cryptbot | 8d321c9812c60b1b23a5103e408031bd856b78cd9c3bca192c7cc8dd8251e9f4

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

2.6MB
MD5

e1188dcf1d263848bbc3a9e0e000fa5d
SHA1

30ec0f03ff134f6835e5a1f9ac50d2f1f203f3b9
SHA256

143baeea153f94dec6b4ae148ce7f7db97b1aa8d034803a945e069143504263e
SHA512

021f52ab015eabe04443efe38d848760d971352a422c93ead6ca15566d377e015ff16decd45c62047eeaf76a13959956127d4763b59190d777e8d6249f3b6adf
SSDEEP

49152:cvm6WWeedeXKl+GlMfZDebimoMpgeAwXYjb/D652jYdJT0:4mVWVfl+GqZDBmoDU9bT

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 15 IoCs

Processes:

resource	yara_rule
behavioral14/memory/32-218-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-221-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-222-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-225-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-228-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-232-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-234-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-237-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-241-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-244-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-249-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-252-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-255-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-258-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot
behavioral14/memory/32-260-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp	family_cryptbot

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1.exe

pid process

32 1.exe
32 1.exe

pid	process
32	1.exe
32	1.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:32

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xxSpeOCjcYz7\JpQb01aExLxqc.zip
Filesize
42KB

MD5
417f7f38d70d71292ff34daa32e9f32d

SHA1
0de186a2e9b1307a3798e551960a19f7d3c95ff7

SHA256
7851a29bffbd21198995915a0052cb8d8d5dc1af6c7b25999a8e9721b7391625

SHA512
789027b760f71fe1a9ff5b9600f90a2a616d8e7933aebf3059fbaa7748f040695792dcf86182f1b62ca3d484977e42828b79d718a56985bab3c958cd9e1958fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxSpeOCjcYz7\WNQEG2of.zip
Filesize
42KB

MD5
78946cda6f709a1a4eb331084702e2b1

SHA1
c436eb8258893fbc9676f4f544227ada6bc40bbf

SHA256
48dbefdc49ca0e971290f6595f30b450037f4bc6e27caabd9b0acfb23a04bbaa

SHA512
50423412cc65b56a1229b11a8705e53d92e31b1ea6216e60df37003027acc6801fd3779ddace374790101b23ca290f32992e33f1d7b95c53b77edf04bc8f15ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxSpeOCjcYz7\_Files\_Information.txt
Filesize
5KB

MD5
dc3b3e3758d95c21d7f83bdb964d5113

SHA1
f05d77d33095b90ecf7bb97aa6b867cb82a5e806

SHA256
8f7c2d47d7ea0764478adf59be3524237e27801f7d0725bacfa307e762c95556

SHA512
ba3e03f5ef2491172badf92ce7f5d9d8914fa8a01905124984b4dbafb1b5695ea6e657aed523f6af8c2ff80792a8ca3aef248fbe7bdecc03cbe659ff01aca704

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxSpeOCjcYz7\_Files\_Screen_Desktop.jpeg
Filesize
48KB

MD5
50ad18f06efffa2b608a0ec5fbb0ffa2

SHA1
752fe10231b6b7d1a2476344ffc518253e1efd0b

SHA256
d01620015830ff2bdc8cc23fa23e6f01df7e1b183302b15e9a56860d94eb73b0

SHA512
18c1b99b70864e26199026b4fab3c00076e604c70806980c1eb007bfb8d7cc5ae7ec8c1fc272b912278ca4ff7a35830a4ad188472c3c1de665cc0580de4ee9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxSpeOCjcYz7\files_\system_info.txt
Filesize
656B

MD5
5e7367b0af3830e3b2c5abe10d3bf564

SHA1
3f88ff04bbfeea0f50f6457a7752df264afb138a

SHA256
9b0513665c40ab5333246788fed653897f4b3b02b0d31246352d87287e38c739

SHA512
8d85134090bb9e671cf1876768b3ef0c49bc9cf757e0b778e26bd366cbd2544685d43500e1186aeaa2f94b70d4b90a914e604389a35eb6b4a3cb0478bdd5dd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxSpeOCjcYz7\files_\system_info.txt
Filesize
7KB

MD5
0610369cf1df3973875d1a12080ad806

SHA1
5c29c8e87190cb9e8534bdcb6d4052ca4e79b5fe

SHA256
2af83513ccd5cad518a78ea6b42aedb16479ffdfe97437c508f5748d79c0f535

SHA512
215b88f4bb084de1865bb0c111fe5d2ddfcf93ac208989e2606c056f7e4791228ac1846d8e1e6317421f7306349eebedfc4454b949041b7b4ebe308cc8e6806b

Download Submit
memory/32-225-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-241-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-221-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-222-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-0-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-228-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-232-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-234-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-237-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-218-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-244-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-249-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-252-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-1-0x00007FFE55970000-0x00007FFE55972000-memory.dmp

Filesize
8KB

Download
memory/32-255-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-258-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download
memory/32-260-0x00007FF6E0E30000-0x00007FF6E14DB000-memory.dmp

Filesize
6.7MB

Download