CryptBot

48
Global rank
25
Month rank
20
Week rank
238
IOCs

CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It has been first observed in the wild in 2019.

Infostealer
Type
Unknown
Origin
20 December, 2019
First seen
2 June, 2023
Last seen

How to analyze CryptBot with ANY.RUN

Infostealer
Type
Unknown
Origin
20 December, 2019
First seen
2 June, 2023
Last seen

IOCs

IP addresses
8.208.76.69
188.68.221.52
5.101.50.108
8.208.101.157
8.208.26.99
8.209.99.235
8.209.74.224
8.208.22.49
8.208.88.247
8.209.79.251
8.208.3.5
8.208.11.4
8.208.25.7
8.209.114.138
8.209.74.196
8.209.77.15
8.209.77.210
8.209.78.211
8.208.26.133
8.208.78.141
Hashes
b73d6d65ce2752dfd87d6f2c6e2577241d38ab680bd7f67aa33ea6a481fb1411
68dbf9ee186dd2a81142d255b9d384b9a5886a576bec570bdfa76e9ee9a7a39e
4d85514b7f17f7f8e08e5e3af79dddab8aa8b5461f2bb192032e933d6c10f015
427f61c9f376adba2e22fe947e045953fd5ec4751cd84588c6e493469f77f75a
48cd50b9f44a45645ba21b8e0846954c66f2dc99a69ee853428f1793d91ddc40
22075a63aef35075b6a7bf3eb1f3ba9ccccfec7fc90f7925c1f02f7747a938ce
0a429c131f5188ad77d4f453e5dbeca5f0e451c4dab3789fd2dce9467ba90b42
f358c53793072f2aea396ada8825367ff9bdcea9a5b226f4ae342cc4782da1f8
6796ac72433542c8cd005746b9a95c4b26eb2ce7aa0972e4fd8eb839c20a328b
64dae2d962de63731c94b2c05b23b69e909440c6207292a84587b2f80702151a
103ae3ba8111533449864f82e14655a6138930f46432a50b92c2dee3cae504bb
f7dea59206eddc8e307d15c3b4f0644119f1bfdf186352e531e3f122541eca05
4daef9b00dddadca0e2a1163293071171b5866796bb01461efd8dbd4331d105a
682b6447539c2ffa3883e1d520919f6fb500687966bbf0209090ce31bf71af0c
e813fff839d6b8ecf2625194624f29ad7120b8281f9dfe79d105a804da5f491a
a762f9f1b035705d175658bfbea5e43d5f47cdb534aa1293402b5fceefcd8ab4
fedec2022deda5e3993c9c527c1dd39269ac8a6a0e4604df1343aef441d901b1
eaec25d47cc86e6fea619edc6daafd79ae5a3bebf734450611a4630c4a119143
5e331b11d4afe5286d7f9a466b84cf52a092d1b449ef7d837c640d5a5d6a05dd
2470c6f0f6cff6d59bef92d2a49634e8e49002bba20908f69d5d611151865e14
Domains
majul.com
isns.net
elx01.knas.systems
sasurr02.top
bube01.info
cedss03.top
moraa10.top
magnar01.top
magnar03.top
sasurr05.top
yahzdaje.website
sasurr03.top
kafurr01.top
sasurr01.top
sdaurr03.top
rifat04.info
cede04.info
cede03.info
lqo01.pro
goga01.xyz
Last Seen at

Recent blog posts

recentPost
How to Create a Task in ANY.RUN:a Step-by-Ste...
watchers 306
comments 0
recentPost
ChatGPT for SOC and Malware Analysis professi...
watchers 5380
comments 0
recentPost
Deobfuscating the Latest GuLoader: Automating...
watchers 3235
comments 3

What is CryptBot malware

CryptBot, initially detected in 2019, is an information stealer designed to compromise Windows operating systems.

Its primary purpose is to exfiltrate confidential data from infected machines, such us:

  • browser credentials
  • cryptocurrency wallet details
  • browser cookies
  • credit card data
  • and system screenshots

The primary distribution channels for CryptBot involve spearphishing emails and illicit software cracks.

CryptoBot is a relatively modern malware. However, it’s authors are constantly evolving the threat, making it harder to detect. Around February 2022 researchers began noticing that threat actors simplified CryptBot’s functionality, making it lighter, leaner, and less likely to be detected.

This saw them remove features such as the anti-sandbox evasion, redundant second C2 connection, second exfiltration folder, screenshot function, and the option to collect data on TXT files on the desktop.

At the same time, post 2022 samples have gained targeted additions and improvements that make them more potent. Previously, the malware could only exfiltrate data from Chrome versions between 81 and 95. Now, CryptBot searches all file paths and exfiltrates user data, regardless of the Chrome version in use. This improvement allows CryptBot to be effective against a wider range of targets.

CryptBot infection method

Initiation of the CryptBot attack sequence typically occurs when an unsuspecting user visits a compromised webpage and is lured into downloading what appears to be a legitimate file, such as an SFX file posing as software like Adobe Photoshop. Once the user downloads the file, a malicious SFX file is placed on their computer. When executed, a folder is created in the user's %Temp% directory, containing several files that enable the subsequent stage of the attack.

The folder might contain an authentic Windows DLL, a BAT script, a concealed AutoIT script, and an AutoIT v3 compiler for executables. Some files might be disguised as image, audio, or video files to hide their actual purpose. The specific file extensions used can vary across different CryptBot versions.

The AutoIT interpreter tool, which is frequently exploited by numerous malware families, plays a role in the attack process. The BAT script examines the victim's system for certain antivirus products and uses a "sleep" function to avoid detection if any are found. It is also in charge of decrypting the highly obfuscated AutoIT script and transferring it to the virtual memory area for execution.

In the end, the AutoIT compiler for executables runs the harmful script, initiating an AutoIT process and loading the CryptBot binary into the system's memory.

How to get more information from CryptBot malware

At ANY.RUN, you can securely execute CryptBot and conduct dynamic analysis within a completely interactive cloud-based sandbox environment. Our platform automatically gathers and presents rich execution data in easy-to-read formats.

CryptBot malware configuration extracted by ANY.RUN Figure 1: CryptBot’s configuration automatically extracted by ANY.RUN

You can collect more info about the analyzed sample by looking at extracted malware configuration. A PCAP file for later analysis is also available for download.

CryptBot infostealer execution process

Upon initiating the initial payload, the execution flow of CryptBot can be variable. Cryptbot might sometimes employ the "compile after delivery" technique for defense evasion or release and execute a second file.

Then, the malware gathers data about the infected system, the software installed, and pilfers credentials. For data exfiltration, the stealer often establishes a connection with the C2 domain, with the ** .top** extension. It's noteworthy that it consistently sends requests to a page named gate.php. After completing these actions, the malware may implement a file deletion technique, deleting itself.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Distribution of CryptBot

In addition to utilizing phishing and spearphishing techniques with infected documents, starting around February 2022, CryptBot has expanded its distribution methods by leveraging cracked software lures to target potential victims.

The strategy involves creating websites that masquerade as providers of software cracks, key generators, pirated games, or other utilities. Then, search engine optimization (SEO) techniques are used to rank the malware distribution sites at the top of Google search results.

The malicious websites undergo frequent updates, employing various lures to attract users. Visitors are taken through a series of redirections before reaching the delivery page, which may be hosted on a compromised legitimate site for SEO poisoning attacks.

Wrapping up

CryptBot's primary targets are individuals searching for software cracks, warez, and other methods of bypassing copyright protection. To avoid infection by CryptBot and other similar malware, users should refrain from downloading such tools.

By staying informed about CryptBot's distribution methods and recent changes, malware analysts and security researchers can better understand this threat and develop effective countermeasures.

Speed up your workflow by analyzing CryptBot in ANY.RUN. Create an account using your business email and try our interactive cloud sandbox for free.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy