Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

CryptBot

50
Global rank
19 infographic chevron month
Month rank
23 infographic chevron week
Week rank
0
IOCs

CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It has been first observed in the wild in 2019.

Infostealer
Type
Unknown
Origin
20 December, 2019
First seen
11 February, 2025
Last seen

How to analyze CryptBot with ANY.RUN

Infostealer
Type
Unknown
Origin
20 December, 2019
First seen
11 February, 2025
Last seen

IOCs

Domains
fivepp5sb.top
fivell5th.top
home.fivell5th.top
fivegg5th.top
home.fivegg5th.top
home.elvngg11th.top
fiveww5vt.top
home.fiveww5vt.top
home.thrtgg13th.top
elvnww11vt.top
home.elvnww11vt.top
home.thrtww13vt.top
home.fiverr5pn.top
home.thrtrr13pn.top
fivexx5ht.top
elvnkk11vs.top
home.elvnkk11vs.top
home.thrtkk13vs.top
home.fiveii5vt.top
home.elvnm11fr.top
URLs
http://fivepp5sb.top/v1/upload.php
http://home.fivepp5sb.top/joLepLgSzIBRhlkJbQYx1739003311
http://elvnpp11sb.top/v1/upload.php
http://home.elvnpp11sb.top/PbeokZpPUOamImAhVrmG1739003311
http://home.fivell5th.top/FBTjVCNVSpaXwPVFxYNX1738859513
http://fivell5th.top/v1/upload.php
http://home.thrtpp13sb.top/raOzktqqsOFBfTfWPzPd1739003311
http://thrtpp13sb.top/v1/upload.php
http://home.thrthh13pn.top/xcQeMzDXgEJBBJKcnDnH1738611128
http://thrthh13pn.top/v1/upload.php
http://home.fivehh5pn.top/fYXSltDgZMGffARYrQiQ1738611129
http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489
http://fivegg5th.top/v1/upload.php
http://home.fiveww5vt.top/KkPBTQlNSDINKvTlAxyq1738083387
http://fiveww5vt.top/v1/upload.php
http://mipjeb34.top/gate.php;
http://home.fiverr5pn.top/ZIfnMpEddQyGkCoLIKtI1737973038
http://fiverr5pn.top/v1/upload.php
http://home.thrtrr13pn.top/aXNrduviKATsMIBZCkba1737973037
http://thrtrr13pn.top/v1/upload.php
Last Seen at
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 53
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 559
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1430
comments 0

What is CryptBot malware

CryptBot, initially detected in 2019, is an information stealer designed to compromise Windows operating systems.

Its primary purpose is to exfiltrate confidential data from infected machines, such us:

  • browser credentials
  • cryptocurrency wallet details
  • browser cookies
  • credit card data
  • and system screenshots

The primary distribution channels for CryptBot involve spearphishing emails and illicit software cracks.

CryptoBot is a relatively modern malware. However, it’s authors are constantly evolving the threat, making it harder to detect. Around February 2022 researchers began noticing that threat actors simplified CryptBot’s functionality, making it lighter, leaner, and less likely to be detected.

This saw them remove features such as the anti-sandbox evasion, redundant second C2 connection, second exfiltration folder, screenshot function, and the option to collect data on TXT files on the desktop.

At the same time, post 2022 samples have gained targeted additions and improvements that make them more potent. Previously, the malware could only exfiltrate data from Chrome versions between 81 and 95. Now, CryptBot searches all file paths and exfiltrates user data, regardless of the Chrome version in use. This improvement allows CryptBot to be effective against a wider range of targets.

CryptBot infection method

Initiation of the CryptBot attack sequence typically occurs when an unsuspecting user visits a compromised webpage and is lured into downloading what appears to be a legitimate file, such as an SFX file posing as software like Adobe Photoshop. Once the user downloads the file, a malicious SFX file is placed on their computer. When executed, a folder is created in the user's %Temp% directory, containing several files that enable the subsequent stage of the attack.

The folder might contain an authentic Windows DLL, a BAT script, a concealed AutoIT script, and an AutoIT v3 compiler for executables. Some files might be disguised as image, audio, or video files to hide their actual purpose. The specific file extensions used can vary across different CryptBot versions.

The AutoIT interpreter tool, which is frequently exploited by numerous malware families, plays a role in the attack process. The BAT script examines the victim's system for certain antivirus products and uses a "sleep" function to avoid detection if any are found. It is also in charge of decrypting the highly obfuscated AutoIT script and transferring it to the virtual memory area for execution.

In the end, the AutoIT compiler for executables runs the harmful script, initiating an AutoIT process and loading the CryptBot binary into the system's memory.

How to get more information from CryptBot malware

At ANY.RUN, you can securely execute CryptBot and conduct dynamic analysis within a completely interactive cloud-based sandbox environment. Our platform automatically gathers and presents rich execution data in easy-to-read formats.

CryptBot malware configuration extracted by ANY.RUN Figure 1: CryptBot’s configuration automatically extracted by ANY.RUN

You can collect more info about the analyzed sample by looking at extracted malware configuration. A PCAP file for later analysis is also available for download.

CryptBot infostealer execution process

Upon initiating the initial payload, the execution flow of CryptBot can be variable. Cryptbot might sometimes employ the "compile after delivery" technique for defense evasion or release and execute a second file.

Then, the malware gathers data about the infected system, the software installed, and pilfers credentials. For data exfiltration, the stealer often establishes a connection with the C2 domain, with the ** .top** extension. It's noteworthy that it consistently sends requests to a page named gate.php. After completing these actions, the malware may implement a file deletion technique, deleting itself.

Read a detailed analysis of CryptBot in our blog.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Distribution of CryptBot

In addition to utilizing phishing and spearphishing techniques with infected documents, starting around February 2022, CryptBot has expanded its distribution methods by leveraging cracked software lures to target potential victims.

The strategy involves creating websites that masquerade as providers of software cracks, key generators, pirated games, or other utilities. Then, search engine optimization (SEO) techniques are used to rank the malware distribution sites at the top of Google search results.

The malicious websites undergo frequent updates, employing various lures to attract users. Visitors are taken through a series of redirections before reaching the delivery page, which may be hosted on a compromised legitimate site for SEO poisoning attacks.

Wrapping up

CryptBot's primary targets are individuals searching for software cracks, warez, and other methods of bypassing copyright protection. To avoid infection by CryptBot and other similar malware, users should refrain from downloading such tools.

By staying informed about CryptBot's distribution methods and recent changes, malware analysts and security researchers can better understand this threat and develop effective countermeasures.

Speed up your workflow by analyzing CryptBot in ANY.RUN. Create an account using your business email and try our interactive cloud sandbox for free.

HAVE A LOOK AT

Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Lynx screenshot
Lynx
lynx
Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption simultaneously threatening to publish or sell the data. Active since mid-2024. Among techniques are terminating processes and services, privilege escalation, deleting shadow copies. Distribution by phishing, malvertising, exploiting vulnerabilities.
Read More
Balada Injector screenshot
Balada Injector is a long-running malware campaign that targets WordPress websites by exploiting vulnerabilities in plugins and themes. The attackers inject malicious code into compromised sites, leading to unauthorized redirects, data theft, and the creation of [backdoors](https://any.run/malware-trends/backdoor) for persistent access. The campaign operates in waves, with spikes in activity observed every few weeks, continually adapting to exploit newly discovered vulnerabilities.
Read More
Phorpiex screenshot
Phorpiex
phorpiex
Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit.
Read More
X-Files screenshot
X-Files
xfiles
X-FILES Stealer is a sophisticated malware designed to infiltrate systems and steal sensitive information, targeting login credentials for email, social media, and other personal accounts. It captures data and transmits it back to the attacker’s command-and-control server. X-FILES Stealer employs advanced evasion techniques to avoid detection, making it a persistent threat in the cyber landscape.
Read More
Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More