File name:	Set-up.exe
Full analysis:	https://app.any.run/tasks/b723ea78-39f1-4b9b-b6a1-ae07ccc74f83
Verdict:	Malicious activity
Threats:	CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It has been first observed in the wild in 2019. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 06, 2025, 11:12:29
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	cryptbot stealer antivm crypto-regex
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 9 sections
MD5:	82F12257874F42D2F2475CA1D9189E43
SHA1:	24E0E7493E9BCC17D4858F350C6A6694F4A5ACC5
SHA256:	B75AAEDF296EC3B596C58573077667F403ED73B18EC052ED9B68B21414671A72
SSDEEP:	98304:sPg4ho/86VLyj/OwBJT1R/okfDHbWYjspaQrzkLrCh5s024d4Z6WcHGRUmXPikNN:aDNARI

.exe	\|	InstallShield setup (48.1)
.exe	\|	Win32 Executable MS Visual C++ (generic) (34.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.3)
.exe	\|	Win32 Executable (generic) (5)
.exe	\|	Generic Win/DOS Executable (2.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:01:06 04:54:11+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	2.4
CodeSize:	5416960
InitializedDataSize:	7742464
UninitializedDataSize:	12800
EntryPoint:	0x14a0
OSVersion:	4
ImageVersion:	1
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(6916) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6916) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(6916) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(6916) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(6916) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1

PID	Process	Filename		Type
6916	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF142912.TMP		—
		MD5:—	SHA256:—
6916	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF142912.TMP		—
		MD5:—	SHA256:—
6916	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old		—
		MD5:—	SHA256:—
6916	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF142912.TMP		—
		MD5:—	SHA256:—
6916	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
6916	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF142931.TMP		—
		MD5:—	SHA256:—
6916	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
6916	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF142941.TMP		—
		MD5:—	SHA256:—
6916	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
6916	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
204	svchost.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
204	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6516	Set-up.exe	GET	200	34.147.147.173:80	http://home.thirttj13vs.top/gbVspuhpvozlydclqfRi1736138767?argument=7g54Ln46PTPmJqmW1736161967	unknown	—	—	unknown
6516	Set-up.exe	POST	200	34.147.147.173:80	http://thirttj13vs.top/v1/upload.php	unknown	—	—	malicious
6516	Set-up.exe	POST	200	34.147.147.173:80	http://home.thirttj13vs.top/gbVspuhpvozlydclqfRi1736138767	unknown	—	—	malicious
—	—	GET	—	142.250.185.100:443	https://www.google.com/async/ddljson?async=ntp:2	unknown	—	—	—
6516	Set-up.exe	POST	200	34.147.147.173:80	http://thirttj13vs.top/v1/upload.php	unknown	—	—	malicious
—	—	GET	—	142.250.185.100:443	https://www.google.com/async/newtab_promos	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
204	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	unknown
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.227.202:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6516	Set-up.exe	50.19.58.113:443	httpbin.org	AMAZON-AES	US	unknown
4712	MoUsoCoreWorker.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
204	svchost.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
www.bing.com	2.23.227.202 2.23.227.205 2.23.227.208 2.23.227.221	whitelisted
google.com	142.250.185.206	whitelisted
httpbin.org	50.19.58.113 3.210.94.60 34.200.57.114 34.197.122.172	unknown
crl.microsoft.com	2.16.164.49 2.16.164.72	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
home.thirttj13vs.top	34.147.147.173	malicious
thirttj13vs.top	34.147.147.173	malicious
clientservices.googleapis.com	216.58.212.163	whitelisted
accounts.google.com	74.125.206.84	whitelisted

PID	Process	Class	Message
6516	Set-up.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
6516	Set-up.exe	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
6516	Set-up.exe	A Network Trojan was detected	ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
6516	Set-up.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
6516	Set-up.exe	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
6516	Set-up.exe	A Network Trojan was detected	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
6516	Set-up.exe	A Network Trojan was detected	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
6516	Set-up.exe	A Network Trojan was detected	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

General Info

Set-up.exe

82F12257874F42D2F2475CA1D9189E43

24E0E7493E9BCC17D4858F350C6A6694F4A5ACC5

B75AAEDF296EC3B596C58573077667F403ED73B18EC052ED9B68B21414671A72

98304:sPg4ho/86VLyj/OwBJT1R/okfDHbWYjspaQrzkLrCh5s024d4Z6WcHGRUmXPikNN:aDNARI

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

CRYPTBOT mutex has been found

CRYPTBOT has been detected (SURICATA)

Actions looks like stealing of personal data

Connects to the CnC server

Uses Task Scheduler to run other applications

SUSPICIOUS

Searches for installed software

There is functionality for VM detection VirtualBox (YARA)

Reads security settings of Internet Explorer

The process executes via Task Scheduler

Found regular expressions for crypto-addresses (YARA)

Executes application which crashes

INFO

Checks supported languages

Reads CPU info

Reads the machine GUID from the registry

Drops encrypted VBS script (Microsoft Script Encoder)

Reads the computer name

Application launched itself

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Create files in a temporary directory

Process checks computer location settings

The process uses the downloaded file

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings