{"id":4206,"date":"2023-01-26T01:55:00","date_gmt":"2023-01-26T01:55:00","guid":{"rendered":"\/cybersecurity-blog\/?p=4206"},"modified":"2023-03-02T07:50:10","modified_gmt":"2023-03-02T07:50:10","slug":"cryptbot-infostealer-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/","title":{"rendered":"CryptBot Infostealer: Malware Analysis"},"content":{"rendered":"\n

We recently analyzed CryptBot, an infostealer detected by the ANY.RUN online malware sandbox<\/a>. 
<\/p>\n\n\n\n

Through our research, we collected information about MITRE ATT&CK techniques used by this malware. We also learned about how this infostealer stores and encrypts its configuration information, and we wrote a Python script to extract the configuration. 
<\/p>\n\n\n\n

Let\u2019s go over the whole process step-by-step.<\/p>\n\n\n\n

Brief description of CryptBot malware <\/h2>\n\n\n\n

CryptBot is an infostealer targeting Windows operation systems that was first discovered in the wild in 2019. It is designed to steal sensitive information from infected computers, such as credentials for browsers, cryptocurrency wallets, browser cookies, credit card information, and screenshots of the infected system. It is distributed through phishing emails and cracked software.<\/p>\n\n\n\n

\"CryptBot<\/figure>\n\n\n\n

CryptBot dynamic analysis in a malware sandbox<\/h2>\n\n\n\n

During the analysis we’ll take a look at the sample:<\/p>\n\n\n\n

MD5: 12d20a973f8cd9c6373929ae14efe123
URL: https:\/\/app.any.run\/tasks\/5c6e7021-f223-495c-a332-21ef1276e4cf <\/a><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

A single process (Fig. 1) is created when the malware starts, which actively uses the file system (15k+ events) and the registry (2k+ events).
<\/p>\n\n\n\n

\"CryptBot\u2019s
Fig. 1 \u2014 CryptBot\u2019s process <\/figcaption><\/figure>\n\n\n\n

Ok, now that we got the basics out of the way, let\u2019s break down this malware and list all of the techniques it uses. We\u2019ll break sort the information by technique as we go from here.   <\/p>\n\n\n\n

Credentials from password stores: credentials from web browsers (T1555.003)<\/h3>\n\n\n\n

CryptBot steals information from popular browsers \u2014 Chrome, Firefox, and Edge, as the “Actions looks like stealing of personal data” indicator (Fig. 2) and “Reads browser cookies” indicators tell us:
<\/p>\n\n\n\n

\"CryptBot
Fig. 2 \u2014 CryptBot steals Firefox data
<\/figcaption><\/figure>\n\n\n\n

To detect access to personal data stored in the browser, we can use the pseudo-signature:<\/p>\n\n\n\n

process_name NOT (\u201cchrome.exe\u201d, \u201dfirefox.exe\u201d, \u201cmsedge.exe\u201d, \u201copera.exe\u201d)\nAND\nfile_access (\n%LOCALAPPDATA%\\\\MICROSOFT\\\\EDGE\\\\USER DATA\\\\*,\n%APPDATA%\\\\Roaming\\\\Mozilla\\\\Firefox\\\\*,\n%LOCALAPPDATA%\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\*\n%LOCALAPPDATA%\\\\AppData\\\\Local\\\\Opera Software\\\\Opera Stable\\*\n)<\/code><\/pre>\n\n\n\n
Software discovery (T1518)<\/h3>\n\n\n\n
CryptBot checks the presence of installed software in the system by going through the “Uninstall” registry tree (Fig. 3):<\/p>\n\n\n\n
<\/p>\n\n\n\n
\"CryptBot
Fig. 3 \u2014 CryptBot searches for installed software
<\/figcaption><\/figure>\n\n\n\n
To detect an attempt to access the list of installed software, we can use a pseudo-signature:<\/p>\n\n\n\n
reg_key is (\u201cHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\u201d)\nAND\noperation read<\/code><\/pre>\n\n\n\n
System information discovery (T1082)<\/h3>\n\n\n\n
The malware collects system information, including operating system installation date, computer name, key, CPU information, and this behavior triggers the corresponding indicators (Fig. 4):<\/p>\n\n\n\n
\"CryptBot
Fig. 4 \u2014 CryptBot collects system information<\/figcaption><\/figure>\n\n\n\n
It is possible to detect the collection of system configuration information by accessing certain registry keys. For example, reading the system installation date can be detected by the following pseudo-signature:<\/p>\n\n\n\n
reg_key is (\u201cHKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\u201d)\nAND\nreg_name is (\u201cINSTALLDATE\u201d)\nAND\noperation read<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Application layer protocol: web protocols (T1071.001)<\/h3>\n\n\n\n
CryptBot sends the collected OS information and personal data to the control server, which we can see in multiple connection attempts (see Figure 5):<\/p>\n\n\n\n
\"CryptBot
Fig. 5 \u2014 CryptBot attempts to send data to the control server
<\/figcaption><\/figure>\n\n\n\n
We can detect attempts to connect to the C2 server with the following pseudo-signature:<\/p>\n\n\n\n
network connect\nAND\n(\ndomains are (\u201csginiv12[.]top\u201d or \u201cbytcox01[.]top\u201d)\nOR (ip == \u201c23[.]217.138.108\u201d and port==80)\n)<\/code><\/pre>\n\n\n\n
Additionally, we investigated the content of the network stream and detected that the data is sent through the HTTP protocol, using a POST request with an attached file (see Fig. 6). Having restarted the malware several times we found that the file name is most likely randomly generated. However, the request is always sent to the “gate.php” page.
<\/p>\n\n\n\n
\"Malware
Fig. 6 \u2014 Malware sends information to the control server
<\/figcaption><\/figure>\n\n\n\n
Potentially malicious traffic is also detected in the results of the Suricata (see Fig. 7):<\/p>\n\n\n\n
\"Potentially
Fig. 7 \u2014 Potentially malicious traffic detected by the Suricata rules<\/figcaption><\/figure>\n\n\n\n
Let’s create a pseudo-signature to detect CryptBot in the traffic:<\/p>\n\n\n\n
network send\nAND\nhttp_verb is \u201cPOST\u201d AND location is \u201cgate.php\u201d\nAND\nhttp_content includes (\u201cform-data\u201d, \u201cname=\\\u201dfiles[]\\\u201d\u201d, \u201cfilename\u201d)<\/code><\/pre>\n\n\n\n
Analyzing the contents of the transmitted file gives nothing of interest, since it is probably encrypted.<\/p>\n\n\n\n
Data staged: local data staging (T1074.001)<\/h3>\n\n\n\n
1. Preventing re-runs<\/h4>\n\n\n\n
When we launch the malware for the first time in the “%APPDATA%” directory an empty directory-marker “0D445946B53E9551” is created (Figure 8). This directory allows the Malicious software to determine whether it has been launched before. If the CryptBot is restarted, it will stop working immediately.<\/p>\n\n\n\n
\"Marker-directory
Fig. 8 \u2014 Marker-directory 0D445946B53E9551
<\/figcaption><\/figure>\n\n\n\n
Let’s make a pseudo-signature to detect the creation of the marker directory:
<\/p>\n\n\n\n
action create_directory\nAND\ndirectory_name is (\u201c^%APPDATA%\\\\[A-F0-9]{16}$\u201d)<\/code><\/pre>\n\n\n\n
2. Storing collected data<\/h4>\n\n\n\n
Collected information is stored in temporary files in various formats (sqlite, binary, text) in the %TEMP% directory (Fig. 9):<\/p>\n\n\n\n
\"Temporary
Fig. 9 \u2014 Temporary files in the %TEMP% directory
<\/figcaption><\/figure>\n\n\n\n
For example, in Fig. 10 we see the content of one of the created temporary files, where information about the stolen logins and passwords is stored in Base64 format. Note that the data also includes a website to which each login-password pair corresponds:
<\/p>\n\n\n\n
\"The
Fig. 10 \u2014 The contents of the files with the collected information
<\/figcaption><\/figure>\n\n\n\n
To detect the creation of temporary files with personal data, we can, for example, apply the following pseudo-signature:
<\/p>\n\n\n\n
process_name NOT (\u201cchrome.exe\u201d)\nAND\nfile_create (\u201c%TEMP\\\\*.tmp\u201d)\nAND\nfile_content includes (\n*username*,\n*password*\n)<\/code><\/pre>\n\n\n\n
Indicator removal: file deletion (T1070.004)<\/h3>\n\n\n\n
When the malware is done running, it removes itself using CMD.EXE with a short delay to give the process time to finish and unblock the executable file (Fig. 11):
<\/p>\n\n\n\n
\"The
Fig. 11 \u2014 The malware self-deletes
<\/figcaption><\/figure>\n\n\n\n
We can use the following pseudo-signature in the command line for detection: 
<\/p>\n\n\n\n
process_name is (\u201ccmd.exe\u201d)\nAND\ncommand_line includes (\u201ctimeout\u201d, \u201cdel\u201d)<\/code><\/pre>\n\n\n\n
CryptBot dynamic analysis using a debugger<\/h2>\n\n\n\n
Static packer check<\/h3>\n\n\n\n
In general, it’s a best practice to check the file statically to figure out its type and if there\u2019s a packer present, before conducting the dynamic analysis. Once we do that with the DiE tool shows that the file is not packed (see fig.12):
<\/p>\n\n\n\n
\"Checking
Fig. 12 \u2014 Checking the malware file statically to detect a packer
<\/figcaption><\/figure>\n\n\n\n
In this case, even though we didn\u2019t find a packer during our static analysis, the dynamic analysis revealed that the malware uses a T1027.002 – software packing technique. <\/p>\n\n\n\n
Obfuscated files or information: software packing (T1027.002)<\/h3>\n\n\n\n
By analyzing the memory of a running process using Process Hacker, we stumble upon an RWX region that is not normally found in legitimate programs. The beginning of the dump of this region allows you to see the header of the PE file (see Fig. 13):<\/p>\n\n\n\n
\"CryptBot\u2019s
Fig. 13 \u2014 CryptBot\u2019s memory dump of a running process<\/figcaption><\/figure>\n\n\n\n
On further analysis we discovered that the header of the PE file is also the beginning of the shellcode<\/strong> (see Fig. 14), which recovers the register value, gets the ImageBase and passes control to the EntryPoint:
<\/p>\n\n\n\n
\"
Figure 14 \u2014 Disassembling the PE header<\/figcaption><\/figure>\n\n\n\n
Using the x64dbg debugger we have determined that the executable memory region is allocated by the unpacker using the WinAPI\u2019s VirtualAlloc<\/strong> function. Next, the unpacker writes payload to it and decrypts it with an XOR<\/strong> operation (see Figure 15):
<\/p>\n\n\n\n
\"Decrypting
Fig. 15 \u2014 Decrypting payload using XOR<\/figcaption><\/figure>\n\n\n\n
The key<\/strong> to decrypt the payload is in the “.rdata” section of the running executable:
<\/p>\n\n\n\n
\"Key
Fig. 16 \u2014 Key to decrypt the payload
<\/figcaption><\/figure>\n\n\n\n
Thus, we can see that despite the absence of features of the payload in the static analysis, using the dynamic one we have identified the presence of a packer and determined the key and the encryption algorithm.<\/strong><\/p>\n\n\n\n
Writing YARA rules to detect CryptBot shellcode in memory<\/h3>\n\n\n\n
A YARA rule for detecting a CryptBot shellcode in OS memory could look like this:<\/p>\n\n\n\n
rule CryptBot_ShellCode\n{\nmeta:\n    \tauthor = \"Any.Run\"\n    \tSHA256 = \"183f842ce161e8f0cce88d6451b59fb681ac86bd3221ab35bfd675cb42f056ac\"\n    \tdate = \"2023-01-19\"\n    \tdescription = \"Detect CryptBot shellcode in memory\"\n\nstrings:\n    \t$shellcode = { 4D 5A 45 52 E8 00 00 00 00 58 83 E8 09 50 05 [4] FF D0 C3 }\n\ncondition:\n    \tuint16(0) != 0x5A4D and\n    \tuint16(0) > 0 and\n    \t$shellcode in (0x20..0x50)\n}<\/code><\/pre>\n\n\n\n
Static analysis and configuration decoding<\/h2>\n\n\n\n
Finding and deciphering the configuration<\/h3>\n\n\n\n
The static analysis of the payload code led us to the conclusion that the malware configuration is located in the “.data” section and encrypted with an XOR operation. Moreover, the decryption key lies in plaintext just before the encrypted data (see Figure 17):
<\/p>\n\n\n\n
\"Key
Fig. 17 \u2014 Key and encrypted configuration
<\/figcaption><\/figure>\n\n\n\n
The configuration is easily decrypted using CyberChef and the key “PU7GX2MZtl” (see Fig. 18):<\/p>\n\n\n\n
\"CryptBot
Figure 18 \u2014 CryptBot decrypted configuration
<\/figcaption><\/figure>\n\n\n\n
From the decrypted configuration it becomes clear what information should be stolen by CryptBot. For example, the screenshot variable tells the malware to take a screenshot, and ChromeExt \u2014 to steal data from Chrome extensions.
<\/p>\n\n\n\n
Automating configuration decryption<\/h3>\n\n\n\n
We have automated the CryptBot configuration extraction in Python<\/a> and made the script public. You can always find it in our Git repo. The result of the unpacked payload script is shown in Fig. 19:<\/p>\n\n\n\n
<\/p>\n\n\n\n
\"The
Fig. 19 \u2014 The result of the configuration extraction script<\/figcaption><\/figure>\n\n\n\n
Developing YARA Rules for detecting CryptBot configuration in memory<\/h3>\n\n\n\n
Some strings of the decrypted CryptBot configuration can be used as part of a YARA rule to detect it in memory:<\/p>\n\n\n\n
rule CryptBot_Config {\nmeta:\n    \tauthor = \"Any.Run\"\n    \tSHA256 = \"183f842ce161e8f0cce88d6451b59fb681ac86bd3221ab35bfd675cb42f056ac\"\n    \tdate = \"2022-01-19\"\n    \tdescription = \"Detect CryptBot configuration in memory\"\nstrings:\n    \t$s1 = \"CookiesEdge\"\n    \t$s2 = \"ChromeDB<>_<>\"\n    \t$s3 = \"EdgeDB<>_<>\"\n    \t$s4 = \"ChromeExt<>_<>\"\n    \t$s5 = \"HistoryChrome<>_<>\"\n    \t$s6 = \"EdgeExt<>_<>\"\n    \t$s7 = \"CookiesFirefox<>_<>\"\n    \t$s8 = \"HistoryOpera<>_<>\"\n    \t$s9 = \"CookiesOpera<>_<>\"\n    \t$s10 = \"FirefoxDB<>_<>\"\n    \t$s11 = \"CookiesChrome<>_<>\"\n    \t$s12 = \"HistoryFirefox<>_<>\"\n    \t$s13 = \"HistoryEdge<>_<>\"\n    \t$s14 = \"DesktopFolder<>_<>\"\n    \t$s15 = \"ChromeDBFolder<>_<>\"\n    \t$s16 = \"ExternalDownload<>_<>\"\n    \t$s17 = \"ScreenFile<>_<>\"\n    \t$s18 = \"MessageAfterEnd<>_<>\"\n    \t$s19 = \"HistoryFile<>_<>\"\n    \t$s20 = \"FirefoxDBFolder<>_<>\"\n    \t$s21 = \"PasswordFile<>_<>\"\n    \t$s22 = \"WalletFolder<>_<>\"\n    \t$s23 = \"DeleteAfterEnd<>_<>\"\n    \t$s24 = \"EdgeDBFolder<>_<>\"\n    \t$s25 = \"InfoFile<>_<>\"\n    \t$s26 = \"CookiesFile<>\"\n\ncondition:\n    \t7 of them\n}<\/code><\/pre>\n\n\n\n
Using ANY.RUN to efficiently analyze CryptBot<\/h2>\n\n\n\n
For your convenience, we have integrated automatic extraction of the CryptBot configuration into ANY.RUN interactive sandbox<\/a> \u2014 just run the sample and get all the IOCs in seconds (Fig. 20):<\/p>\n\n\n\n
\"Automatic
Fig. 20 – Automatic CryptBot configuration extraction in ANY.RUN sandbox<\/figcaption><\/figure>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
In this article, we looked into CryptBoT, its techniques and behavior when contained in the ANY.RUN sandbox. We also wrote a configuration extractor <\/a>that you can use to gather and interpret the data. 
<\/p>\n\n\n\n
Fortunately, ANY.RUN is already set up to detect this malware automatically, making the relevant configuration details just a click away.
<\/p>\n\n\n\n
If you want to read more content like this, check out our analysis of the Raccoon Stealer<\/a>, or Orcus RAT<\/a>.<\/p>\n\n\n\n
Appendix<\/h2>\n\n\n\n
Analyzed files<\/h3>\n\n\n\n
Title<\/strong><\/td>Description<\/strong><\/td><\/tr>
Name<\/td>12d20a973f8cd9c6373929ae14efe123.exe<\/td><\/tr>
MD5<\/td>12d20a973f8cd9c6373929ae14efe123<\/td><\/tr>
SHA1<\/td>7f277f5f8f9c2831d40a2dc415566a089a820151<\/td><\/tr>
SHA256<\/td>183f842ce161e8f0cce88d6451b59fb681ac86bd3221ab35bfd675cb42f056ac<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Extracted URLs<\/h3>\n\n\n\n
    \n
  • http:\/\/sginiv12[.]top\/gate.php<\/li>\n\n\n\n
  • http:\/\/bytcox01[.]top\/gesell.dat<\/li>\n<\/ul>\n\n\n\n
    MITRE (ARMATTACK)<\/h3>\n\n\n\n
    Tactics<\/strong><\/td>Techniques<\/strong><\/td>Description<\/strong><\/td><\/tr>
    TA0005:
    defence evasion<\/td>    		T1070.004:
    Indicator Removal: 
    File Deletion <\/td>    		Self-deleting 
    after completion<\/td><\/tr>

    <\/td>    		T1027.002:
    Obfuscated Files 
    or Information: 
    Software Packing<\/td>    		Malware is decrypted 
    into memory before 
    it starts working<\/td><\/tr>
    TA0006:
    Credential access<\/td>    		T1555.003:
    Credentials from 
    Web Browsers<\/td>    		Steals data from 
    installed browsers<\/td><\/tr>
    TA0007:
    Software discovery<\/td>    		T1518:
    Software Discovery<\/td>    		Searches for installed software
     in the system 
    in the “Uninstall” key<\/td><\/tr>

    <\/td>    		T1082:
    System Information
    Discovery<\/td>    		Collects system data<\/td><\/tr>
    TA0009:
    Collection<\/td>    		T1113:
    Screen capture<\/td>    		Has an option to take 
    a configuration screenshot<\/td><\/tr>

    <\/td>    		T1074:
    Data Staged<\/td>    		Saving of gathered data 
    in a temporary directory 
    before sending; 
    prevention of relaunch<\/td><\/tr>
    TA0011:
    Command and Control<\/td>    		T1071:
    Application Layer 
    Protocol<\/td>    		Sending collected data 
    to the control server<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"
    We recently analyzed CryptBot, an infostealer detected by the ANY.RUN online malware sandbox.  Through our research, we collected information about MITRE ATT&CK techniques used by this malware. We also learned about how this infostealer stores and encrypts its configuration information, and we wrote a Python script to extract the configuration.  Let\u2019s go over the whole […]<\/p>\n","protected":false},"author":2,"featured_media":4213,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[34],"class_list":["post-4206","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-malware-analysis"],"acf":[],"yoast_head":"\nCryptBot Infostealer: Malware Analysis - ANY.RUN's Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Read CryptBot analysis: MITRE ATT&CK techniques used by the infostealer, how it stores, encrypts the configuration data and how to extract the memory dump.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"khr0x\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/\"},\"author\":{\"name\":\"khr0x\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"CryptBot Infostealer: Malware Analysis\",\"datePublished\":\"2023-01-26T01:55:00+00:00\",\"dateModified\":\"2023-03-02T07:50:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/\"},\"wordCount\":1593,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/\",\"name\":\"CryptBot Infostealer: Malware Analysis - ANY.RUN's Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2023-01-26T01:55:00+00:00\",\"dateModified\":\"2023-03-02T07:50:10+00:00\",\"description\":\"Read CryptBot analysis: MITRE ATT&CK techniques used by the infostealer, how it stores, encrypts the configuration data and how to extract the memory dump.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"CryptBot Infostealer: Malware Analysis\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN's Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"khr0x\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg\",\"caption\":\"khr0x\"},\"description\":\"I'm 21 years old and I work as a malware analyst for more than a year. I like finding out what kind of malware got on my computer. In my spare time I do sports and play video games.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CryptBot Infostealer: Malware Analysis - ANY.RUN's Cybersecurity Blog","description":"Read CryptBot analysis: MITRE ATT&CK techniques used by the infostealer, how it stores, encrypts the configuration data and how to extract the memory dump.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/","twitter_misc":{"Written by":"khr0x","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/"},"author":{"name":"khr0x","@id":"https:\/\/any.run\/"},"headline":"CryptBot Infostealer: Malware Analysis","datePublished":"2023-01-26T01:55:00+00:00","dateModified":"2023-03-02T07:50:10+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/"},"wordCount":1593,"commentCount":2,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/","name":"CryptBot Infostealer: Malware Analysis - ANY.RUN's Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2023-01-26T01:55:00+00:00","dateModified":"2023-03-02T07:50:10+00:00","description":"Read CryptBot analysis: MITRE ATT&CK techniques used by the infostealer, how it stores, encrypts the configuration data and how to extract the memory dump.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"CryptBot Infostealer: Malware Analysis"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN's Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"khr0x","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg","caption":"khr0x"},"description":"I'm 21 years old and I work as a malware analyst for more than a year. I like finding out what kind of malware got on my computer. In my spare time I do sports and play video games.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4206"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=4206"}],"version-history":[{"count":27,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4206\/revisions"}],"predecessor-version":[{"id":4519,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4206\/revisions\/4519"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/4213"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=4206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=4206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=4206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}