a96fdf09de15ace
- SHA512
  
  6a655bef5aad9bc86aee5b9a31c62a83d8d8fe7fe4d874bbc28e61c6c89255dd343cf6470c3e3545ed8b236d200937a47eabfe7cb3505842f3cce3fe2289b198
- SSDEEP
  
  49152:1MtCvUb973JNAL7ebYlEyOxvsvZbyTvuB77kYlPz:1O73JeL7e/avZbGs7777
Score

9^/10

discovery evasion spyware stealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13 behavioral14
- Target
  
  InterVpn/bin/InterVpn/intervpn.exe
- Size
  
  2.1MB
- MD5
  
  2d382e4cb15523b31681fdc833532ede
- SHA1
  
  3a4a56e0133b858afbb05e2496d1b19c6729b8c4
- SHA256
  
  bbeb9eb45e5dfef3ae4eb42e009e1e420d01f5ecad3a715ecac4f357ef41df22
- SHA512
  
  3232521e26b8bf95db219655848ba0798180b057736f4660072c863c5f478b87e47a36c6dd13c90c48c38ee6cf7c7992d8e3244647c46f3dd42ca01baafa243a
- SSDEEP
  
  49152:N0e95YoXj5B8yVM/JAiJYa/ZEIkz7h6h3hgmbyv:Nj5YMjzVsWaCIE7khfu
Score

9^/10

evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral15 behavioral16
- Target
  
  InterVpn/bin/InterVpn/qwesy.vbs
- Size
  
  126B
- MD5
  
  fdbd7d32368ea4853f5405f41b581c95
- SHA1
  
  8fde7d4aaa07860bc42f477b75e4065839dfe8cb
- SHA256
  
  0993886554b84d9c1633659e08da86a90a7da266e92aca15d5fa71ed9dd2589a
- SHA512
  
  db760f966ddc1a776efddbca7cdac79137c2afbd71c5263d5cb53e6ee8786969dbb024abfc9a15725fef6b4961710f687dfc4209f0cb1f8c55c9e36ed2aa3ecf
Score

8^/10
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
behavioral17 behavioral18
- Target
  
  InterVpn/bin/InterVpn/vruns.exe
- Size
  
  2.1MB
- MD5
  
  d011b64103258b914404530d269eaf04
- SHA1
  
  45344ab34550a06600940d913dbe669fc520f3ea
- SHA256
  
  0ef43634f9b97b0198757717a0bde79c7f3d3e2234811efef0da13664784f13f
- SHA512
  
  cada28be136d2d8dea87bfa95e7eb1268e73a5d121d97003c9f42003d882b9af38dce0fc73ce71c5709f4fbdfe676c475ca2d6d6aee91abaa4b35b8e284c92e3
- SSDEEP
  
  49152:t4uGtUOSJDg33id1dy4G2vn2cwgG9shhBYFNqc:euGylEid1dpv22ushvE
Score

10^/10

cryptbot discovery evasion spyware stealer
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral19 behavioral20
- Target
  
  InterVpn/bin/liblzo2-2.dll
- Size
  
  170KB
- MD5
  
  748c9e77053d3dec8bf238ae9c56f2ca
- SHA1
  
  eb2d6b4c0188bbf9a587c46e4de30c6e72133153
- SHA256
  
  a14881455c37240928d4ed3d95c44181675f685bc201ea97733dff346c34d97f
- SHA512
  
  31b744a57105d122d2150b5ab793620b73dbc28788be8484fa682e1cf6857f01102034e220b63d5709f6baa44b547df94e2c8aad6b5124b91e105e42d258e40b
- SSDEEP
  
  3072:qFJHDA3pJjFczZLhvZVxxC98SVUrSlUCV7rSJk/LFEc:p3ZIwEc
Score

3^/10
behavioral21 behavioral22
- Target
  
  InterVpn/bin/libpkcs11-helper-1.dll
- Size
  
  109KB
- MD5
  
  63b23a24778f3ef27bd53afa3115f901
- SHA1
  
  49fcb47e8ab2dd180dbb946df580794890f5292b
- SHA256
  
  cc9ec9f9a54706d02f63cc4f46ca567812c1f0669451e94096f5358b00893be6
- SHA512
  
  bd7339e3911ab75ddf805555e0f59e65927f1539a5561b22456e25f3d1868fb42d89cd95eaa96c3335fef7d3ec2a21ff7c53f04961fedc5e374f43f4070df58c
- SSDEEP
  
  3072:iTkZbJ/CqOFvICeSPUbT3Xf0j4smxh9QQU7kVTAHluobjrHEN8gE:PaVVeXT3XfVxh9QQU7kVTAHluobjrHEQ
Score

1^/10
behavioral23 behavioral24
- Target
  
  InterVpn/bin/openssl.exe
- Size
  
  839KB
- MD5
  
  c83c031e79b4610f1ce6810c3af3e749
- SHA1
  
  60d327ae70ca7ddf93a5d14412be3b21493172c2
- SHA256
  
  90d258ea786e831b8089abf0d98c9a756f62d62b87a6b40f7da9c8881ea0b3cd
- SHA512
  
  49d274c5f4ccddda28751a1a6271888c32188a192b9ad9c224832b51af0b474225d75c6ac51e61438b7a9f956b1ba78fef7a5392759a3d38fc4ddd1d7772e464
- SSDEEP
  
  6144:BPkFXcecHYKlRvECAce+kTICfNE8+Gxafe4WvmlN2Zs5FEWBOOL/HADxU2w6trJs:BccgNSoeAA8wsJwkKBKibN
Score

1^/10
behavioral25 behavioral26
- Target
  
  InterVpn/bin/openvpn-gui.exe
- Size
  
  420KB
- MD5
  
  d60536a568fcfdbdf5ffc46c1e22e7fc
- SHA1
  
  7779b4ad53d6f162b11c22cfc0e6788c872a2979
- SHA256
  
  f0a19b073992899ba05b91317aa6522d36344eb0caf5dc09adc11c24e020fb92
- SHA512
  
  dab26e87d66d65e727733e16f3234585f44f8ebbf969c9fd20d4fc55a973820cecfb6218e1b5da98eecdae111473a839cab7b128687808676801bce25558c4c2
- SSDEEP
  
  3072:BM3+qI2lj15GL+RIfOARQw5e4oD6yDpYFG3d0+H2LbYDynkDt2an/8eVvscN2z/5:mhoCb4oKSzK6vyjdNtP
Score

1^/10
behavioral27 behavioral28
- Target
  
  InterVpn/bin/openvpn.exe
- Size
  
  710KB
- MD5
  
  cfd7d6bf137c7f68845fe771927201f0
- SHA1
  
  2bfb07e8d5f39a706cd47ae03deee7d2eb4303a0
- SHA256
  
  11d1d48f0994cde7b3bdd273d9bc35f3d5cac7783f75ef81bdd323fe88746f6e
- SHA512
  
  dfbad890037291a534da7c534b49ec70ecc9a044ee0d8508654696819d88b5b4845b81b2e1aecd5475dc62e0d9a0d1c147524c70940a4e96c4e1530e257758d6
- SSDEEP
  
  12288:Hlf0GQe7i+1XwxoKP36gS4koE+ujDoYIWCufSE3iTJ93krUFUmg8fegt:axtS4ko88CCufSE323krUFBg8fegt
Score

1^/10
behavioral29 behavioral30
- Target
  
  InterVpn/bin/openvpnserv.exe
- Size
  
  31KB
- MD5
  
  ad4eb6a3fb038c2e215bb06262d4009a
- SHA1
  
  9410b1d326a47b166e36d38436ef6fbb6bda572f
- SHA256
  
  778e25079650d094337df094f4c262528c7d983ead52194795b4b033c17686ae
- SHA512
  
  6dc640730a5724de687b805699e51595a1f08b16bc1596564b89cd580deee7478113a4296c3de677f96d4501f4f40a4e36d7d4c1f6993d4dbb7199b0e6edfa14
- SSDEEP
  
  384:jWZZlmdx9bg7uB2iqfs+xCVaqBCikOGeafT3s7fDWuMBDKBrjQF+CvST5tvDGbK0:jWrlmlbx2XOzAlfra8BD43uwDGbKg1v
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Blocklisted process makes network request

Legitimate hosting services abused for malware hosting/C2

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32