
CryptBot


CryptBot is an advanced Windows-targeting infostealer delivered through pirate sites that offer "cracked" software. It was first observed in the wild in 2019.

Type: Infostealer
Origin: Unknown
First seen: 20 December, 2019
Last seen: 27 September, 2025




What is CryptBot malware

CryptBot, initially detected in 2019, is an information stealer designed to compromise Windows operating systems.

Its primary purpose is to exfiltrate confidential data from infected machines, such as:

  • browser credentials
  • cryptocurrency wallet details
  • browser cookies
  • credit card data
  • system screenshots

The primary distribution channels for CryptBot involve spearphishing emails and illicit software cracks.

CryptBot is relatively modern malware, but its authors are constantly evolving the threat to make it harder to detect. Around February 2022, researchers began noticing that the threat actors had simplified CryptBot's functionality, making it lighter, leaner, and less likely to be detected.

In that process they removed features such as the anti-sandbox evasion, the redundant second C2 connection, the second exfiltration folder, the screenshot function, and the option to collect data from TXT files on the desktop.

At the same time, post-2022 samples have gained targeted additions and improvements that make them more potent. Previously, the malware could only exfiltrate data from Chrome versions 81 through 95. Now CryptBot searches all file paths and exfiltrates user data regardless of the Chrome version in use, which makes it effective against a wider range of targets.

CryptBot infection method

The CryptBot attack sequence typically begins when an unsuspecting user visits a compromised webpage and is lured into downloading what appears to be a legitimate file, such as an SFX archive posing as software like Adobe Photoshop. Once downloaded, the malicious SFX file is on the user's computer. When executed, it creates a folder in the user's %Temp% directory containing several files that enable the next stage of the attack.

The folder might contain an authentic Windows DLL, a BAT script, a concealed AutoIT script, and an AutoIT v3 compiler for executables. Some files might be disguised as image, audio, or video files to hide their actual purpose. The specific file extensions used can vary across different CryptBot versions.

The AutoIT interpreter, which is abused by numerous malware families, plays a central role in the attack. The BAT script checks the victim's system for certain antivirus products and calls a "sleep" function to avoid detection if any are found. It is also responsible for decrypting the heavily obfuscated AutoIT script and loading it into memory for execution.

In the end, the AutoIT compiler for executables runs the harmful script, initiating an AutoIT process and loading the CryptBot binary into the system's memory.

How to get more information from CryptBot malware

At ANY.RUN, you can securely execute CryptBot and conduct dynamic analysis within a completely interactive cloud-based sandbox environment. Our platform automatically gathers and presents rich execution data in easy-to-read formats.

Figure 1: CryptBot's configuration automatically extracted by ANY.RUN

You can collect more info about the analyzed sample by looking at extracted malware configuration. A PCAP file for later analysis is also available for download.

CryptBot infostealer execution process

Once the initial payload is launched, CryptBot's execution flow can vary. It sometimes employs the "compile after delivery" technique for defense evasion, or it drops and executes a second file.

The malware then gathers data about the infected system and the installed software, and steals credentials. For data exfiltration, the stealer typically connects to a C2 domain under the .top top-level domain. It is noteworthy that it consistently sends its requests to a page named gate.php. After completing these actions, the malware may delete itself from disk.
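To show how the two behaviours described above (the AutoIT interpreter started from %Temp% by the BAT script, and the beacon to a .top domain at /gate.php) can be hunted for in telemetry, here is an added example written for this page; it is not ANY.RUN's code. The event format, the AutoIt3.exe file name and all hostnames and paths are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample events in an assumed, simplified EDR/sandbox format
# (not ANY.RUN's real output). The .top hostnames are made up for this example.
EVENTS = [
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\setup_files\AutoIt3.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "http", "method": "POST", "url": "http://example-c2.top/gate.php"},
    {"type": "http", "method": "GET", "url": "http://example.com/gate.php"},
    {"type": "http", "method": "GET", "url": "http://cdn.example.top/index.html"},
]

# The dropped folder lives in the user's %Temp% directory, as described above.
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
C2_TLD = ".top"
C2_PATH = "/gate.php"


def is_autoit_from_temp(event: dict) -> bool:
    """AutoIT interpreter (assumed file name AutoIt3.exe) started from %Temp%
    by cmd.exe, i.e. the BAT-script stage. The dropper may rename the
    interpreter, so this is a high-precision rather than high-recall check."""
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()
    return (image.endswith("\\autoit3.exe") and TEMP_RE.search(image) is not None
            and parent.endswith("\\cmd.exe"))


def is_c2_beacon(url: str) -> bool:
    """Request for /gate.php on a .top domain, the C2 pattern described above."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host.endswith(C2_TLD) and parsed.path.lower() == C2_PATH


def hunt(events: list) -> list:
    """Return (label, detail) pairs for events matching either behaviour."""
    hits = []
    for ev in events:
        if ev["type"] == "process" and is_autoit_from_temp(ev):
            hits.append(("autoit_from_temp", ev["image"]))
        elif ev["type"] == "http" and is_c2_beacon(ev["url"]):
            hits.append(("cryptbot_c2_beacon", ev["url"]))
    return hits
```

Run `hunt(EVENTS)` to see the two constructed events that match; the legitimate AutoIt3 install and the non-.top gate.php request are left alone.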

Read a detailed analysis of CryptBot in our blog.


Distribution of CryptBot

In addition to utilizing phishing and spearphishing techniques with infected documents, starting around February 2022, CryptBot has expanded its distribution methods by leveraging cracked software lures to target potential victims.

The strategy involves creating websites that masquerade as providers of software cracks, key generators, pirated games, or other utilities. Then, search engine optimization (SEO) techniques are used to rank the malware distribution sites at the top of Google search results.

The malicious websites undergo frequent updates, employing various lures to attract users. Visitors are taken through a series of redirections before reaching the delivery page, which may be hosted on a compromised legitimate site for SEO poisoning attacks.

Wrapping up

CryptBot's primary targets are individuals searching for software cracks, warez, and other methods of bypassing copyright protection. To avoid infection by CryptBot and other similar malware, users should refrain from downloading such tools.

By staying informed about CryptBot's distribution methods and recent changes, malware analysts and security researchers can better understand this threat and develop effective countermeasures.

Speed up your workflow by analyzing CryptBot in ANY.RUN. Create an account using your business email and try our interactive cloud sandbox for free.
