cryptbot | b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

2.2MB
MD5

b5861c96767caed4fce1473ac338d1bf
SHA1

c9575e657706a01a28aa63943f39018377a5dfe1
SHA256

883ecab1d18c6e8153b56541df2df4980a27f5faa93ba2b42ff1dd14a8f4c161
SHA512

388bb192a27442c80f0ece67ef5e43ec6e148e24aa4634a524d3e7ec3cbd78b11bd4a200d76610168efd52711af8e3d6b2773088f09630843d9cfd6a02ab2240
SSDEEP

49152:IYgNe1kDmRGkWDDWaBZmnr+KHhhg9EKDYhKk:IHahRGh7ZmxHhNKDYhKk

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

biss01.info

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Setup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Setup.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Setup.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation Setup.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Setup.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine Setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setup.exe

pid process

1416 Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Setup.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine	Setup.exe

flow	ioc
7	ip-api.com

pid	process
1416	Setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3228 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Setup.exe

pid process

1416 Setup.exe
1416 Setup.exe
Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Setup.exe

pid process

1416 Setup.exe
1416 Setup.exe
1416 Setup.exe
1416 Setup.exe
1416 Setup.exe
1416 Setup.exe
1416 Setup.exe
1416 Setup.exe
1416 Setup.exe
1416 Setup.exe
1416 Setup.exe
1416 Setup.exe

pid	process
3228	timeout.exe

pid	process
1416	Setup.exe
1416	Setup.exe

pid	process
1416	Setup.exe
1416	Setup.exe
1416	Setup.exe
1416	Setup.exe
1416	Setup.exe
1416	Setup.exe
1416	Setup.exe
1416	Setup.exe
1416	Setup.exe
1416	Setup.exe
1416	Setup.exe
1416	Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Setup.execmd.exe

description	pid	process	target process
PID 1416 wrote to memory of 388	1416	Setup.exe	cmd.exe
PID 1416 wrote to memory of 388	1416	Setup.exe	cmd.exe
PID 1416 wrote to memory of 388	1416	Setup.exe	cmd.exe
PID 388 wrote to memory of 3228	388	cmd.exe	timeout.exe
PID 388 wrote to memory of 3228	388	cmd.exe	timeout.exe
PID 388 wrote to memory of 3228	388	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\EaFfiqGwK & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:3228

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EaFfiqGwK\47283761.txt
Filesize
156B

MD5
b5089e0c5a3d5377e9bd19c0557ef04e

SHA1
9402e326be3d240e234c06892b15c24e93c93eb8

SHA256
d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

SHA512
942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

Download Submit
C:\ProgramData\EaFfiqGwK\8cnU6PmRQciCR3q.zip
Filesize
46KB

MD5
0b796519409b73b6bdd1cb421acde0a6

SHA1
af8943e5a87e369fb079dd1917cb3aa6962cb333

SHA256
9bbd45740464c5b86dd27e5c5cfcb5725f4c3a07212941757d37500900cd9003

SHA512
25a5de1aa3e01fa9499ffc4c917cf8104b7e57231675df234512ec37ac0aa6b47dcfe4467b0c8d64c4d99a848064b87801cff6c1e337ad4ac6550b038770a572

Download Submit
C:\ProgramData\EaFfiqGwK\Files\_Info.txt
Filesize
1KB

MD5
57067224c52e8b02994cf327b5b60921

SHA1
97f47dd9d705720f54341089927dc0d8aadc5943

SHA256
b8afc4aada19456afa50810beee9dcda8a2991ec5e4e4bd27ad3e057e9965445

SHA512
7e597152b7d216b2c9014631768a872404468b82198167ad9c11cc11652ad1799c37619269a8fc63f95b029208ec169f3555a6555881128b7037da644f8dfe81

Download Submit
C:\ProgramData\EaFfiqGwK\Files\_Info.txt
Filesize
8KB

MD5
e636ce22853661b180676b3f8a97874b

SHA1
8cb420f15cd579eca5f1ffe3e7644623fa558e38

SHA256
a92983d09cc760431071482352bf54fdf1ce42a36a34d51a2ec8a1536c994c87

SHA512
5cdbfb1a174320033644e77b14af039e872e1d1c7a9fd97bfbd542811922317bea203edad7041d121ff18f04584f86f2cf4d7b39887717305c44fdb5d601d7a6

Download Submit
C:\ProgramData\EaFfiqGwK\Files\_Screen.jpg
Filesize
51KB

MD5
25cc179e0d45d9ee0de392655451d24a

SHA1
1a644bccbb1ab5313468815b902cca921b32a73a

SHA256
045890f8f864d7ea2b2a1509959676af7c10e5ad39b7195b5e27a86f5676d907

SHA512
df1d27141956296698a7445552db9fc1c6de8081db0cb55b74f1c0d71cd3b16d684aec0030693b002e44178bf8f0a50a1c827ef92b250a2cecbe4fb455b90b2d

Download Submit
C:\ProgramData\EaFfiqGwK\MOZ_CO~1.DB
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/1416-157-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-162-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-17-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-20-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-13-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-4-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/1416-7-0x0000000001001000-0x0000000001060000-memory.dmp

Filesize
380KB

Download
memory/1416-145-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-152-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-153-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-155-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-5-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/1416-0-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-158-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-160-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-16-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-164-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-167-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-170-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-173-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-176-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-179-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-182-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-185-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-188-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-190-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-193-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-195-0x0000000001000000-0x000000000154F000-memory.dmp

Filesize
5.3MB

Download
memory/1416-3-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/1416-1-0x0000000076F94000-0x0000000076F96000-memory.dmp

Filesize
8KB

Download