cryptbot

General

Target

00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc
Size

3.8MB
Sample

240615-wqxamstdnq
MD5

4ecd0ac0f9b8d6115f76077b6838340c
SHA1

bb108e7eff22db0dc2010e70718cbaf034d076e5
SHA256

00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc
SHA512

fd0251043ede3bc9f25eec724992362dd55efe6be00520c4baa330409e666bb104047556461ce5258a9d8a7e6fb79c70555f8e429741334c5146a7b446cf7009
SSDEEP

98304:k+mwYjViFrjl6wcODej0cNMynr+HKXMZeNLC8:2w2wlj20cN3rwKwk

Score

10^/10

Malware Config

Extracted

Family

cryptbot

C2

vetiir14.top

moriiikk04.top

Targets

- Target
  
  00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc
- Size
  
  3.8MB
- MD5
  
  4ecd0ac0f9b8d6115f76077b6838340c
- SHA1
  
  bb108e7eff22db0dc2010e70718cbaf034d076e5
- SHA256
  
  00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc
- SHA512
  
  fd0251043ede3bc9f25eec724992362dd55efe6be00520c4baa330409e666bb104047556461ce5258a9d8a7e6fb79c70555f8e429741334c5146a7b446cf7009
- SSDEEP
  
  98304:k+mwYjViFrjl6wcODej0cNMynr+HKXMZeNLC8:2w2wlj20cN3rwKwk
Score

10^/10

cryptbot discovery evasion spyware stealer
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- CryptBot payload
- Detects executables containing SQL queries to confidential data stores. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Targets

CryptBot payload

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Drops startup file

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2