cryptbot

Sharing

Copy URL

Twitter E-mail

General

Target

79d775433be505a57ae175f5e6f427af_JaffaCakes118
Size

4.5MB
Sample

240527-vky2lsba31
MD5

79d775433be505a57ae175f5e6f427af
SHA1

32b9ac8255c3076841e658eabe581586ecdd8c8b
SHA256

b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91
SHA512

2c74529531c163ba9f768bf9aae97464aa5ddf2935c4085eb80d372a4e15d853bdfa46fc616b7b9b2e30730f4a484dfe3ba8b64188a3921faca589ffd379e7f7
SSDEEP

98304:GAUlwbKKobLmzt3iOah1NBR595arTOLQZsxpzYazTd9e:GjCzViOSNL590r6Lys/zYuO

Score

10^/10

Malware Config

Extracted

Family

cryptbot

biss01.info

Targets

- Target
  
  79d775433be505a57ae175f5e6f427af_JaffaCakes118
- Size
  
  4.5MB
- MD5
  
  79d775433be505a57ae175f5e6f427af
- SHA1
  
  32b9ac8255c3076841e658eabe581586ecdd8c8b
- SHA256
  
  b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91
- SHA512
  
  2c74529531c163ba9f768bf9aae97464aa5ddf2935c4085eb80d372a4e15d853bdfa46fc616b7b9b2e30730f4a484dfe3ba8b64188a3921faca589ffd379e7f7
- SSDEEP
  
  98304:GAUlwbKKobLmzt3iOah1NBR595arTOLQZsxpzYazTd9e:GjCzViOSNL590r6Lys/zYuO
Score

10^/10

cryptbot discovery evasion spyware stealer
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  bf712f32249029466fa86756f5546950
- SHA1
  
  75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
- SHA256
  
  7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
- SHA512
  
  13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
- SSDEEP
  
  192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/UAC.dll
- Size
  
  14KB
- MD5
  
  adb29e6b186daa765dc750128649b63d
- SHA1
  
  160cbdc4cb0ac2c142d361df138c537aa7e708c9
- SHA256
  
  2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
- SHA512
  
  b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
- SSDEEP
  
  192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/UserInfo.dll
- Size
  
  4KB
- MD5
  
  c7ce0e47c83525983fd2c4c9566b4aad
- SHA1
  
  38b7ad7bb32ffae35540fce373b8a671878dc54e
- SHA256
  
  6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
- SHA512
  
  ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e
Score

3^/10
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  4ccc4a742d4423f2f0ed744fd9c81f63
- SHA1
  
  704f00a1acc327fd879cf75fc90d0b8f927c36bc
- SHA256
  
  416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
- SHA512
  
  790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb
- SSDEEP
  
  192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi
Score

3^/10
behavioral10 behavioral9
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  132e6153717a7f9710dcea4536f364cd
- SHA1
  
  e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
- SHA256
  
  d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
- SHA512
  
  9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1
- SSDEEP
  
  96:M/SspqrIYxLPEQhThvov3TE4/2Sa5P9QFFYzOx4uF3sbSEI5LP39sQvM:M/QUG7lhvov36S5FcUjliSEI5LuQ
Score

3^/10
behavioral11 behavioral12
- Target
  
  $PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/addtap.bat
- Size
  
  114B
- MD5
  
  ebb2c28da7de8436995509782ac63c4c
- SHA1
  
  7d693538baa80ce6938f0400bdc16f9b035baee9
- SHA256
  
  effe5c5c2cf6547a54f987fef6f052a234770b4fcfae277cf6089daa896bcd5f
- SHA512
  
  021098b1d9f4b987b85be073bc1a6a7ee3336c88d54770d64fc77b74ca74ec459f89fbd65a6fba3efa4f6da7cc852784e9ea391189831f565d64e65a437fc7f5
Score

1^/10
behavioral13 behavioral14
- Target
  
  $PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/deltapall.bat
- Size
  
  177B
- MD5
  
  70850be8dc81d8f8c36da0e754df0a46
- SHA1
  
  fe7766e67239e26f6cee866cb9a93341e33f0e4d
- SHA256
  
  1be66390df9e302b38553432731a244e65f745d31e6424c88091326fb3ea92d7
- SHA512
  
  f15a3ce91ceb663a0369054e06647471591ba54ed40e0f6dd549069a0c4e30aefd590c9a18a90d80d35af4fcd45e49d89a259606cf7ee23fa976c61f88a0066b
Score

1^/10
behavioral15 behavioral16
- Target
  
  $PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/devcon.exe
- Size
  
  80KB
- MD5
  
  3904d0698962e09da946046020cbcb17
- SHA1
  
  edae098e7e8452ca6c125cf6362dda3f4d78f0ae
- SHA256
  
  a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
- SHA512
  
  c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
- SSDEEP
  
  1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
Score

1^/10
behavioral17 behavioral18
- Target
  
  $PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/tapinstall.exe
- Size
  
  85KB
- MD5
  
  bc2eb9be84d65e600bb4baebfc0d6c74
- SHA1
  
  dffa04b9399b8742e1536c5942b43df58a42980a
- SHA256
  
  5c6aae8c345e5eda7185cabafcf9270ef3d73f198290842654d8916f8321b150
- SHA512
  
  ae382b3aac40e17f5daa4d952d85656d29791f857a97de91197c85049e31cef924723875c6616f598696445bea967788c89cfdb7cd35ed772bce3d6a1fd71e7b
- SSDEEP
  
  768:AeFpBuMKzLkfKI4hHZv4zS5bhkt4JlX82BSOe9oKSJ2SLD0BEZWk3zoMrrKgp:TBuMN4VFESvkt4nXF4O7WcBvT
Score

1^/10
behavioral19 behavioral20
- Target
  
  $PROGRAMFILES/Ferr/SEDA/TAP-Windows/driver/tap0901.sys
- Size
  
  22KB
- MD5
  
  f49967c396969b71c3a72537db03a68b
- SHA1
  
  f59d3a5d2afd85fbb9fb36f1411c767be2bf96cf
- SHA256
  
  3b1ff5252012d6e8a7dd6e4621ec43812510dca1a25a9a2e07288800f445dd41
- SHA512
  
  cda4269b5a13e573469b3e3a75432117079c65279e06322519af704a80862e43bceb4cc9d6352dd19db00bb10d10f64b02eee6c5dc29f56fa5f99c89823a62e3
- SSDEEP
  
  384:NumNz7O8/AvUAvm/wMWJ4pdsfH1aJhjJvjiissrisprwEYBu:QmNxAYB9zKal75pwZBu
Score

1^/10
behavioral21 behavioral22
- Target
  
  Setup.exe
- Size
  
  2.2MB
- MD5
  
  b5861c96767caed4fce1473ac338d1bf
- SHA1
  
  c9575e657706a01a28aa63943f39018377a5dfe1
- SHA256
  
  883ecab1d18c6e8153b56541df2df4980a27f5faa93ba2b42ff1dd14a8f4c161
- SHA512
  
  388bb192a27442c80f0ece67ef5e43ec6e148e24aa4634a524d3e7ec3cbd78b11bd4a200d76610168efd52711af8e3d6b2773088f09630843d9cfd6a02ab2240
- SSDEEP
  
  49152:IYgNe1kDmRGkWDDWaBZmnr+KHhhg9EKDYhKk:IHahRGh7ZmxHhNKDYhKk
Score

10^/10

cryptbot discovery evasion spyware stealer
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral23 behavioral24
- Target
  
  Setupres.exe
- Size
  
  2.1MB
- MD5
  
  c9638374b6732d9756d9a6ae50061747
- SHA1
  
  7952f8225a6cf692ce226bfaf8112260e4ac2b71
- SHA256
  
  34d2e90229c1c3c41b931bb65ea015f023744543d915dcfeffe2328e32c27e8e
- SHA512
  
  428d4977300ba3f95905f655a93aaad89145e8c09a96491ad8142be18a6802294e735f9b3fe04845c5c80a3997275203d3a5861fc7e4cc185fb8eae19b2a0ffa
- SSDEEP
  
  49152:aVoRLzxlaVuzaroTCjia+Hii9UNbqL2JTVWAcuoli:aWR/aczaroeE9785WZzg
Score

9^/10

evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral25 behavioral26
- Target
  
  ipras.vbs
- Size
  
  126B
- MD5
  
  b802ff9244875f69db2fae0f78e92b10
- SHA1
  
  49385a89cd575894a29fbda969b99cc1f5cf8076
- SHA256
  
  a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
- SHA512
  
  609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e
Score

8^/10
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
behavioral27 behavioral28
- Target
  
  ssleay32.dll
- Size
  
  370KB
- MD5
  
  50a26f0247c1321fd19c0981337fbde8
- SHA1
  
  9cdd51843bd7694da571e0a6cd7350aa494f9ac3
- SHA256
  
  24235653e41540567bca708e0d5ef02034f88940eeedcd480167a00dd1250656
- SHA512
  
  440cf92524e21e9dc1d92f45a8fbd566f0eeec597e0f52a235847879bdd4806ac219b592aaec9976620082b2d8d5690d432e1a45b0df035b18404453530855d9
- SSDEEP
  
  6144:AlvshwnbLc7xRpLIOmvsD4gZAEMM06I5sF51L103WiV8JV+OPG/JVNr5qNRyZtrA:Al0LuEMM06IGF5UmiqJpPOp/cVmXEfcc
Score

1^/10
behavioral29 behavioral30

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Blocklisted process makes network request

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30