Field | Value
---|---
File name | 1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe
Full analysis | https://app.any.run/tasks/31a6e807-ac5d-4f70-9c97-bdc1f99d1a19
Verdict | Malicious activity
Threats | CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It was first observed in the wild in 2019.
Analysis date | April 15, 2025, 17:56:42
OS | Windows 10 Professional (build: 19044, 64 bit)
Tags | 
Indicators | 
MIME | application/vnd.microsoft.portable-executable
File info | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5 | 00199AAC9400A4F9793169130094C4CC
SHA1 | AEAB187366C367E9ED2F46EF463BC7292ECC8B0F
SHA256 | 1BF7CDB7E9E4BB12B05FAC24D3B5E8756A0055898934C0AFACB08E3B469E4A74
SSDEEP | 98304:yfLIQ/yuqAPLksDVLrNe3CxkXi4nVfeL7jF1y3tnuxHrO4LqYHQzSR+vQpHrD4be:qkQBf
Extension | Type | Match (%)
---|---|---
.exe | Win32 Executable (generic) | 52.9
.exe | Generic Win/DOS Executable | 23.5
.exe | DOS Executable Generic | 23.5
Field | Value
---|---
MachineType | Intel 386 or later, and compatibles
TimeStamp | 2023:10:03 07:51:19+00:00
ImageFileCharacteristics | Executable, 32-bit
PEType | PE32
LinkerVersion | 14.33
CodeSize | 214528
InitializedDataSize | 155648
UninitializedDataSize | -
EntryPoint | 0x21d50
OSVersion | 5.1
ImageVersion | -
SubsystemVersion | 5.1
Subsystem | Windows GUI
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | | services.exe | User: NETWORK SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Host Process for Windows Services; Version: 10.0.19041.1 (WinBuild.160101.0800)
4560 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe | | 1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe | User: admin; Integrity Level: MEDIUM
4560 | CryptBot config | VC_redist.x64.exe | C2 (1): eihxv18sr.top; Strings (364) | | 
4756 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | User: NETWORK SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: KMS Connection Broker; Version: 10.0.19041.3996 (WinBuild.160101.0800)
4776 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | — | SppExtComObj.Exe | User: NETWORK SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows Activation Client; Version: 10.0.19041.1 (WinBuild.160101.0800)
6184 | "C:\Users\admin\AppData\Local\Temp\1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe" | C:\Users\admin\AppData\Local\Temp\1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
6184 | 1bf7cdb7e9e4bb12b05fac24d3b5e8756a0055898934c0afacb08e3b469e4a74.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe | executable | 55A6592AD4D5B5B7F872EBAC29DE8148 | 63BD278B15D42D85EBD1B7C1E2C204031D2B6308E1E127626EF01C0B5E994098
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3300 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
3300 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6544 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
— | — | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2112 | svchost.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
Domain | IP | Reputation
---|---|---
google.com | | whitelisted
crl.microsoft.com | | whitelisted
login.live.com | | whitelisted
ocsp.digicert.com | | whitelisted
client.wns.windows.com | | whitelisted
eihxv18sr.top | | malicious
slscr.update.microsoft.com | | whitelisted
www.microsoft.com | | whitelisted
fe3cr.delivery.mp.microsoft.com | | whitelisted
nexusrules.officeapps.live.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |