BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

CryptBot

62
Global rank
73
Month rank
64 infographic chevron week
Week rank
562
IOCs

CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It has been first observed in the wild in 2019.

Infostealer
Type
Unknown
Origin
20 December, 2019
First seen
18 May, 2024
Last seen

How to analyze CryptBot with ANY.RUN

Infostealer
Type
Unknown
Origin
20 December, 2019
First seen
18 May, 2024
Last seen

IOCs

Hashes
2b0487817f8cf2592db53cea34fa30f2db1a06d046759f23f3e72a0dc61034dd
470d8301ac8d7e12baca136b154e146703c74b32bb495f4c5487339f570405d6
a9b3f51f97dcb1ed34cc2b9d1664b597b38bdb7f6efc21418489b8e970b4c2cc
ed6197154c710da20540e476b1df535ec7956e263c5064cfa38b6b96e45393a1
aa40bae94993caa836037d30d4ed4c02e1224dfce5923e010a2aad0056c34f07
85821ba279517102d76a622bfe36b997eb1772cc6ec6d3b80dd501bc34c250c6
07ba9187a89a1cdf0decad8afb5dc4f3bd4c79aacd6e4eefd3712ff64088ddab
a387213cfec4e3e17435a5da59d657ceb403d3b1825fbeac970617c6c7b8813d
5e331b11d4afe5286d7f9a466b84cf52a092d1b449ef7d837c640d5a5d6a05dd
e697032121e7de781f045c52db959bf8c8297d556ddf280c51a91e4049abd387
820d889e160311bb5b6ca0301fe2305334dc8b1add08209a20a8277051edd678
79e5c6bd4b2bfa20186b3ce543e3caeba0bc089b326c36458fd34d109009328c
553e2ae84b069b9e634aeab247f736711d4a452e4eb2da356b171446cc7d2fc5
d7c9d97a92d4794104d3327a45dc0b6dc0d17f15b2169fdbcd08e4d913b888db
1df7b82df79323d3d0a18265b32830c574f71a6f9f5e11f55df3a76d3ab852bc
842902a229af05a242d1c6a8db6ff66bd624a3326aa75c1600c13711eb029eb9
4cb21265ed5d9fe786973cea7b7b13ae44f6cbc455ddd862b9a6c6c5acd34edc
3e792c85baf34c86b8d4b89d558e2b0c44a96ef6fa87d054b6fd154fc58ec34b
d12627a6eafc4c0f234a1b2eadba0ea8d3d32d262b57b7b7d6abd8ad882c8e2e
f4e8a0988a843078a03d54bec631613a6768f848bb961c4c3e6c466a7b143887
Domains
s.tmp
morbyj05.top
deodd52.top
morexn05.top
ewafve51.top
faodrt28.top
darzcb62.top
bridmz52.top
poqvyg22.top
wyxead72.top
moraaaasf01.top
piperoerrt23.top
moraffdd04.top
leribis02.top
befqlo52.top
mortos05.top
nkoopw11.top
moraass08.top
morgwa06.top
e.exe
URLs
http://vbthre3vs.top/zip.php
http://vseven7sr.top/gate.php;
http://fygbib44.top/gate.php;
http://sginiv12.top/gate.php;
http://sgizfn14.top/gate.php;
http://wuqvas12.top/gate.php;
http://vfive5pn.top/gate.php;
http://vfive5sr.top/gate.php;
http://cfive5vt.top/gate.php;
http://xfive5vs.top/gate.php;
http://xfive5sr.top/gate.php;
http://zfive5vt.top/gate.php;
http://pfive5sr.top/gate.php;
http://psix6sb.top/gate.php;
http://psix6vt.top/gate.php/;
http://xfive5pn.top/gate.php;
http://zfive5vs.top/gate.php;
http://zfive5sr.top/gate.php;
http://pfive5pt.top/gate.php;
http://pfive5vt.top/gate.php/;
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 54
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 768
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 573
comments 0

What is CryptBot malware

CryptBot, initially detected in 2019, is an information stealer designed to compromise Windows operating systems.

Its primary purpose is to exfiltrate confidential data from infected machines, such us:

  • browser credentials
  • cryptocurrency wallet details
  • browser cookies
  • credit card data
  • and system screenshots

The primary distribution channels for CryptBot involve spearphishing emails and illicit software cracks.

CryptoBot is a relatively modern malware. However, it’s authors are constantly evolving the threat, making it harder to detect. Around February 2022 researchers began noticing that threat actors simplified CryptBot’s functionality, making it lighter, leaner, and less likely to be detected.

This saw them remove features such as the anti-sandbox evasion, redundant second C2 connection, second exfiltration folder, screenshot function, and the option to collect data on TXT files on the desktop.

At the same time, post 2022 samples have gained targeted additions and improvements that make them more potent. Previously, the malware could only exfiltrate data from Chrome versions between 81 and 95. Now, CryptBot searches all file paths and exfiltrates user data, regardless of the Chrome version in use. This improvement allows CryptBot to be effective against a wider range of targets.

CryptBot infection method

Initiation of the CryptBot attack sequence typically occurs when an unsuspecting user visits a compromised webpage and is lured into downloading what appears to be a legitimate file, such as an SFX file posing as software like Adobe Photoshop. Once the user downloads the file, a malicious SFX file is placed on their computer. When executed, a folder is created in the user's %Temp% directory, containing several files that enable the subsequent stage of the attack.

The folder might contain an authentic Windows DLL, a BAT script, a concealed AutoIT script, and an AutoIT v3 compiler for executables. Some files might be disguised as image, audio, or video files to hide their actual purpose. The specific file extensions used can vary across different CryptBot versions.

The AutoIT interpreter tool, which is frequently exploited by numerous malware families, plays a role in the attack process. The BAT script examines the victim's system for certain antivirus products and uses a "sleep" function to avoid detection if any are found. It is also in charge of decrypting the highly obfuscated AutoIT script and transferring it to the virtual memory area for execution.

In the end, the AutoIT compiler for executables runs the harmful script, initiating an AutoIT process and loading the CryptBot binary into the system's memory.

How to get more information from CryptBot malware

At ANY.RUN, you can securely execute CryptBot and conduct dynamic analysis within a completely interactive cloud-based sandbox environment. Our platform automatically gathers and presents rich execution data in easy-to-read formats.

CryptBot malware configuration extracted by ANY.RUN Figure 1: CryptBot’s configuration automatically extracted by ANY.RUN

You can collect more info about the analyzed sample by looking at extracted malware configuration. A PCAP file for later analysis is also available for download.

CryptBot infostealer execution process

Upon initiating the initial payload, the execution flow of CryptBot can be variable. Cryptbot might sometimes employ the "compile after delivery" technique for defense evasion or release and execute a second file.

Then, the malware gathers data about the infected system, the software installed, and pilfers credentials. For data exfiltration, the stealer often establishes a connection with the C2 domain, with the ** .top** extension. It's noteworthy that it consistently sends requests to a page named gate.php. After completing these actions, the malware may implement a file deletion technique, deleting itself.

Read a detailed analysis of CryptBot in our blog.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Distribution of CryptBot

In addition to utilizing phishing and spearphishing techniques with infected documents, starting around February 2022, CryptBot has expanded its distribution methods by leveraging cracked software lures to target potential victims.

The strategy involves creating websites that masquerade as providers of software cracks, key generators, pirated games, or other utilities. Then, search engine optimization (SEO) techniques are used to rank the malware distribution sites at the top of Google search results.

The malicious websites undergo frequent updates, employing various lures to attract users. Visitors are taken through a series of redirections before reaching the delivery page, which may be hosted on a compromised legitimate site for SEO poisoning attacks.

Wrapping up

CryptBot's primary targets are individuals searching for software cracks, warez, and other methods of bypassing copyright protection. To avoid infection by CryptBot and other similar malware, users should refrain from downloading such tools.

By staying informed about CryptBot's distribution methods and recent changes, malware analysts and security researchers can better understand this threat and develop effective countermeasures.

Speed up your workflow by analyzing CryptBot in ANY.RUN. Create an account using your business email and try our interactive cloud sandbox for free.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy