
CryptBot

Global rank: 59
Month rank: 16
Week rank: 12

CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites offering "cracked" software. It was first observed in the wild in 2019.

Type: Infostealer
Origin: Unknown
First seen: 20 December, 2019
Last seen: 14 September, 2024


IOCs

Hashes
Domains
sevtvd17pt.top
forvd14sr.top
fivevd5ht.top
thirtvd13pt.top
sevtv17pt.top
tventyv20sb.top
elevenvd11ht.top
tventyvd20sr.top
tventyvd20ht.top
fiftvd15ht.top
thirtvd13sr.top
sevtvd17ht.top
thizx13vt.top
fivevd5sr.top
sevtv17pn.top
twelvevd12sr.top
sivd6sr.top
thirtv13pn.top
fivev5pn.top
siv6pn.top
URLs
http://vbthre3vs.top/zip.php
http://vseven7sr.top/gate.php
http://fygbib44.top/gate.php
http://sginiv12.top/gate.php
http://sgizfn14.top/gate.php
http://wuqvas12.top/gate.php
http://vfive5pn.top/gate.php
http://vfive5sr.top/gate.php
http://cfive5vt.top/gate.php
http://xfive5vs.top/gate.php
http://xfive5sr.top/gate.php
http://zfive5vt.top/gate.php
http://pfive5sr.top/gate.php
http://psix6sb.top/gate.php
http://psix6vt.top/gate.php/
http://xfive5pn.top/gate.php
http://zfive5vs.top/gate.php
http://zfive5sr.top/gate.php
http://pfive5pt.top/gate.php
http://pfive5vt.top/gate.php/


What is CryptBot malware

CryptBot, initially detected in 2019, is an information stealer designed to compromise Windows operating systems.

Its primary purpose is to exfiltrate confidential data from infected machines, such as:

  • browser credentials
  • cryptocurrency wallet details
  • browser cookies
  • credit card data
  • and system screenshots

The primary distribution channels for CryptBot involve spearphishing emails and illicit software cracks.

CryptBot is relatively modern malware; however, its authors are constantly evolving the threat, making it harder to detect. Around February 2022, researchers began noticing that the threat actors had simplified CryptBot's functionality, making it lighter, leaner, and less likely to be detected.

This saw them remove features such as the anti-sandbox evasion, the redundant second C2 connection, the second exfiltration folder, the screenshot function, and the option to collect data from TXT files on the desktop.

At the same time, post-2022 samples have gained targeted additions and improvements that make them more potent. Previously, the malware could only exfiltrate data from Chrome versions between 81 and 95. Now, CryptBot searches all file paths and exfiltrates user data regardless of the Chrome version in use, which makes it effective against a wider range of targets.

CryptBot infection method

Initiation of the CryptBot attack sequence typically occurs when an unsuspecting user visits a compromised webpage and is lured into downloading what appears to be a legitimate file, such as an SFX file posing as software like Adobe Photoshop. Once the user downloads the file, a malicious SFX file is placed on their computer. When executed, a folder is created in the user's %Temp% directory, containing several files that enable the subsequent stage of the attack.

The folder might contain an authentic Windows DLL, a BAT script, a concealed AutoIT script, and an AutoIT v3 compiler for executables. Some files might be disguised as image, audio, or video files to hide their actual purpose. The specific file extensions used can vary across different CryptBot versions.

The AutoIT interpreter tool, which is frequently exploited by numerous malware families, plays a role in the attack process. The BAT script examines the victim's system for certain antivirus products and uses a "sleep" function to avoid detection if any are found. It is also in charge of decrypting the highly obfuscated AutoIT script and transferring it to the virtual memory area for execution.

In the end, the AutoIT compiler for executables runs the harmful script, initiating an AutoIT process and loading the CryptBot binary into the system's memory.
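The staging folder described above has a recognisable shape: a BAT script, a PE executable (the AutoIT binary) and payload files carrying image, audio or video extensions that do not match their contents. The following script is an added example written for this page, not ANY.RUN's code; it triages a directory for exactly that combination by checking extensions against magic bytes. The sample folder, its file names (run.bat, AutoIt3.exe, picture.jpg, logo.png) and their contents are constructed for the demonstration.

```python
"""Triage of a dropped-file set resembling the CryptBot staging folder.

Added example, not ANY.RUN code. Flags a directory that contains, together,
a BAT script, at least one PE executable and a file whose media extension
does not match its magic bytes. The sample folder is constructed in a
temporary directory.
"""
import tempfile
from pathlib import Path

# Magic bytes for media formats commonly used as disguises (lookup table
# assembled for this example).
MEDIA_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".wav": (b"RIFF",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}


def read_head(path: Path, n: int = 16) -> bytes:
    """Return the first n bytes of a file."""
    with path.open("rb") as fh:
        return fh.read(n)


def is_pe(head: bytes) -> bool:
    """PE files (EXE/DLL) start with the 'MZ' DOS header."""
    return head[:2] == b"MZ"


def media_mismatch(head: bytes, ext: str) -> bool:
    """True when ext claims a media format but no known signature matches."""
    sigs = MEDIA_MAGIC.get(ext)
    if sigs is None:
        return False  # not a media extension we check
    return not any(head.startswith(s) for s in sigs)


def triage_folder(folder) -> dict:
    """Classify files in a folder and decide whether the combination is suspicious."""
    findings = {"bat": [], "pe": [], "mismatched_media": []}
    for p in sorted(Path(folder).iterdir()):
        if not p.is_file():
            continue
        head = read_head(p)
        ext = p.suffix.lower()
        if ext in (".bat", ".cmd"):
            findings["bat"].append(p.name)
        if is_pe(head):
            findings["pe"].append(p.name)
        if media_mismatch(head, ext):
            findings["mismatched_media"].append(p.name)
    # All three ingredients present at once is the pattern worth escalating.
    findings["suspicious"] = all(
        findings[k] for k in ("bat", "pe", "mismatched_media")
    )
    return findings


def build_sample_folder(base) -> Path:
    """Construct a staging folder shaped like the one described on the page."""
    d = Path(base) / "stage"
    d.mkdir()
    (d / "run.bat").write_bytes(b"@echo off\r\n")                  # BAT script
    (d / "AutoIt3.exe").write_bytes(b"MZ" + b"\x00" * 62)          # PE stub
    (d / "picture.jpg").write_bytes(b"\x00\x01\x02\x03" * 8)       # not a JPEG
    (d / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)  # real PNG header
    return d


def demo() -> dict:
    """Run the triage over the constructed sample folder."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_folder(build_sample_folder(tmp))


if __name__ == "__main__":
    print(demo())
```

Point `triage_folder` at a user's %Temp% subfolder when investigating a host; a PE file alone or a BAT file alone is common and noisy, so the verdict only fires when all three ingredients coexist.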

How to get more information from CryptBot malware

At ANY.RUN, you can securely execute CryptBot and conduct dynamic analysis within a completely interactive cloud-based sandbox environment. Our platform automatically gathers and presents rich execution data in easy-to-read formats.

Figure 1: CryptBot’s configuration automatically extracted by ANY.RUN

You can collect more info about the analyzed sample by looking at extracted malware configuration. A PCAP file for later analysis is also available for download.

CryptBot infostealer execution process

Upon initiating the initial payload, the execution flow of CryptBot can vary. CryptBot might sometimes employ the "compile after delivery" technique for defense evasion, or drop and execute a second file.

Then, the malware gathers data about the infected system and the installed software, and steals credentials. For data exfiltration, the stealer often establishes a connection with a C2 domain under the .top TLD. It's noteworthy that it consistently sends requests to a page named gate.php. After completing these actions, the malware may delete itself.
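The two traffic traits above (a .top C2 domain and a request to gate.php) are enough for a simple network detection. The script below is an added example for this page, not ANY.RUN's code: it parses proxy log lines, reports exact hits against a subset of the IOC domains listed on this page, and separately reports requests that merely fit the .top plus gate.php/zip.php pattern. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed, including the hostname unknown-host-xyz.top used to show a pattern-only match.

```python
"""Detect CryptBot-style C2 beacons in HTTP proxy logs.

Added example, not ANY.RUN code. Log format and log lines are constructed.
"""
from urllib.parse import urlsplit

# Subset of the domains listed in the IOC section of this page.
IOC_HOSTS = {
    "sevtvd17pt.top",
    "forvd14sr.top",
    "vseven7sr.top",
    "vbthre3vs.top",
    "pfive5vt.top",
}

# Request paths seen in the IOC URL list (gate.php, with or without trailing
# slash, and zip.php).
C2_PATHS = {"/gate.php", "/gate.php/", "/zip.php"}

# Constructed sample log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2024-09-14T10:01:02Z 10.0.0.5 GET http://example.com/index.html 200
2024-09-14T10:01:07Z 10.0.0.5 POST http://vseven7sr.top/gate.php 200
2024-09-14T10:01:09Z 10.0.0.5 GET http://vbthre3vs.top/zip.php 200
2024-09-14T10:02:30Z 10.0.0.7 POST http://unknown-host-xyz.top/gate.php 200
2024-09-14T10:03:00Z 10.0.0.9 GET http://cdn.example.net/gate.php 404
"""


def parse_line(line: str):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def classify(entry: dict):
    """Return 'ioc_match', 'pattern_match' or None for a parsed log entry."""
    u = urlsplit(entry["url"])
    host = (u.hostname or "").lower()
    path = u.path or "/"
    if host in IOC_HOSTS:
        return "ioc_match"            # exact known-bad domain
    if host.endswith(".top") and path in C2_PATHS:
        return "pattern_match"        # fits the behaviour, lower confidence
    return None


def detect(log_text: str):
    """Return (client, url, verdict) for every line that matches."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            hits.append((entry["client"], entry["url"], verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in detect(SAMPLE_LOG):
        print(f"{verdict:14} {client:10} {url}")
```

Treat `ioc_match` as actionable and `pattern_match` as a lead to pivot on (other requests from the same client, the process that made them); a gate.php path on a non-.top host, as in the last sample line, is deliberately not flagged, since that file name alone is not distinctive.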

Read a detailed analysis of CryptBot in our blog.


Distribution of CryptBot

In addition to utilizing phishing and spearphishing techniques with infected documents, starting around February 2022, CryptBot has expanded its distribution methods by leveraging cracked software lures to target potential victims.

The strategy involves creating websites that masquerade as providers of software cracks, key generators, pirated games, or other utilities. Then, search engine optimization (SEO) techniques are used to rank the malware distribution sites at the top of Google search results.

The malicious websites undergo frequent updates, employing various lures to attract users. Visitors are taken through a series of redirections before reaching the delivery page, which may be hosted on a compromised legitimate site for SEO poisoning attacks.

Wrapping up

CryptBot's primary targets are individuals searching for software cracks, warez, and other methods of bypassing copyright protection. To avoid infection by CryptBot and other similar malware, users should refrain from downloading such tools.

By staying informed about CryptBot's distribution methods and recent changes, malware analysts and security researchers can better understand this threat and develop effective countermeasures.

Speed up your workflow by analyzing CryptBot in ANY.RUN. Create an account using your business email and try our interactive cloud sandbox for free.
