cryptbot | 3d0c53b85d752355b9185c5d43a96dc028f2a56e73fb3358dc6a7f0882329e4e

Analysis

max time kernel
158s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

2.2MB
MD5

4ae318b79250c2969d663dee668f3a27
SHA1

57e5cd1eef257683efc4f82c369739621d8299ce
SHA256

753af3a9e8f98e03f71c700d6913933962a3510ffefb97cd57ccbc20991a98a4
SHA512

a925d50a05e423533a0aec8f552af0e6f55dd3c116bfbbd6ac49ae6c3dd6acd0641ca3dca70499f22a54860c2374f26c2a807f380475290220f74e53c9bf8aab
SSDEEP

49152:JgEDGPCdUgDPLBOLkqZKqwC7s4FHPIr7DhJDwKQLb:DDcC7PLBpEKqV7HdyrDef

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

tuytee16.top

moriiikk08.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 22 IoCs

Processes:

resource	yara_rule
behavioral14/memory/4064-6-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-7-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-8-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-9-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-10-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-13-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-14-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-119-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-223-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-225-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-226-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-228-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-230-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-233-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-237-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-240-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-243-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-246-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-249-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-252-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-255-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot
behavioral14/memory/4064-262-0x00000000006F0000-0x0000000000C20000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

1.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

1.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine 1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

1.exe

pid process

4064 1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	1.exe

pid	process
4064	1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1.exe

pid process

4064 1.exe
4064 1.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1.exe

pid process

4064 1.exe
4064 1.exe

pid	process
4064	1.exe
4064	1.exe

pid	process
4064	1.exe
4064	1.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:4768

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qJONW44y\A8Kod05EyX8r.zip
Filesize
252KB

MD5
2de7e110ac3ead83e8a82b0f70190853

SHA1
50f65acf319e8c2525cb8d8585b65c70bb03839f

SHA256
16ab2d4965d84cece967d105e6b014b2c6df47de80424bc87c09df27db163541

SHA512
c4b96d428bbf448e58d2bead0e229a722ff51cb67b0144777d609ad45782b3428b026b6330e5a33e778010430cd128fab33ed953c8775b7687c03c20621942d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qJONW44y\_Files\_Files\OutRestore.txt
Filesize
208KB

MD5
5122aaf43b327229ebb3082972f1b5ca

SHA1
da82ab8ea98a673d7417885b6577a46402fabacf

SHA256
bf53a60320b7a7c19019013ad73084023d47ddd95cd507295a3e0e0d4a5b564a

SHA512
f9b6ea25da1e344609e432ed73263ad63fe37b1716d6f20b3bf56c94349b6338557e7974bc0af9b4618ef6b316b3236773eb4b824e52206030528beaba57d247

Download Submit
C:\Users\Admin\AppData\Local\Temp\qJONW44y\_Files\_Information.txt
Filesize
7KB

MD5
0a3769750981d1148b82367aa77012bd

SHA1
aedb60ee3ccd372d145557798766a3bdd47ae2d2

SHA256
be34c0776c4a9cb77e9e9dcc11b12de9544b4ce72e33cc5ea60bf0fed51dffd6

SHA512
dfe8860a5b62964c2b4b8981a8bf13ef360def4968c3757b0f2b4c03b30fdafeb929066d372538a94cb27de6b9340bbee7dc0d238f02041c9aaf9f9205ca4349

Download Submit
C:\Users\Admin\AppData\Local\Temp\qJONW44y\_Files\_Screen_Desktop.jpeg
Filesize
49KB

MD5
d51ff326154a2cb28d8dcbe3a184df7d

SHA1
9e34f0ebaa7c3c9ec47d4651eee4686bea8b85e6

SHA256
7269a546bdeda75d475355f2852953cd215d305e21c8e16554df00965c0945d4

SHA512
87834559b14b383a7acfe8b746f717f19c9808ad0bafb556d15ebd6b599614b1ad8682f8a41f4256dcd7bb613ecd5605bb6e40dbedf36bd4aa2c99829df5246b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qJONW44y\files_\system_info.txt
Filesize
1KB

MD5
4eb55b9eac5a4f4b7a370834118b14df

SHA1
2bc5eb3931e27fc3057b76820be0f5a44335dc22

SHA256
fd18ea568160e6a96d343f1a1ef9ae3453451fc5ac07c0404ab9d12c497d7e8e

SHA512
144aaeb482fcbcf87f1af3c1b7fb3f9b4d9927d1e00af35187a858e8647aaef162d98e59fb32524ed2bf43540e377b891b80f49876aa696ed581f7156c3cd405

Download Submit
C:\Users\Admin\AppData\Local\Temp\qJONW44y\files_\system_info.txt
Filesize
4KB

MD5
2002032fa274a4b78a8fa4f635ff452d

SHA1
7ec50a7534e6613f40141f7c43af4a2fbe2f7e46

SHA256
3a9b55e90db984d37772494bd8b49980ea468e8cfe1721b2644a85580c4a86b1

SHA512
c10b98ffdd555f1f3c22521a4d7572b62300b61c794af6c7deb6e95cb5d670e102bd3c3b526b88b53a2e543d5c70adf6cbecda6dabd1836fb81c2785e7b7fb08

Download Submit
memory/4064-225-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-252-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-8-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-9-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-10-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-13-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-14-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-5-0x00000000006F1000-0x000000000074C000-memory.dmp

Filesize
364KB

Download
memory/4064-119-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-2-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/4064-0-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-3-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/4064-262-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-7-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-1-0x0000000077DA4000-0x0000000077DA6000-memory.dmp

Filesize
8KB

Download
memory/4064-226-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-228-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-230-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-6-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-233-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-237-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-240-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-243-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-246-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-249-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-223-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-255-0x00000000006F0000-0x0000000000C20000-memory.dmp

Filesize
5.2MB

Download
memory/4064-4-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download