CryptBot Malware Analysis
Reverse Engineering CryptBot Malware, a Windows-based Trojan infostealer developed in C/C++.
CryptBot Malware Analysis
Overview
CryptBot is a Windows-based Trojan malware first discovered in the wild in December 2019. It belongs to the prolific category of information stealers, whose primary objective is to gather sensitive data from infected devices and exfiltrate it to threat actors. This includes credentials, cryptocurrency wallets, browser data, and system information.
According to a detailed report from Darktrace, CryptBot draws inspiration from earlier infostealers like ZeuS (discovered in 2006). After ZeuS’s source code leaked, variants proliferated, and infostealers have since become a staple in cybercrime. In recent months, SOC (Security Operations Center) teams have observed multiple infections across customer bases involving similar stealers.
Key characteristics of CryptBot:
- Distribution Methods: Often spread via cracked software, fake updates, or malvertising campaigns.
- Capabilities: Steals browser cookies, saved passwords, cryptocurrency wallet data, screenshots, and keystrokes. It also checks for admin privileges and God Mode in Windows.
- Evasion Techniques: Uses packing, string encryption, and dynamic configuration to avoid detection.
- Impact: Targets individuals and organizations for financial gain, often leading to identity theft or ransomware follow-ups.
Analysis
Activities
Activity Dynamics
The following graph illustrates the dynamic behavior of CryptBot during infection, including initial execution, data collection, and exfiltration phases. The data took from MalwareHunter’s infographic.
Malicious Infrastructure Growth Dynamics
This detailed graph shows the growth of CryptBot’s command-and-control (C2) infrastructure over time, highlighting domain registrations and IP changes.
- Trends: Rapid domain cycling to avoid blacklisting.
- Indicators: High volume of short-lived domains like
.topTLDs.
Programming Language
Based on the unpacked sample and the function declarations, revealed during the analysis by IDA Pro, the malware is written in C/C++. This is evident from low-level API calls, string handling, and memory management patterns observed in the disassembled code.
Static Analysis
Static analysis reveals CryptBot’s configuration parsing, string obfuscation, and data theft routines. The malware uses UTF-16LE encoded strings and bracketed formats like [<Variable>] for config variables (e.g., [<Bitcoin>] for wallet data).
Configuration Parsing Snippet
Here’s a NASM snippet showing config parsing. Note the use of bracketed tags for variables like Process, Screenshot, and Key.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
.rdata:004AC220 asc_4AC220: ; DATA XREF: sub_417E4C+142A↑o
.rdata:004AC220 text "UTF-16LE", '[<',0
.rdata:004AC226 aProcess db 'Process:',0
.rdata:004AC22F align 10h
.rdata:004AC230 text "UTF-16LE", '>]',0
.rdata:004AC236 align 4
.rdata:004AC238 a1: ; DATA XREF: sub_417E4C:loc_41934E↑o
.rdata:004AC238 ; sub_4599AD+3B↑o ...
.rdata:004AC238 text "UTF-16LE", '1',0
.rdata:004AC23C align 10h
.rdata:004AC240 asc_4AC240: ; DATA XREF: sub_417E4C+1592↑o
.rdata:004AC240 text "UTF-16LE", '[<',0
.rdata:004AC246 aScreenshot db 'Screenshot',0
.rdata:004AC251 align 2
.rdata:004AC252 db '>',0
.rdata:004AC254 db ']',0
.rdata:004AC256 align 4
.rdata:004AC258 a2 db '2',0 ; DATA XREF: sub_417E4C:loc_41941B↑o
.rdata:004AC25A align 10h
.rdata:004AC260 asc_4AC260: ; DATA XREF: sub_417E4C+166D↑o
.rdata:004AC260 text "UTF-16LE", '[<',0
.rdata:004AC266 aKey_0 db 'Key',0
.rdata:004AC26A db 0
.rdata:004AC26B db 3Eh ; >
.rdata:004AC26C db 0
.rdata:004AC26D db 5Dh ; ]
.rdata:004AC26E db 0
.rdata:004AC26F db 0
- Explanation: These strings are used to tag stolen data in exfiltrated payloads. The malware constructs formatted output like
[<Process:>]before sending.
Privilege Checks
The malware checks for Windows God Mode (a hidden feature for advanced settings) and admin privileges.
God Mode is a (clearly exaggerated) term for a folder that contains links to all kinds of system settings directly on your desktop (or wherever you choose to create it). Despite its intimidating name, God Mode is very easy to set up, and there’s almost no risk to it, aside from making important settings easily accessible.
- God Mode Check: References to
GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}indicate attempts to access elevated features. - Admin Check: Uses API calls like
IsUserAnAdmin()to determine escalation needs.
Interesting Strings (Wallet Extensions)
CryptBot targets crypto wallets via browser extensions. Here’s a snippet showing hardcoded extension IDs and names.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
.rdata:004A43F0 asc_4A43F0: ; DATA XREF: sub_401000+1E↑o
.rdata:004A43F0 ; sub_401887+1E↑o ...
.rdata:004A43F0 text "UTF-16LE", '[<',0
.rdata:004A43F6 aFhbohimaelbohp db 'fhbohimaelbohpjbbldcngcnapndodjp',0 ; Extension ID for a wallet
.rdata:004A4417 align 4
.rdata:004A4418 text "UTF-16LE", '>]',0
.rdata:004A441E align 10h
.rdata:004A4420 asc_4A4420: ; DATA XREF: sub_401000+28↑o
.rdata:004A4420 ; sub_4011E0+134↑o ...
.rdata:004A4420 text "UTF-16LE", '[<',0
.rdata:004A4426 aGuarda db 'Guarda',0 ; Wallet name: Guarda
.rdata:004A442D align 2
.rdata:004A442E db '>',0
.rdata:004A4430 db ']',0
.rdata:004A4432 align 10h
.rdata:004A4440 asc_4A4440: ; DATA XREF: sub_401000+32↑o
.rdata:004A4440 ; sub_401887+32↑o ...
.rdata:004A4440 text "UTF-16LE", '[<',0
.rdata:004A4446 aHpglfhgfnhbgpj db 'hpglfhgfnhbgpjdenjgmdgoeiappafln',0 ; Extension ID
.rdata:004A4467 align 4
.rdata:004A4468 text "UTF-16LE", '>]',0
.rdata:004A446E align 10h
.rdata:004A4470 asc_4A4470: ; DATA XREF: sub_401000+3C↑o
.rdata:004A4470 ; sub_401887+3C↑o ...
.rdata:004A4470 text "UTF-16LE", '[<',0
.rdata:004A4476 aCoin98 db 'Coin98',0 ; Wallet name: Coin98
.rdata:004A447D align 2
.rdata:004A447E db '>',0
.rdata:004A4480 db ']',0
.rdata:004A4482 align 10h
.rdata:004A4490 asc_4A4490: ; DATA XREF: sub_401000+46↑o
.rdata:004A4490 ; sub_401887+46↑o ...
.rdata:004A4490 text "UTF-16LE", '[<',0
.rdata:004A4496 aAeachknmefphep db 'aeachknmefphepccionboohckonoeemg',0 ; Extension ID
.rdata:004A44B7 align 4
.rdata:004A44B8 text "UTF-16LE", '>]',0
.rdata:004A44BE align 10h
.rdata:004A44C0 asc_4A44C0: ; DATA XREF: sub_401000+50↑o
.rdata:004A44C0 ; sub_401190+14↑o ...
.rdata:004A44C0 text "UTF-16LE", '[<',0
.rdata:004A44C6 aMath db 'Math',0 ; Wallet name: Math
.rdata:004A44CB align 4
.rdata:004A44CC text "UTF-16LE", '>]',0
.rdata:004A44D2 align 10h
.rdata:004A44E0 asc_4A44E0: ; DATA XREF: sub_401000+5A↑o
.rdata:004A44E0 ; sub_401887+5A↑o ...
.rdata:004A44E0 text "UTF-16LE", '[<',0
.rdata:004A44E6 aAfbcbjpbpfadlk db 'afbcbjpbpfadlkmhmclhkeeodmamcflc',0 ; Extension ID
.rdata:004A4507 align 4
.rdata:004A4508 text "UTF-16LE", '>]',0
.rdata:004A450E align 10h
.rdata:004A4510 asc_4A4510: ; DATA XREF: sub_401000+64↑o
.rdata:004A4510 ; sub_401887+64↑o ...
.rdata:004A4510 text "UTF-16LE", '[<',0
.rdata:004A4516 aTronlink db 'TronLink',0 ; Wallet name: TronLink
.rdata:004A451F align 10h
.rdata:004A4520 text "UTF-16LE", '>]',0
.rdata:004A4526 align 10h
.rdata:004A4530 asc_4A4530: ; DATA XREF: sub_401000+6E↑o
.rdata:004A4530 ; sub_401887+6E↑o ...
.rdata:004A4530 text "UTF-16LE", '[<',0
.rdata:004A4536 aIbnejdfjmmkpcn db 'ibnejdfjmmkpcnlpebklmnkoeoihofec',0 ; Extension ID
.rdata:004A4557 align 4
.rdata:004A4558 text "UTF-16LE", '>]',0
.rdata:004A455E align 10h
.rdata:004A4560 asc_4A4560: ; DATA XREF: sub_401000+78↑o
.rdata:004A4560 ; sub_401887+78↑o ...
.rdata:004A4560 text "UTF-16LE", '[<',0
.rdata:004A4566 aKeplr db 'Keplr',0 ; Wallet name: Keplr
- Explanation: These are bracketed tags for stealing data from specific wallets. The extension IDs correspond to Chrome Web Store entries. For example,
ibnejdfjmmkpcnlpebklmnkoeoihofecis TronLink’s ID.
Initialization and Global Setup
The malware uses _initterm for initialization. Declarations reference multiple subroutines for setup.
- Renaming for Clarity:
sub_401000renamed tomw_setup_stealer_stringsas it handles string setup for theft. This will be reflected in the code snippets below during the analysis.
Check functions retrieving globals:
The content type appears to be a struct for caching strings:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
unsigned __int8 *__thiscall sub_407C62(unsigned __int8 *this)
{
_BYTE *v2; // ebx
_BYTE *v3; // esi
int v4; // eax
int v5; // ecx
int v6; // esi
if ( *this == 0x5B )
return this + 6;
if ( !dword_4BEF24 || !dword_4BEF20 )
sub_407B97();
v2 = malloc(__CFADD__(*this, 1) ? -1 : *this + 1);
v3 = malloc(5u);
*(_DWORD *)v3 = *(_DWORD *)(this + 1);
v3[4] = this[5];
memmove_0(v2, this + 6, *this);
sub_407BF8((int)v2, *this);
v2[*this] = 0;
j___free_base(v3);
v4 = sub_407C22(v2);
v5 = dword_4BEF28;
v6 = dword_4BEF28;
if ( dword_4BEF28 < 0 )
{
LABEL_8:
*((_DWORD *)dword_4BEF24 + dword_4BEF28) = v4;
*(_DWORD *)(dword_4BEF20 + 4 * v5) = v2;
dword_4BEF28 = v5 + 1;
return v2;
}
else
{
while ( *((_DWORD *)dword_4BEF24 + v6) != v4 )
{
if ( --v6 < 0 )
goto LABEL_8;
}
j___free_base(v2);
return *(unsigned __int8 **)(dword_4BEF20 + 4 * v6);
}
}
- Explanation: This function parses and caches bracketed strings, using malloc for dynamic allocation and hashing for quick lookups.
Back to initial declarations (NASM):
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
.rdata:0049837C First dd 0 ; DATA XREF: __scrt_common_main_seh(void)+71↑o
.rdata:00498380 dd offset sub_4765AF
.rdata:00498384 dd offset sub_404D91
.rdata:00498388 dd offset sub_404DCB
.rdata:0049838C dd offset sub_404DBF
.rdata:00498390 dd offset sub_404DA7
.rdata:00498394 dd offset sub_404DB3
.rdata:00498398 dd offset mw_setup_stealer_strings
.rdata:0049839C dd offset sub_401190
.rdata:004983A0 dd offset sub_4011E0
.rdata:004983A4 dd offset sub_401381
.rdata:004983A8 dd offset sub_4016C2
.rdata:004983AC dd offset sub_4017E7
.rdata:004983B0 dd offset sub_401887
.rdata:004983B4 dd offset sub_401A17
.rdata:004983B8 dd offset sub_401A67
.rdata:004983BC dd offset sub_401C08
.rdata:004983C0 dd offset sub_401F49
.rdata:004983C4 dd offset sub_40206E
.rdata:004983C8 dd offset sub_40210E
.rdata:004983CC dd offset sub_40229E
.rdata:004983D0 dd offset sub_4022EE
.rdata:004983D4 dd offset sub_40248F
.rdata:004983D8 dd offset sub_4027D0
.rdata:004983DC dd offset sub_4028F5
.rdata:004983E0 dd offset sub_402995
.rdata:004983E4 dd offset sub_402B25
.rdata:004983E8 dd offset sub_402B75
.rdata:004983EC dd offset sub_402D16
.rdata:004983F0 dd offset sub_403057
.rdata:004983F4 dd offset sub_40317C
.rdata:004983F8 dd offset sub_40321C
.rdata:004983FC dd offset sub_4033AC
.rdata:00498400 dd offset sub_4033FC
.rdata:00498404 dd offset sub_40359D
.rdata:00498408 dd offset sub_4038DE
.rdata:0049840C dd offset sub_403A03
.rdata:00498410 dd offset sub_403AA3
.rdata:00498414 dd offset sub_403CFC
.rdata:00498418 dd offset sub_403D75
.rdata:0049841C dd offset sub_403FF8
.rdata:00498420 dd offset sub_404339
.rdata:00498424 dd offset sub_40445E
.rdata:00498428 dd offset sub_4044FE
.rdata:0049842C dd offset sub_40468E
.rdata:00498430 dd offset sub_4046DE
.rdata:00498434 dd offset sub_40487F
.rdata:00498438 dd offset sub_404BC0
.rdata:0049843C dd offset sub_404CE5
.rdata:00498440 dd offset sub_404D85
- Explanation: Each pointer initializes a set of strings/tokens for specific theft categories. This modular setup allows easy updates to target new wallets or browsers.
Encryption/Decryption Routine
CryptBot uses XOR for string and config decryption. Here’s the routine:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
int sub_417AD2()
{
int result; // eax
int v1; // esi
char *v2; // ecx
char *v3; // edi
_BYTE *v4; // ecx
unsigned int v5; // eax
int v6; // ecx
unsigned int v7; // [esp-8h] [ebp-14h]
int v8; // [esp+8h] [ebp-4h]
result = 0;
memset(dword_4BFC80, 0, 0x400u);
if ( a7m1fqxrljy[0] != 9 )
{
v1 = 0;
v2 = a7m1fqxrljy;
dword_4BEFA4 = 0;
v8 = 0;
do
{
v3 = &a7m1fqxrljy[result + 1];
if ( !a7m1fqxrljy[result] )
{
dword_4BFC80[v1] = (int)v2;
v2 = &a7m1fqxrljy[result + 1];
if ( !v1 )
{
if ( !*(_BYTE *)dword_4BFC80[0] )
break;
v7 = 11998 - sub_4746DB((_BYTE *)dword_4BFC80[0]);
v5 = sub_4746DB(v4);
sub_47420E(v6, v5, (int)v3, v7);
result = v8;
v2 = v3;
}
++v1;
}
if ( v1 == 200 || *(v3 - 1) == 9 && *v3 == 9 )
break;
v8 = ++result;
}
while ( result < 12000 );
dword_4BEFA4 = v1;
}
return result;
}
The core XOR function (sub_47420E):
1
2
3
4
5
6
7
void __fastcall sub_47420E(int a1, unsigned int a2, int a3, unsigned int a4)
{
unsigned int i; // esi
for ( i = 0; i < a4; ++i )
*(_BYTE *)(i + a3) ^= *(_BYTE *)(i % a2 + a1);
}
- Renamed for Clarity:
1
2
3
4
5
6
7
void __fastcall mw_xor(int arg_key, unsigned int arg_key_len, int arg_in_out, unsigned int arg_len)
{
unsigned int i; // esi
for ( i = 0; i < arg_len; ++i )
*(_BYTE *)(i + arg_in_out) ^= *(_BYTE *)(i % arg_key_len + arg_key);
}
- Explanation: This is a simple rolling XOR using a key like
7m1fqXrLJy. It decrypts config data, including C2 URLs.
IDA view of the XOR routine:
Config Decryption Example
The key 7m1fqXrLJy is hardcoded. 
Using CyberChef or similar tools:
- Extract encrypted data as hex (e.g.,
5F1945164B775D2938175E064452437606233A56500C45035F281A3C717974025E0D183D). - Convert to UTF-8.
- XOR with key
7m1fqXrLJy.
Result: Decrypted config like http://erniku42.top/gate.php;.Cookie.
Signature for key check:
1
2
B9 00 01 00 00 mov ecx, 100h
80 3D ?? ?? ?? ?? 09 cmp byte ptr a7m1fqxrljy, 9 ; "7m1fqXrLJy"
Note: Keys vary across samples; ?? represents placeholders.
Malware Configuration Extractor
This Python script extracts the encrypted config using PE parsing and XOR decryption. It’s self-contained and works on unpacked samples.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
# CryptBot Configuration Extractor
# This script extracts the encrypted configuration from an unpacked CryptBot malware sample.
# It locates the XOR key and encrypted config data in the .text section of a PE file,
# decrypts the config using the identified key, and outputs the C2 address and settings.
# Dependencies: pefile, re, struct
# Usage: Replace '/tmp/cryptbot.bin' with the path to your malware sample.
# Output: A dictionary containing the C2 URL and key-value settings.
import re
import pefile
import struct
file_data = open('/tmp/cryptbot.bin', 'rb').read()
pe = pefile.PE(data = file_data)
image_base = pe.OPTIONAL_HEADER.ImageBase
text_data = None
for s in pe.sections:
if b'.text' == s.Name[:5]:
text_data = s.get_data()
break
assert text_data is not None
# Regular expressions to match XOR key check instructions
# These patterns look for specific assembly instructions that reference the XOR key
eggs = [
rb'\x80\x3D(....)\x09\xB9\x00\x01\x00\x00',
rb'\xB9\x00\x01\x00\x00\x80\x3D(....)\x09'
]
candidate_offsets = []
for egg in eggs:
for m in re.finditer(egg, text_data, re.DOTALL):
try:
candidate_va = struct.unpack('<I', m.group(1))[0]
candidate_offset = pe.get_offset_from_rva(candidate_va - image_base)
candidate_offsets.append(candidate_offset)
except:
print(f"failed for group {m.group(1)}!")
pass
assert len(candidate_offsets) != 0
def xor_decrypt(data, key):
out = []
for i in range(len(data)):
out.append(data[i] ^ key[i % len(key)])
return bytes(out)
def get_config(data, offset):
key = data[offset:].split(b'\x00')[0]
assert 5 < len(key) < 20
config_data_enc = data[offset + len(key) + 1:]
return xor_decrypt(config_data_enc, key)
config_data = None
for candidate_offset in candidate_offsets:
try:
tmp_config = get_config(file_data, candidate_offset)
if tmp_config[:4] == b'http':
config_data = tmp_config
break
except:
pass
assert config_data is not None
config_array = []
for a in config_data.split(b'\x00'):
if not a.isascii():
break
config_array.append(a)
c2 = config_array[0]
settings = []
for config_entries in config_array[1:]:
for entry in config_entries.split(b'<>\r\n'):
if len(entry) == 0:
continue
settings.append({'key': entry.split(b'<>_<>')[0].decode('utf-8'),'value':entry.split(b'<>_<>')[1].decode('utf-8')})
assert len(settings) != 0
final_config = {'C2':c2, 'Settings':settings}
print(final_config)
- Usage: Replace
/tmp/cryptbot.binwith your sample path. Outputs C2 and settings dictionary. - Explanation: Searches for key signature, extracts and decrypts config. Handles variations in packing.
Running the script on a sample will yield the C2 address and configuration settings used by the malware as the following output:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
{
"C2":"b""http://erniku42.top/gate.php;",
"Settings":[
{
"key":"CookiesEdge",
"value":"false"
},
{
"key":"HistoryEdge",
"value":"false"
},
{
"key":"HistoryFirefox",
"value":"false"
},
{
"key":"EdgeDB",
"value":"true"
},
{
"key":"Edge",
"value":"false"
},
{
"key":"Files",
"value":"false"
},
{
"key":"Opera",
"value":"false"
},
{
"key":"CookiesOpera",
"value":"false"
},
{
"key":"HistoryOpera",
"value":"false"
},
{
"key":"Screenshot",
"value":"true"
},
{
"key":"Chrome",
"value":"false"
},
{
"key":"Info",
"value":"true"
},
{
"key":"HistoryChrome",
"value":"false"
},
{
"key":"ChromeDB",
"value":"true"
},
{
"key":"Wallet",
"value":"true"
},
{
"key":"ChromeExt",
"value":"true"
},
{
"key":"Firefox",
"value":"false"
},
{
"key":"CookiesChrome",
"value":"false"
},
{
"key":"FirefoxDB",
"value":"true"
},
{
"key":"CookiesFirefox",
"value":"false"
},
{
"key":"Desktop",
"value":"true"
},
{
"key":"EdgeExt",
"value":"true"
},
{
"key":"CookiesFile",
"value":"_AllCookies.txt"
},
{
"key":"HistoryFile",
"value":"_AllHistory.txt"
},
{
"key":"NTFS",
"value":"true"
},
{
"key":"Key",
"value":"NkB7vazOVtAR2LZ"
},
{
"key":"DesktopFolder",
"value":"_Desktop"
},
{
"key":"UAC",
"value":"false"
},
{
"key":"ScreenFile",
"value":"$CREEN.PNG"
},
{
"key":"DeleteAfterEnd",
"value":"true"
},
{
"key":"MessageAfterEnd",
"value":"false"
},
{
"key":"FirefoxDBFolder",
"value":"_Firefox"
},
{
"key":"Anti",
"value":"false"
},
{
"key":"EdgeDBFolder",
"value":"_Edge"
},
{
"key":"UserAgent",
"value":""
},
{
"key":"Prefix",
"value":"mrd-"
},
{
"key":"WalletFolder",
"value":"_Wallet"
},
{
"key":"PasswordFile",
"value":"_AllPasswords.txt"
},
{
"key":"ChromeDBFolder",
"value":"_Chrome"
},
{
"key":"ExternalDownload",
"value":"http://ovapfa05.top/unfele.dat"
},
{
"key":"FilesFolder",
"value":"_Files"
},
{
"key":"InfoFile",
"value":"_Information.txt"
}
]
}
Impersonation
An interesting finding: CryptBot impersonates legitimate software from “Dinkumware Ltd” (a C++ library provider) to blend in.
After running YARA (see below), another sample was hit: eeded5f5d006dacd9e2f33ba9fad47332c04b57f621c89731376f51127198345.
YARA Rule
This refined YARA rule detects CryptBot based on characteristic strings for system info collection. It includes more specificity and metadata.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
rule CryptBot {
meta:
description = "Detects CryptBot infostealer based on characteristic strings in its configuration or output"
triage_description = "Identifies CryptBot malware by matching strings related to system information collection, such as UID, UserName, ComputerName, and admin status"
triage_score = 8
author = "0xw43l"
date = "2025-08-15"
reference = "https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/"
hash = "7ccda59528c0151bc9f11b7f25f8291d99bcf541488c009ef14e2a104e6f0c5d"
strings:
$s1 = "UID:" ascii wide
$s2 = "UserName:" ascii wide
$s3 = "ComputerName:" ascii wide
$s4 = "DateTime:" ascii wide
$s5 = "UserAgent:" ascii wide
$s6 = "Keyboard Languages:" ascii wide
$s7 = "Display Resolution:" ascii wide
$s8 = "CPU:" ascii wide
$s9 = "RAM:" ascii wide
$s10 = "GPU:" ascii wide
$s11 = "isGodMod: yes" ascii wide
$s12 = "isGodMod: no" ascii wide
$s13 = "isAdmin: yes" ascii wide
$s14 = "isAdmin: no" ascii wide
$s15 = "Installed software:" ascii wide
$xor_key = "7m1fqXrLJy" ascii // Common XOR key
condition:
uint16(0) == 0x5A4D and // PE header
all of ($s*) or
($xor_key and 10 of ($s*))
}
MITRE ATT&CK
CryptBot aligns with several MITRE ATT&CK techniques. Below is a mapping based on observed behaviors:
| Tactic | Technique ID | Technique Name | Description |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | Distributed via malvertising or fake software downloads. |
| Execution | T1204 | User Execution: Malicious File | Users execute cracked software bundles. |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys | Adds registry entries for persistence. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Checks for admin/God Mode and escalates if possible. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Uses XOR encryption for strings and config. |
| Credential Access | T1555 | Credentials from Password Stores | Steals browser passwords and cookies. |
| Discovery | T1082 | System Information Discovery | Collects UID, CPU, RAM, GPU, etc. |
| Collection | T1113 | Screen Capture | Takes screenshots. |
| Collection | T1056.001 | Input Capture: Keylogging | Captures keystrokes. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Sends data to C2 via HTTP. |
- Sources: Based on analyses from ANY.RUN, AhnLab, and MITRE mappings for infostealers. For full matrix, see MITRE ATT&CK Navigator.
IOCs
The following table consolidates Indicators of Compromise (IOCs) related to CryptBot, PrivateLoader, SmokeLoader, Amadey, Lumma, Stealc, and Redline malware, including file hashes, domains, IP addresses, ASNs, and specific URLs used for command-and-control (C2) or payload delivery. These IOCs can be used for detection, threat hunting, and mitigation in security operations.
| Value | Type | Description |
|---|---|---|
| da7fadc671804e093c7dcad3455a266e77d2c84b641ae037c70004daaa05b897 | SHA-256 | CryptBot – “Channel4.exe” |
| 8874ee4d9c878a6dc7f2681ec36df05cb09c44ccb3be0ec89569f5bdece80519 | SHA-256 | CryptBot – “66dd5fafdeab3_lyla.exe” |
| 2a5dd73271b9eabe63e7aefc5dc2ec01921ffba8bfa7ee278a2180e597c97bf7 | SHA-256 | CryptBot – “Set-up.exe” |
| 319d1dc217b7e83a85dd62cb2c066156ba5579087f11c991a99089606979ca28 | SHA-256 | PrivateLoader payload |
| 7631726b15a0cba30f88268df626df7a053c044efc78f772ade21e879cc7ae58 | SHA-256 | SmokeLoader payload |
| 7b41cabcafca0e5725c874d316f4f5f83561fa571240c0ccdd8b19034282bf41 | SHA-256 | Amadey payload |
| dfdc63994c85f7161e25a26b762835781ce5578c6a5b5c2839324fc7faa591d3 | SHA-256 | Stage2 CryptBot payload DLL |
| dfefcc62121ee76f84d382fc622b61321f149a04a848c8cb987a7bda7ca59941 | SHA-256 | Stage2 CryptBot payload DLL |
| tventyv20sb[.]top | Domain | CryptBot C2 |
| twoxv2sr[.]top | Domain | CryptBot C2 |
| analforeverlovyu[.]top | Domain | CryptBot C2 |
| thirtv13pn[.]top | Domain | CryptBot C2 |
| bdtwo2sb[.]top | Domain | CryptBot C2 |
| neiz19ht[.]top | Domain | CryptBot C2 |
| levz11ht[.]top | Domain | CryptBot C2 |
| fifxv15pn[.]top | Domain | CryptBot C2 |
| fivevd5ht[.]top | Domain | CryptBot C2 |
| sevtvd17ht[.]top | Domain | CryptBot C2 |
| rxeight8ht[.]top | Domain | CryptBot C2 |
| salvatiiywo[.]shop | Domain | Lumma C2 |
| ignoracndwko[.]shop | Domain | Lumma C2 |
| preachstrwnwjw[.]shop | Domain | Lumma C2 |
| complainnykso[.]shop | Domain | Lumma C2 |
| basedsymsotp[.]shop | Domain | Lumma C2 |
| charistmatwio[.]shop | Domain | Lumma C2 |
| grassemenwji[.]shop | Domain | Lumma C2 |
| stitchmiscpaew[.]shop | Domain | Lumma C2 |
| commisionipwn[.]shop | Domain | Lumma C2 |
| epohe[.]ru | Domain | SmokeLoader C2 |
| olihonols.in[.]net | Domain | SmokeLoader C2 |
| nicetolosv[.]xyz | Domain | SmokeLoader C2 |
| jftolsa[.]ws | Domain | SmokeLoader C2 |
| download-rarfree[.]com | Domain | Redirecting to CryptBot payloads |
| rar-uploader[.]com | Domain | Redirecting to CryptBot payloads |
| economartbd[.]com | Domain | Redirecting to CryptBot payloads |
| rarz-uploader[.]com | Domain | Redirecting to CryptBot payloads |
| adsbell[.]com | Domain | Redirecting to CryptBot payloads |
| voiceofchangeinternational[.]com | Domain | Redirecting to CryptBot payloads |
| rar-freeload[.]com | Domain | Redirecting to CryptBot payloads |
| rars-freeload[.]com | Domain | Redirecting to CryptBot payloads |
| download-rarsfree[.]com | Domain | Redirecting to CryptBot payloads |
| rarzload-official[.]com | Domain | Redirecting to CryptBot payloads |
| Chuanpupu[.]com | Domain | Redirecting to CryptBot payloads |
| techjbc[.]xyz | Domain | Redirecting to CryptBot payloads |
| papiblendz[.]com | Domain | Redirecting to CryptBot payloads |
| sarahmakesitbetter[.]com | Domain | Redirecting to CryptBot payloads |
| rivistablog[.]com | Domain | Redirecting to CryptBot payloads |
| anotherconversation[.]com | Domain | Redirecting to CryptBot payloads |
| super6-star[.]buzz | Domain | Redirecting to CryptBot payloads |
| bluelineagenciamentodecargas[.]com | Domain | Redirecting to CryptBot payloads |
| peace-motion[.]buzz | Domain | Redirecting to CryptBot payloads |
| 131ldvip[.]com | Domain | Redirecting to CryptBot payloads |
| onlineofficetutorials[.]com | Domain | Redirecting to CryptBot payloads |
| puntext[.]com | Domain | Redirecting to CryptBot payloads |
| free4pc[.]shop | Domain | Redirecting to CryptBot payloads |
| allgetintopcc[.]cfd | Domain | Redirecting to CryptBot payloads |
| techjbc[.]cfd | Domain | Redirecting to CryptBot payloads |
| sultanisback[.]pro | Domain | Redirecting to CryptBot payloads |
| filemirrormegaz[.]shop | Domain | Redirecting to CryptBot payloads |
| uznhmij5kr2307244[.]click | Domain | Redirecting to CryptBot payloads |
| afrdrctf[.]com | Domain | Redirecting to CryptBot payloads |
| up4pc[.]com | Domain | Offering fake cracked software |
| driver-booster-key[.]com | Domain | Offering fake cracked software |
| securecracked[.]info | Domain | Offering fake cracked software |
| filecrr[.]org | Domain | Offering fake cracked software |
| soft98[.]org | Domain | Offering fake cracked software |
| haxpc[.]net | Domain | Offering fake cracked software |
| muzamilpc[.]com | Domain | Offering fake cracked software |
| alphasofts[.]net | Domain | Offering fake cracked software |
| preactivated[.]net | Domain | Offering fake cracked software |
| mycrackfree[.]com | Domain | Offering fake cracked software |
| drapk[.]net | Domain | Offering fake cracked software |
| rgames31[.]com | Domain | Offering fake cracked software |
| windows-7-activator[.]com | Domain | Offering fake cracked software |
| modcrack[.]net | Domain | Offering fake cracked software |
| office-activator[.]com | Domain | Offering fake cracked software |
| official-kmspico[.]com | Domain | Offering fake cracked software |
| kmspico[.]ws | Domain | Offering fake cracked software |
| kmspicoofficial[.]com | Domain | Offering fake cracked software |
| windows4pc[.]com | Domain | Offering fake cracked software |
| windowsprodcutkey[.]com | Domain | Offering fake cracked software |
| activationkeysfree[.]org | Domain | Offering fake cracked software |
| serialhax[.]org | Domain | Offering fake cracked software |
| bcrack[.]org | Domain | Offering fake cracked software |
| crack4tech[.]org | Domain | Offering fake cracked software |
| crackedaxe[.]com | Domain | Offering fake cracked software |
| crackingcity[.]org | Domain | Offering fake cracked software |
| crackspc[.]net | Domain | Offering fake cracked software |
| fileserialkey[.]net | Domain | Offering fake cracked software |
| fullycracksoft[.]com | Domain | Offering fake cracked software |
| ifree4pc[.]net | Domain | Offering fake cracked software |
| productkeysfree[.]org | Domain | Offering fake cracked software |
| tech4pc[.]org | Domain | Offering fake cracked software |
| winows4pc[.]com | Domain | Offering fake cracked software |
| 4mirrorpc[.]net | Domain | Offering fake cracked software |
| drfiles[.]net | Domain | Offering fake cracked software |
| haxacademy[.]net | Domain | Offering fake cracked software |
| crackfullpc[.]org | Domain | Offering fake cracked software |
| crackmacs[.]org | Domain | Offering fake cracked software |
| crackmarkets[.]com | Domain | Offering fake cracked software |
| pesktop[.]org | Domain | Offering fake cracked software |
| crackpcsoft[.]org | Domain | Offering fake cracked software |
| crackdownloads[.]org | Domain | Offering fake cracked software |
| iup4pc[.]net | Domain | Offering fake cracked software |
| crackingpc[.]net | Domain | Offering fake cracked software |
| downloadvst[.]com | Domain | Offering fake cracked software |
| licensedfull[.]com | Domain | Offering fake cracked software |
| vstcrackpc[.]com | Domain | Offering fake cracked software |
| vstpropc[.]com | Domain | Offering fake cracked software |
| vstdownload[.]org | Domain | Offering fake cracked software |
| activationskey[.]com | Domain | Offering fake cracked software |
| allmacworld[.]net | Domain | Offering fake cracked software |
| cracked-minecraft[.]com | Domain | Offering fake cracked software |
| crackedvpn[.]com | Domain | Offering fake cracked software |
| crackfix[.]net | Domain | Offering fake cracked software |
| crackfullkeys[.]com | Domain | Offering fake cracked software |
| crackfullpc[.]net | Domain | Offering fake cracked software |
| cracksecure[.]com | Domain | Offering fake cracked software |
| cracksoftpro[.]com | Domain | Offering fake cracked software |
| crackswatch[.]com | Domain | Offering fake cracked software |
| crackvstpc[.]com | Domain | Offering fake cracked software |
| downloadworld[.]org | Domain | Offering fake cracked software |
| fullidmcrack[.]com | Domain | Offering fake cracked software |
| fullproductkeys[.]com | Domain | Offering fake cracked software |
| idmfreedownload[.]net | Domain | Offering fake cracked software |
| idmfullcrack[.]info | Domain | Offering fake cracked software |
| idmpatchdownload[.]com | Domain | Offering fake cracked software |
| idmpatched[.]com | Domain | Offering fake cracked software |
| idmpc[.]co | Domain | Offering fake cracked software |
| igetintopc[.]com[.]pk | Domain | Offering fake cracked software |
| kanjupc[.]com | Domain | Offering fake cracked software |
| keyproductkey[.]com | Domain | Offering fake cracked software |
| licensekey[.]cc | Domain | Offering fake cracked software |
| macsoftkey[.]com | Domain | Offering fake cracked software |
| naveedcrack[.]com | Domain | Offering fake cracked software |
| office4pc[.]com | Domain | Offering fake cracked software |
| pc4download[.]com | Domain | Offering fake cracked software |
| pcbank[.]org | Domain | Offering fake cracked software |
| pccrack[.]org | Domain | Offering fake cracked software |
| pcdrives[.]org | Domain | Offering fake cracked software |
| pcexe[.]net | Domain | Offering fake cracked software |
| pcsoftcrack[.]net | Domain | Offering fake cracked software |
| pdffree[.]net | Domain | Offering fake cracked software |
| pluginstorrent[.]net | Domain | Offering fake cracked software |
| premiumpc[.]net | Domain | Offering fake cracked software |
| premiumpc[.]org | Domain | Offering fake cracked software |
| procracked[.]org | Domain | Offering fake cracked software |
| procrackwin[.]com | Domain | Offering fake cracked software |
| productkeycrack[.]com | Domain | Offering fake cracked software |
| productkeyspc[.]com | Domain | Offering fake cracked software |
| productskey[.]org | Domain | Offering fake cracked software |
| prolicensefree[.]com | Domain | Offering fake cracked software |
| proserialcrack[.]com | Domain | Offering fake cracked software |
| proserialfree[.]com | Domain | Offering fake cracked software |
| provstpc[.]com | Domain | Offering fake cracked software |
| pubgcrack[.]net | Domain | Offering fake cracked software |
| rootcracks[.]com | Domain | Offering fake cracked software |
| sadeempc[.]info | Domain | Offering fake cracked software |
| securecracked[.]info | Domain | Offering fake cracked software |
| seriakkeyforfree[.]com | Domain | Offering fake cracked software |
| softsmac[.]net | Domain | Offering fake cracked software |
| softwarein1[.]com | Domain | Offering fake cracked software |
| softwarekeep[.]info | Domain | Offering fake cracked software |
| starcracked[.]net | Domain | Offering fake cracked software |
| startcrack[.]info | Domain | Offering fake cracked software |
| topfullcrack[.]com | Domain | Offering fake cracked software |
| topfullkeys[.]com | Domain | Offering fake cracked software |
| torrent4pc[.]com | Domain | Offering fake cracked software |
| torrentpc[.]org | Domain | Offering fake cracked software |
| vst4cracked[.]com | Domain | Offering fake cracked software |
| vst4pc[.]com | Domain | Offering fake cracked software |
| vstfree[.]org | Domain | Offering fake cracked software |
| vstfreedownload[.]com | Domain | Offering fake cracked software |
| vstfullpc[.]com | Domain | Offering fake cracked software |
| vstpc[.]com | Domain | Offering fake cracked software |
| vstpluginsdownload[.]org | Domain | Offering fake cracked software |
| vstzip[.]com | Domain | Offering fake cracked software |
| wincrackbox[.]com | Domain | Offering fake cracked software |
| soft-got[.]org | Domain | Offering fake cracked software |
| 185.244.181[.]38 | IPv4 | CryptBot C2 |
| 81.94.159[.]120 | IPv4 | CryptBot C2 |
| 103.130.147[.]211 | IPv4 | Hosting malwares |
| 147.45.44[.]104 | IPv4 | Hosting malwares - Operated by PrivateLoader |
| 31.41.244[.]9 | IPv4 | Hosting malwares - Operated by PrivateLoader |
| 176.111.174[.]109 | IPv4 | Hosting malwares - Operated by PrivateLoader |
| 147.45.47[.]169 | IPv4 | PrivateLoader C2 |
| 212.113.116[.]202 | IPv4 | PrivateLoader C2 |
| 62.133.61[.]172 | IPv4 | PrivateLoader C2 |
| 45.91.200[.]135 | IPv4 | PrivateLoader C2 |
| 92.246.139[.]82 | IPv4 | PrivateLoader C2 |
| 185.215.113[.]16 | IPv4 | Amadey C2 |
| 185.215.113[.]19 | IPv4 | Amadey C2 |
| 185.215.113[.]17 | IPv4 | Stealc C2 |
| 91.202.233[.]158 | IPv4 | Stealc C2 |
| 185.215.113[.]67 | IPv4 | Redline C2 |
| 65.21.18[.]51 | IPv4 | Redline C2 |
| 215789 | ASN | “Karina Rashkoska” |
| 214927 | ASN | “PSB HOSTING LTD” |
| 210644 | ASN | “Aeza International Ltd” |
| 216246 | ASN | “Aeza Group Ltd.” |
| 51381 | ASN | “1337TEAM LIMITED” |
| 60424 | ASN | “1337TEAM LIMITED” |
| 56873 | ASN | “1337TEAM LIMITED” |
| 39770 | ASN | “1337TEAM LIMITED” |
| 200593 | ASN | “PROSPERO OOO” |
URLs
The following URLs are associated with CryptBot C2 or payload delivery:
- http://home.eightji8ht.top/KTGbGvOSGlkPaQeuKdDL1572982449
- http://home.eightjo8sr.top/aCrmSMJLJEOsinOjzktg1889307302
- http://home.eightjo8vt.top/APWuDeoyrwjlLWFqpzlR1427917304
- http://home.eightjo8vt.top/GZAiWBsUWZXSjptiVgki1273022183
- http://home.eightjp8ht.top/FlchnxzGeSIHRPHPeYBm1318897305
- http://home.eightjp8vs.top/GyoNxLolJLOIDEEeLXwl1239497306
- http://home.eightjp8vs.top/feCIlgpoToBMdGHZfMGS1673054910
- http://home.eleja11sb.top/sSWxMfiKsjZhqgwqlqVX1737823123
- http://home.elevji11ht.top/XmQBHJYvyxRHnDxzxNoj124497298
- http://home.fiveji5ht.top/KlekgDAXLoeekVhmYBHz1732002979
- http://home.fiveji5ht.top/daxtYswdSfyAXDsFwHuK1726572986
- http://home.fiveji5ht.top/sYxNRoYrKJVZJBDMKRQb1729750322
- http://home.fiveji5vs.top/nGdZCFwukcqnsrEfVnqT1732922995
- http://home.fiveji5vt.top/NEpdjvSGIHCSlQWulCHt1776642968
- http://home.fivejo5sr.top/JNzvTWFWHwIXwNBdDJiw1743043030
- http://home.fivejo5sr.top/bTMlLHJsULflKiuhSKNo1745983026
- http://home.fivejo5vt.top/WTAjeFpNiEIhCJndAXAf1714163020
- http://home.fivejo5vt.top/bLeFEuIyIOOFgvRzlwsw1730462437
- http://home.fivejo5vt.top/jQDBoCTTJMoxHduEQtVi1718333022
- http://home.fivejo5vt.top/zViguzTHOAJchzMFSLOa1730123672
- http://home.fivejp5vs.top/WMIfiIbwGZlEzunsPmAm1791043054
- http://home.fivejp5vs.top/gEHGWhRNbwRFXwunSKCi1794913063
- http://home.fivjp5vt.top/GpXJRdeQulqmvESjfFlL1730790181
- http://home.fivjp5vt.top/MzxdLTzahBhrwcHfikEE1730826262
- http://home.forjh4ht.top/wGcuvRVzmafViJJtVGWe1729706625
- http://home.forji14vs.top/SRmkbXbtICjnsFSsyIIU1719933008
- http://home.forji14vs.top/vLzEmBxYDkDWwAHlJbwm1756532992
- http://home.forjo14vt.top/vZEhEBivXldclXHuMstz1714163020
- http://home.forpz4ht.top/cQOBChluQKBYyXAKOlUj1729771262
- http://home.neinja9ht.top/LQEGldMWvlStBQQIEVyV1797523097
- http://home.neinja9ht.top/xplvzowOfiYMuqANrGoq1730957812
- http://home.neinjo9vt.top/TCEdaQJXYbawpvRtmzAl1724603017
- http://home.neinjo9vt.top/fcOoKJiqkEdEfaSKlDpf1730221830
- http://home.neinjp9sr.top/VQZWuwklsiAqwKSHENhk1730865247
- http://home.ninjo19vs.top/kbrGrXsSXkmNPHYxWled1730607975
- http://home.oneji1vt.top/yYwXoctNQsNlxniaRRXW1729687663
- http://home.onejo1vs.top/VlQbIzlsEdAqLBFZBoYY1734910639
- http://home.onejo1vs.top/rwucRRJvgOJMYBxNQZTH1731060549
- http://home.onejo1vt.top/TgyonuAhQqHmRNCTtLXO1730221831
- http://home.onejo1vt.top/VBkFCJscNZobpQzbgGkx1736750123
- http://home.onejo1vt.top/pgpVedqwyWTKdnDvLton1739150427
- http://home.onejp1ht.top/EydgSnlRvnipiEFgnals1733640997
- http://home.onejp1ht.top/wjfslbMBCTjPKLMdHjMB1739381071
- http://home.onejp1vt.top/WVWXLEBFUCjXpjDFcYnq1730826262
- http://home.sevja17sb.top/LMiwiyYekyuSDTCvLbPv1765833112
- http://home.sevja17sb.top/ZsSuJntZcwEFCFkTKSrm1784413120
- http://home.sevjoi17ht.top/RZveVhltLlnLSesEiEKb1573051889
- http://home.sevjoi17sr.top/TCQEoezkVqyvrJjqBhZs1204307303
- http://home.sevjoi17vt.top/FhmmyqGhAphHaXwiJfvm1273042791
- http://home.sevjoi17vt.top/cZQSdrLXfSobDdFnqveX1701417302
- http://home.sevjp17vt.top/UDnaUWBbCguivjcJTAFI1730790183
- http://home.sevtji17vt.top/AtMFEEDPmrFgjjlYWVjB1487667296
- http://home.sivji6ht.top/nQOeaKPXEODJmfbxNDgw1726939767
- http://home.sivjo6vt.top/NkVbPqNMrXCEggsfRWGb1734600172
- http://home.sivjo6vt.top/RLcrqDvFJmGzdgZTXBGX1734380462
- http://home.sivjo6vt.top/ltLNFctqJMohaGeCvuMv1738320221
- http://home.sivjp6ht.top/lBxeEWboCtkXsZBdYMeP1738950518
- http://home.sixjp6sr.top/jtrLzFxhLfniIyrmfEOG1737810904
- http://home.sixtlm16ht.top/nbGcgYkZqJUuAbjyAxww1567697297
- http://home.sixtlm16sr.top/TGHTqHPiFFfksEXbQHwc1509887296
- http://home.tenja10ht.top/IGVMsWdjbQifeqDGdLik1778133095
- http://home.tenji10ht.top/MVPXmuUIFAQLfQdTpqGi1776942976
- http://home.tenjo10ht.top/FXpkGDyUTRqQxEvMSiPD1764033034
- http://home.tenjo10vt.top/paKURpJFxJCnukXyqZrN1779133042
- http://home.tenjp10vs.top/SFyYktVKDQBaqLympWfA1794923063
- http://home.thirtji13ht.top/MwOBqdodAGbyXMofAyrU5986261729
- http://home.thirtjo13sr.top/bYcMGmpHJcbGkomonWsU0126461730
- http://home.thirtjo13vt.top/FMmMtBkQtjnpYGvmAcfX3322181730
- http://home.thirtjo13vt.top/rvAMJqturkAmDaZoTnSo7412361730
- http://home.thirtjo13vt.top/xaDSPDgkqKmDlPNoQLbs1617302014
- http://home.tventji20ht.top/axNhXgnGYoPSgajZFkaQ5917298626
- http://home.tventji20vs.top/NWYJPzCYEvZpxoyKvBIK9295321729
- http://home.tventjo20sr.top/pLDNcrnQYnSceQqdUDvf0117302646
- http://home.tventjo20vs.top/SOMOJyZWYBxdybbmZeaW1270101730
- http://home.tventjo20vs.top/lwRwtEGztSQcWvXoArFS9063941730
- http://home.tventjo20vt.top/FjnNAcVhtuMKyKxfgwGc3022181730
- http://home.tventjo20vt.top/fExmNYmMwsMkeOPpBLzG1620141730
- http://home.tventjo20vt.top/ztcbHfsrgDVbKwvjMmcq7417301236
- http://home.tventjp20vt.top/julfUeXzXwHcgsxxhkmr6282621730
- http://home.twelja12sb.top/JLEncoVUzpBxNKNLrTYV1908437312
- http://home.twelja12sb.top/xKCOYZtRPmSqQvpgghZS1526587311
- http://home.twelji12ht.top/OsLGYXbzmZdjCMhTnuGb1972979319
- http://home.twelji12ht.top/VqfNYMmqQHyFNagmJCit1767697297
- http://home.twelji12ht.top/wUjNbZBIqtyGhfPTmpke1862657298
- http://home.twelji12vs.top/YKVZcYkIJkgPraRfOHBr1173008199
- http://home.twelji12vs.top/flyGQWUPyIQmXYOpcFMz1866977299
- http://home.twelji12vs.top/nXZUoCnprUWelKqFYScP1053297299
- http://home.tweljo12ht.top/SHfUuTYBULkoesjZJfWj1573051889
- http://home.tweljo12sr.top/AoVYhzVxzHmClkVkBHzK1964597302
- http://home.tweljo12sr.top/GDHlEMZKhUWZBxtHkRwh1573028930
- http://home.tweljo12sr.top/UPMCpUyoKEyLghAHklgZ1473030430
- http://home.tweljo12vs.top/GGjrrjEDEWQrYYIQCiSz1549107305
- http://home.tweljo12vs.top/awDRkLatDdHoLFjLkaTk1173065362
- http://home.tweljo12vt.top/GEZFdXtInPnroqnCxvvX1223677301
- http://home.tweljo12vt.top/OSVrAwHTMqXZwPLPhTMW1773013581
- http://home.tweljo12vt.top/UrZpabYUoOYCIETTggQp1273022183
- http://home.tweljp12ht.top/HoQpbeizPhmxJmnjugER1397367309
- http://home.tweljp12ht.top/QPoNBSMGOKYXiKKSXopP1257817309
- http://home.tweljp12ht.top/gwWsuyjcKfHgnGByabIj1771937310
- http://home.tweljp12ht.top/nQVpoVTlTakzyXMzpriM1279757309
- http://home.tweljp12vt.top/TLkmyWUrcoKSfuQMaKSm1173082626
- http://home.tweljp12vt.top/VszWEchGCZleshrQkPDo1986927307
Sample Files (Downloader SHA-256 Hashes)
The following is a list of downloader samples associated with CryptBot and related malware:
- 001ba21803795a450eac7e26fd14a1ae2ef32a5bad5e30b4dd765aad0e5ce7fe
- 01eff957b996465538f0e6a79791b1e7e551c2cb2d0e5c259bdc4ae3b13f48d6
- 02c7c64a8e5e65f6cd16f32bb9b1a4ac975b7479ffff638a2bb085b13825cab5
- 03e37248166df72e91aeb9640513d5a53ec449da4441af43263b447dbd38408b
- 051084d7828f88b80d0ae27fdd3c4baebba7fc82a916f8e7ce6376daf548cc20
- 08be4b7219442aadc19810463457dbd7bab6699f4de6e4dc00617d3429bd5b8c
- 0ad7e833d526131900916008913dec998360ee6d1a9aacf3997602e1cfc1c3e3
- 0f0c0fd81a7f69e33f27f920d639b4aa79c13a74f49231a756f41c3e94f206ab
- 1038bd204447881ed29e44f2288512d14745ad4a9acb1f9c26fbf388f002f9b8
- 12fa7b47d20f0f21ffeb0981eec1d017f377c9539a4d3ad3fca57897c6f5dfdf
- 14fcb1e15c8aae420a36ca53373b062b388605409cf3823642f217643126f07c
- 15b29945c813d2270d4a690719f319e79cda70c1cec2081cba3f05e80b3a549f
- 166421573e82a6a9ba03c7d10167bdb209fd4197305a719ab78b4c2918d69084
- 175957c7b7548858c963338e402325ae2bb249f7cd08d23c3e373b32a68d3b19
- 18b9b073f44dc79731988397997f8875aaf0025f17f89300ca16205b17c0ea35
- 199c28e2ac8b8cf866190c0733c9c010815b86e1eb842f3a9cfa43a73e05491d
- 1d346dcbb0a210552c6da5b8fe300c872b04b8aab052803baeb9f99d9062ad72
- 1f14b8a84d6052e40f434e310716c6a19b5604e194fb3a220d6f156a0cf4a7ff
- 23e7abfa4bbbaf8a8ff8afe139dd1874c4d1aba4826fc462da718ea2147c8c95
- 25e4f9e539d7e0461c55d4b4fa178c1cbb06760139e360da65648d777f118ca0
- 27b7915bbef99f765bee8aaa35f232a488c63138e7c0941da9a27d0057c92af6
- 2b1f016f12fef7124ea7c9898622e650e53814f2d5ff4d76fa712c3e591f9a7f
- 2bf5e06148f88f0ac9a1a33c9fc5b63b7ce65272fa4a234360600732df185007
- 30999b396ce17abf02b7bfb537222186a87c1554a1b9521bfb39dbee45a30288
- 30f0d55b444e180378dfa467bf13b5067b8faba7bc950b4765bb7dbc44ce3ce4
- 32eefa7f0b2893364c0de189b0c8a509ade84a07a463d6a1802c218f0dbb5817
- 332c1b9ad302388edf687fa6a4d8d5ca59dc609aac9215f8d5d8e659af6c615b
- 340d2dc26004646c86973f257b27d0d79491b652b02cc97f9149538cc2b65691
- 362f40028c50b3f13ea8e3ad2096e94ae325a53306d71263e4468101addf765e
- 3668b6e8b80edd909860784c326609470a1655c029dc797dbdceea92a81c83b2
- 3a378046ce52ea095ce8c5ec6aacabb98d73034fbe208dd298cdc75ad3dcfe8e
- 3accb1c82e64cdfce5d0aacd0093f71727575db426f75b77b6c98869c478ec27
- 465a1cefe61446110cc521d376651a5074fb87295da5fd64bd74fd25cbab669b
- 46c168c3108b54ca7f1495182e64b34b4470e8d383781a83a693ec6e6a7725ff
- 4b53e0fdcd937d34cf27f9938a30b977c1f64b5c954e1dc3225aaf4e7ce908ce
- 4b81371832a31aa1b9a3f4caf3da072dbadc9793dc92d90ba3ea89c8ba7dd17e
- 4cd6901726e36bcb39b33343f44a2facb79cfc8bee33e236ff2f603c01bd21a2
- 4ea653d806dd43b18c85cb0642fdaa92028e04864878c8ecb5c08cbe6eb98d61
- 5059ef43cacdc5bb03eb52112084059b3fa3c9f75179e52a9e8814f3c91e6a7f
- 51032e46bebfd6ed04fcc938f5cde48f26df6a0ec48d2b58d31e748c2d87222f
- 53b55b87c5329665f417c43fa8b44e7054183ab13714fd575f4ec73c1576d8d7
- 5ba2ca4455a95b2260a81b6e857735aa697146720db7d15508b69583feb4587d
- 5ea5c9b7b4b7f23b114533a39414f1eac9e6bfd4c1b87786c3840d1f7b6cdf0d
- 5f8d854a6883175c03086c4dfc5d9c8c797facbff6598b41b837f0945d8f1d1c
- 60003b32e48d426f486a0763229dc589ba64a4ca12adfe061732b3497df0930d
- 6008dc1e6448d5f98981eceeb428f0f8eb5ca5d01315073e7751f6812e64b887
- 606df073790843307f1e2cd1455b947a933def47e8a57b7df62f4a0d5e52a26b
- 61a6d4566575e72452bd3304822330f9d2f72accc4dbba11be4748618101fd63
- 6496ed3876803016bf5fb2018c13d9b4f2a7c44253774ebc7c7c36c0e5df7852
- 65841cfa9f5436f51683d7c359e8f2db9dd66723e6c875c6f5fc67d7b1358689
- 6813d84987f1ac92fb6b5d7a9f8ddf26424f44a55022cf9fc5563362c225d8b8
- 690d584a6a58a1e051ab1c0d3c92a3ebbd756125005be6b9ca31c870e801ce90
- 6a0120bf645d3c65aaadf28db313647e773da4d8be6d440f95e3ef3e020f95ce
- 6cb9ea7e7b8f9642e1effb00c75397dbcfe04291c3c61b1561786e46773f3fc2
- 724f947ba0d0b93369f1df6a55fe722889adff5a6f5922d7ab35389feeed13e6
- 73befffc90b6411e42b25b92b4860c8142c82232ff0fb8c247597d0bc09efdbd
- 75328c047ffd60f0ef0f461e8efd11b33f296b8229b9917846ee0a10679a3108
- 76273d86538a5a5ead5ffdae2fcad8d29ae93d736b1f3df1475da71c6a328c7b
- 7ce85df273257bb57c122c1bdceeebe59c16bd8629eff5ad494fb8c387ed7c8a
- 8003fd73d5681b78365343e95c96bf7289fbb66ad2e22673099f4ab4e947270f
- 80c8797268cb88f5bef1791ccc88b62288763a27528709886e55175b9bd94487
- 8350cb907603e05218052fde1fda489957f768aa49dc6ff122a6471d42101aaf
- 862331ec037b258171f1d9a5ff7ba0dd92cc82fab9c130513e4bab50821184e3
- 8682c6f437d339cb9b438cd76f93766dba9ff7db8e9b6ed5103e52d16e93f51f
- 895d6d80e1b7b5ae2745bd7c7d29c9ad3740a4aea90e3ee5035f60ae91ed7c18
- 8af6d1cf38790da6c8205c4cfa20d43e79aebde03571bd881379d1fbbf13f07b
- 8c209705b91becbc186f2aafd2b8dbdffe1b78f0c765ff4d62e9fd7be52c926a
- 8c81a5f325bacafc6094e8d31881ff27de9ecdbcd1c20d67f1e298be09be2ee7
- 8f9fb0dbcf09f7b0a2838323c55a4cb3ce5ebd29230b9afc65cc6e23eb57d107
- 91c3092bc46c0b23b39d0cc10ddeee1b0008d0a12aed25791ed322ef7bc10792
- 9415e13f69bce584aa0e94ba833d689f892d27960f6b6b353f439e4aee32b1aa
- 983d11c7f6d115e3938ebc92b1ade92ea247c44632b3330af256693c2641cb99
- 9b827d471a9e2bd4249aa1cfb80721b97316334fd5aecbc5e2d4296e1c088a12
- 9c45c5456167f65156faa1313ad8bbaffb8aa375669bf756fe0273580a621494
- 9e8de744db5b8cd794226a4df549804f2dcd0f235d035e89305ca093dc3936c2
- a175dbaa581c7064effea9150163c84d5e6e12f975103c31dc13caeb85b62e47
- a2490d03cf08a0cc48030c915a1d6f17a7f755edf84f825df7ae752a358d8837
- a442c37a225f1417da4e67d87d44eb95cb90198f146f09fc4d2da1f716866866
- a55616e2551ae292c035fdb2ceba08327464394e6ec115c424f0e4340a50634d
- a725a1282151b3d66b12e29c116980c7837ae3829682914cf920e0b4520808e7
- aa7c16c9b06e1bc8012e1865a3fa18dd8f43b56c133649fb7ef25400fecea920
- ac94431fdba78b69ba481a37c56e4d067eb26844b64603e946ac402ef344ba4d
- b4222cd9bfbe897a10395414da0f744e223aba7c3ffeee68f03dbd167835c3cb
- b6e865ee7366584424eee3c120bfa7e510fdd1ddd85bd6e59aef57546be13dbd
- b7439cb886010a0f42601044ff3b1ff2cd11873a6e16b6682cba31e052f5865d
- bc417517a6b5949226151ed2dc3b398051fabe68c7c1b1ad92279e6425761962
- bd309518a3159b042d5f766c6159afbad5b18d8c6058d3a20773899a18314b21
- bdd3db5c703b69a6e146f1475d611468ec92053cc25c1b8bd256a56ae1624eb0
- be232e6678efb17e42750a84a60d69ebe71b0bff28e028a375559499782a66b7
- c297513faa34104fe812a1e59d0f98fb6fe741d2ddb2fc424dce33ee175a8c7e
- c332f3148d35b98d5b9aebb25f7642bf2315476edf8640f4e49a04bff7ef1992
- c7049f22ae5ea4adfba9a137ee331874fee567dcfca6ef04cddbd520d7b00ece
- cafb2d43814edf00a88b69ef44a0cdd7f8217b05132638bfe62a633b021be963
- ce3b09833cb88e8dda668604a50dee535f3ab3f9edc258e2a2f389064065d1b9
- cf374b923e49a731b035faae8fb0756e71d8377dc4b584fc51595320b1e5bc23
- d132b6b606284363684e9ed72fa516c751c5a5447a7af78b803b368a68e1319b
- d441fadd2e5dfbf526802b611391a7433578c8b507757bd606f873dde76ba290
- d539ced1656cbeda5fb3c9fa7a7dd15d379543877921fb6b988fe1ff0e5cb65a
- d8a7d38189c1b552ba07b3c12536c9cb9f7291161180937c08d28c736e3a84bc
- dcc3e88eabf7700facf18c6f905d21c1450e38f17190d38afabfb5aede2d2aab
- de0461d80b3a5986cd7a290620f4e1096b86a80ecb72e5033af944a0a368e374
- e0366f1f6d7d396f6ef06b8398f9d899c94757449ee32b45ff855d77d1442256
- e10a1bde9ed99785982416b20443e1c9387375876cf21887f6470f32d29eeac6
- e597f985a19237355dd489fa6eb95fdcb22b6d1a5125574aceb1c82e42057e72
- e5a9c5284062d9862dba21c860b32d6f58559175af193c052d0d968a17336d98
- f0f57933cba2b43988458cab4e386e4949902c23df723a97eb8da53bd8d4a49d
- f2c4f0c152acbb4a8e575e6095fc84b6df932e114c4f2a32a69d1ed19c1a55f7
- f4c3fecde4a9a5557fe1eca14b6b051aeb3c282780d51163ad4e11ef32454d20
- f89b07f4043c0bccd8537ed6a24f15932b9f70cc10743e022487bee62c075f98
- fa0aefa912e04ffcb1895e917d24372816c9da6f827b36079eaa115a0349dc0a
- faf630469655fcddb34a6bb2f24a5857bd36fd463760fe7643dbeb3f080b9a72
- fba6378aaf31225825c21cc7b06e1e8a408102bdba7a18a1b3d84b23cfe08018
- fbcf1356f2c11fe73efe69c1eba77a62ae742c935f3232dbed77657408a06933
References
- https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/
- https://malwarehunters.org/infographics/malware%3Dcryptbot/
- https://www.unpac.me/results/008a502c-9308-4cea-b2b1-1bdce7f01b7b#/
- https://research.openanalysis.net/cryptbot/botnet/yara/config/2023/03/16/cryptbot.html
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot
- https://asec.ahnlab.com/en/26052/
- https://www.darktrace.com/blog/cryptbot-how-darktrace-foiled-a-fast-moving-information-stealer-in-just-2-seconds
- https://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/
- https://www.intrinsec.com/wp-content/uploads/2024/12/TLP-CLEAR-CryptBot-Hunting-for-intial-access-vectors.pdf
- https://attack.mitre.org/
This post is licensed under CC BY 4.0 by the author.