cryptbot

Sharing

Copy URL

Twitter E-mail

General

Target

74723b8f53fca55f5e0b5755465a69d78960131ec9dd49445b8bde4354d0c94d
Size

4.5MB
Sample

240624-k4msksvclh
MD5

17caf50a89e0ca1e1e3e85cf7b14c509
SHA1

b4703fe095593e0978964c64db00cc142a0c672b
SHA256

74723b8f53fca55f5e0b5755465a69d78960131ec9dd49445b8bde4354d0c94d
SHA512

6acc0627291e232e89e5f2b8db73550e134d8cf7c217c4ab55fee1293f9c01537f9d8e13b05c0fa6e6e4143e7de35bdda754b6706ee6cf0be655be9392bd119e
SSDEEP

98304:z27lsFWcG7V95lWEw58NQM8mxozibMW+kt1bPaf1FA1kOf2fBPxO41EEqCI4:zSjvV95oEGoQM8mezibMmdatTO61EEqC

Score

10^/10

Malware Config

Extracted

Family

cryptbot

verf04.info

Targets

- Target
  
  74723b8f53fca55f5e0b5755465a69d78960131ec9dd49445b8bde4354d0c94d
- Size
  
  4.5MB
- MD5
  
  17caf50a89e0ca1e1e3e85cf7b14c509
- SHA1
  
  b4703fe095593e0978964c64db00cc142a0c672b
- SHA256
  
  74723b8f53fca55f5e0b5755465a69d78960131ec9dd49445b8bde4354d0c94d
- SHA512
  
  6acc0627291e232e89e5f2b8db73550e134d8cf7c217c4ab55fee1293f9c01537f9d8e13b05c0fa6e6e4143e7de35bdda754b6706ee6cf0be655be9392bd119e
- SSDEEP
  
  98304:z27lsFWcG7V95lWEw58NQM8mxozibMW+kt1bPaf1FA1kOf2fBPxO41EEqCI4:zSjvV95oEGoQM8mezibMmdatTO61EEqC
Score

10^/10

cryptbot discovery evasion spyware stealer
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  bf712f32249029466fa86756f5546950
- SHA1
  
  75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
- SHA256
  
  7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
- SHA512
  
  13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
- SSDEEP
  
  192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/UAC.dll
- Size
  
  14KB
- MD5
  
  adb29e6b186daa765dc750128649b63d
- SHA1
  
  160cbdc4cb0ac2c142d361df138c537aa7e708c9
- SHA256
  
  2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
- SHA512
  
  b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
- SSDEEP
  
  192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/UserInfo.dll
- Size
  
  4KB
- MD5
  
  c7ce0e47c83525983fd2c4c9566b4aad
- SHA1
  
  38b7ad7bb32ffae35540fce373b8a671878dc54e
- SHA256
  
  6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
- SHA512
  
  ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e
Score

3^/10
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  4ccc4a742d4423f2f0ed744fd9c81f63
- SHA1
  
  704f00a1acc327fd879cf75fc90d0b8f927c36bc
- SHA256
  
  416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
- SHA512
  
  790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb
- SSDEEP
  
  192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi
Score

3^/10
behavioral10 behavioral9
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  132e6153717a7f9710dcea4536f364cd
- SHA1
  
  e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
- SHA256
  
  d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
- SHA512
  
  9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1
- SSDEEP
  
  96:M/SspqrIYxLPEQhThvov3TE4/2Sa5P9QFFYzOx4uF3sbSEI5LP39sQvM:M/QUG7lhvov36S5FcUjliSEI5LuQ
Score

3^/10
behavioral11 behavioral12
- Target
  
  Notepad2.exe
- Size
  
  693KB
- MD5
  
  b60d390ba42c0109ee38de2e0ca56e1a
- SHA1
  
  735a4eb61fe695c9bd2c9961f5fa41ac5a73d833
- SHA256
  
  9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477
- SHA512
  
  97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24
- SSDEEP
  
  12288:6tmI4blkGgFigjLHnrX96Uym8EXwTfEIVXxuFNOFwXi4tjp:6tUtgI2LLX96E8EXwICgKwXi4tjp
Score

1^/10
behavioral13 behavioral14
- Target
  
  Two.vbs
- Size
  
  120B
- MD5
  
  dce4476454d12f8906cfa1db72722e2d
- SHA1
  
  4437a74ae0fcf7a4a636c04b7c0b80880871816a
- SHA256
  
  53908a91a2c298fcfd2cd278d4e273ecd55a3b5c81f10775307352aca5e211e8
- SHA512
  
  5a13b419813e768be03069332d3f655609221391b7faab5ed8c90ea57a7a26861ed0b5a256619ce9b8e62579e9e3ef9b0e8a37d6a688cb3795c62ea8cd55786f
Score

8^/10
- Blocklisted process makes network request
behavioral15 behavioral16
- Target
  
  patch.exe
- Size
  
  2.1MB
- MD5
  
  5da43c1e12289a6ee23c690404359d32
- SHA1
  
  d20ddb31c9c1c7c9bfd2c77890fb13608aac2c42
- SHA256
  
  554d5c274a401ab86387b8feadaa30f95b9bfa5873434b7592a96b932aebc025
- SHA512
  
  4a51da8e684688ce08a9bfc9ce1107ce30865fb171770269402bfa07df35a4db3eb79a8e54892855f1867f995691b5d52591971b8befb5870b9aa22945a40763
- SSDEEP
  
  49152:wUUbht1m5u70uMqCOEXDq7imBnb77ZCVqhQI171hxlwB:vUt1mpyp8Xa77ZQK7Rl
Score

9^/10

evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral17 behavioral18
- Target
  
  setup.exe
- Size
  
  2.1MB
- MD5
  
  3657f6fadee899005c6556c07a890bba
- SHA1
  
  bb532f5420c5baacb7b19f508ec29440135c3c74
- SHA256
  
  0ab71f45b1e9c6f5eba7ce76b31285a18e7a2851870e551b6aa3dbd8cd756aae
- SHA512
  
  3158f42fc30ee5425a252dd976c0d3634b1df124cf364c5790071677e33082343be4f117f05c8cc725cfd566f87229c4d2fdd235849b1b34b13d9a7285324068
- SSDEEP
  
  49152:/GxbKmg8Yvmx2jy1u9HWS8XCtMgdm4CnP22FbN7fwqGV7RkV:edKnmxujcStMkmxbFbN7w7C
Score

10^/10

cryptbot discovery evasion spyware stealer
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral19 behavioral20

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Blocklisted process makes network request

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20