SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cryptbot (Back to overview)

CryptBot

VTCollection    

A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.

References
2023-04-26United States District Court (Southern District of New York)Google
CryptBot complaint against Zubair Saeed, Raheel Arshad and Mohammad Rasheed Siddiqui
CryptBot
2023-04-13GoogleGoogle Threat Analysis Group, Mike Trinh, Pierre-Marc Bureau
Continuing our work to hold cybercriminal ecosystems accountable
CryptBot
2023-03-16OALabsSergei Frankoff
CryptBot
CryptBot
2023-01-26ANY.RUNANY.RUN
CryptBot Infostealer: Malware Analysis
CryptBot
2022-08-08Medium CSIS TechblogBenoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-06-28AhnLabASEC
New Info-stealer Disguised as Crack Being Distributed
ClipBanker CryptBot Raccoon RedLine Stealer
2022-06-02MandiantMandiant
TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot
2022-03-16FR3D.HKFred HK
CryptBot - Too good to be true
CryptBot
2022-03-10BlackberryThe BlackBerry Research & Intelligence Team
Threat Thursday: CryptBot Infostealer Masquerades as Cracked Software
CryptBot
2022-02-21Bleeping ComputerBill Toulas
Revamped CryptBot malware spread by pirated software sites
CryptBot
2022-02-21AhnLabAhnLab ASEC Analysis Team
Modified CryptBot Infostealer Being Distributed
CryptBot
2022-02-18AhnLabASEC Analysis Team
PseudoManuscrypt Being Distributed in the Same Method as Cryptbot
CryptBot PseudoManuscrypt
2021-12-06MandiantAshraf Abdalhalim, Ben Read, Doug Bienstock, Gabriella Roncone, Jonathan Leathery, Josh Madeley, Juraj Sucik, Luis Rocha, Luke Jenkins, Manfred Erjak, Marius Fodoreanu, Microsoft Detection and Response Team (DART), Microsoft Threat Intelligence Center (MSTIC), Mitchell Clarke, Parnian Najafi, Sarah Hawley, Wojciech Ledzion
Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)
Cobalt Strike CryptBot
2021-12-04BleepingComputerBill Toulas
Malicious KMSPico installers steal your cryptocurrency wallets
CryptBot
2021-12-02Red CanaryTony Lambert
KMSPico and Cryptbot: A spicy combo
CryptBot
2021-08-09AhnLabASEC Analysis Team
CryptBot Infostealer Constantly Changing and Being Distributed
CryptBot
2021-06-28AhnLabAhnLab
CryptBot Info-stealer Malware Being Distributed in Different Forms
CryptBot
2020-02-06GdataKarsten Hahn
40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger
CryptBot
Yara Rules
[TLP:WHITE] win_cryptbot_auto (20230808 | Detects win.cryptbot.)
rule win_cryptbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.cryptbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c0 85ed 0f94c0 8be8 }
            // n = 4, score = 700
            //   33c0                 | xor                 eax, eax
            //   85ed                 | test                ebp, ebp
            //   0f94c0               | sete                al
            //   8be8                 | mov                 ebp, eax

        $sequence_1 = { 33c0 eb0a b917d90000 e8???????? }
            // n = 4, score = 600
            //   33c0                 | xor                 eax, eax
            //   eb0a                 | jmp                 0xc
            //   b917d90000           | mov                 ecx, 0xd917
            //   e8????????           |                     

        $sequence_2 = { e9???????? b949dc0000 e9???????? b944dc0000 e9???????? b964dc0000 }
            // n = 6, score = 600
            //   e9????????           |                     
            //   b949dc0000           | mov                 ecx, 0xdc49
            //   e9????????           |                     
            //   b944dc0000           | mov                 ecx, 0xdc44
            //   e9????????           |                     
            //   b964dc0000           | mov                 ecx, 0xdc64

        $sequence_3 = { e8???????? 85c0 750c b961030200 e8???????? }
            // n = 5, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   b961030200           | mov                 ecx, 0x20361
            //   e8????????           |                     

        $sequence_4 = { 0f9cc0 eb02 32c0 84c0 }
            // n = 4, score = 600
            //   0f9cc0               | setl                al
            //   eb02                 | jmp                 4
            //   32c0                 | xor                 al, al
            //   84c0                 | test                al, al

        $sequence_5 = { eb0c b99fed0000 e8???????? 8907 }
            // n = 4, score = 600
            //   eb0c                 | jmp                 0xe
            //   b99fed0000           | mov                 ecx, 0xed9f
            //   e8????????           |                     
            //   8907                 | mov                 dword ptr [edi], eax

        $sequence_6 = { e8???????? 85c0 750e b9ca070200 e8???????? 8bc8 }
            // n = 6, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   b9ca070200           | mov                 ecx, 0x207ca
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_7 = { e8???????? 85c0 750f b955960100 e8???????? e9???????? }
            // n = 6, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11
            //   b955960100           | mov                 ecx, 0x19655
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_8 = { 744e 0fb74802 83e103 3bcb }
            // n = 4, score = 400
            //   744e                 | je                  0x50
            //   0fb74802             | movzx               ecx, word ptr [eax + 2]
            //   83e103               | and                 ecx, 3
            //   3bcb                 | cmp                 ecx, ebx

        $sequence_9 = { 750b 8bce e8???????? 8b4c2428 }
            // n = 4, score = 400
            //   750b                 | jne                 0xd
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]

        $sequence_10 = { 7508 85f6 7404 c6464101 5e c3 }
            // n = 6, score = 400
            //   7508                 | jne                 0xa
            //   85f6                 | test                esi, esi
            //   7404                 | je                  6
            //   c6464101             | mov                 byte ptr [esi + 0x41], 1
            //   5e                   | pop                 esi
            //   c3                   | ret                 

        $sequence_11 = { 7518 8b542414 83c718 8bcd }
            // n = 4, score = 400
            //   7518                 | jne                 0x1a
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   83c718               | add                 edi, 0x18
            //   8bcd                 | mov                 ecx, ebp

        $sequence_12 = { 7409 33d2 e8???????? 8bf8 43 }
            // n = 5, score = 400
            //   7409                 | je                  0xb
            //   33d2                 | xor                 edx, edx
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   43                   | inc                 ebx

        $sequence_13 = { 2403 80e110 8ad1 3c02 7509 }
            // n = 5, score = 400
            //   2403                 | and                 al, 3
            //   80e110               | and                 cl, 0x10
            //   8ad1                 | mov                 dl, cl
            //   3c02                 | cmp                 al, 2
            //   7509                 | jne                 0xb

        $sequence_14 = { 751f 8bd5 8bce e8???????? }
            // n = 4, score = 400
            //   751f                 | jne                 0x21
            //   8bd5                 | mov                 edx, ebp
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

    condition:
        7 of them and filesize < 11116544
}
Download all Yara Rules