win.cryptbot

CryptBot

A typical infostealer. It collects credentials and cookies from browsers, cryptocurrency wallet data and saved credit-card details, and takes screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2.

References
2024-12-30 | Intrinsec | CTI Intrinsec
  CryptBot: Hunting for initial access vectors
  Families: CryptBot, Lumma Stealer, PrivateLoader
2024-12-10 | Patreon (OALABS) | Sergei Frankoff
  Live Stream VOD: The Many Faces of CryptBot (Paywall)
  Families: CryptBot
2024-12-06 | OALabs | Sergei Frankoff
  CryptBot Evolution: Tracking the many iterations of this stealer
  Families: CryptBot
2024-11-18 | TEHTRIS | TEHTRIS
  Cryptbot downloader: A deep cryptanalysis
  Families: CryptBot
2024-09-10 | Intezer | Joakim Kennedy, Ryan Robinson
  There's Something About CryptBot: Yet Another Silly Stealer (YASS)
  Families: CryptBot
2024-08-22 | Mandiant | Aaron Lee, Praveeth DSouza
  PEAKLIGHT: Decoding the Stealthy Memory-Only Malware
  Families: CryptBot, Emmenhtal, HijackLoader, Lumma Stealer
2023-04-26 | United States District Court (Southern District of New York) | Google
  CryptBot complaint against Zubair Saeed, Raheel Arshad and Mohammad Rasheed Siddiqui
  Families: CryptBot
2023-04-13 | Google | Google Threat Analysis Group, Mike Trinh, Pierre-Marc Bureau
  Continuing our work to hold cybercriminal ecosystems accountable
  Families: CryptBot
2023-03-16 | OALabs | Sergei Frankoff
  CryptBot
  Families: CryptBot
2023-01-26 | ANY.RUN | ANY.RUN
  CryptBot Infostealer: Malware Analysis
  Families: CryptBot
2022-11-29 | Mandiant | Doug Bienstock, Luke Jenkins, Parnian Najafi, Sarah Hawley
  Suspected Russian Activity Targeting Government and Business Entities Around the Globe
  Families: CEELOADER, CryptBot
2022-08-08 | Medium CSIS Techblog | Benoît Ancel
  An inside view of domain anonymization as-a-service: the BraZZZerSFF infrastructure
  Families: Riltok, magecart, Anubis, Azorult, BetaBot, Buer, CoalaBot, CryptBot, DiamondFox, DreamBot, GCleaner, ISFB, Loki Password Stealer (PWS), MedusaLocker, MeguminTrojan, Nemty, PsiX, RedLine Stealer, SmokeLoader, STOP, TinyNuke, Vidar, Zloader
2022-06-28 | AhnLab | ASEC
  New Info-stealer Disguised as Crack Being Distributed
  Families: ClipBanker, CryptBot, Raccoon, RedLine Stealer
2022-06-02 | Mandiant | Mandiant
  TRENDING EVIL Q2 2022
  Families: CloudEyE, Cobalt Strike, CryptBot, Emotet, IsaacWiper, QakBot
2022-03-16 | FR3D.HK | Fred HK
  CryptBot - Too good to be true
  Families: CryptBot
2022-03-10 | Blackberry | The BlackBerry Research & Intelligence Team
  Threat Thursday: CryptBot Infostealer Masquerades as Cracked Software
  Families: CryptBot
2022-02-21 | AhnLab | AhnLab ASEC Analysis Team
  Modified CryptBot Infostealer Being Distributed
  Families: CryptBot
2022-02-21 | Bleeping Computer | Bill Toulas
  Revamped CryptBot malware spread by pirated software sites
  Families: CryptBot
2022-02-18 | AhnLab | ASEC Analysis Team
  PseudoManuscrypt Being Distributed in the Same Method as Cryptbot
  Families: CryptBot, PseudoManuscrypt
2021-12-06 | Mandiant | Ashraf Abdalhalim, Ben Read, Doug Bienstock, Gabriella Roncone, Jonathan Leathery, Josh Madeley, Juraj Sucik, Luis Rocha, Luke Jenkins, Manfred Erjak, Marius Fodoreanu, Microsoft Detection and Response Team (DART), Microsoft Threat Intelligence Center (MSTIC), Mitchell Clarke, Parnian Najafi, Sarah Hawley, Wojciech Ledzion
  Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)
  Families: Cobalt Strike, CryptBot
2021-12-04 | BleepingComputer | Bill Toulas
  Malicious KMSPico installers steal your cryptocurrency wallets
  Families: CryptBot
2021-12-02 | Red Canary | Tony Lambert
  KMSPico and Cryptbot: A spicy combo
  Families: CryptBot
2021-08-09 | AhnLab | ASEC Analysis Team
  CryptBot Infostealer Constantly Changing and Being Distributed
  Families: CryptBot
2021-06-28 | AhnLab | AhnLab
  CryptBot Info-stealer Malware Being Distributed in Different Forms
  Families: CryptBot
2020-02-06 | Gdata | Karsten Hahn
  40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger
  Families: CryptBot
Yara Rules
[TLP:WHITE] win_cryptbot_auto (20260504 | Detects win.cryptbot.)
rule win_cryptbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cryptbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c0 85ed 0f94c0 8be8 }
            // n = 4, score = 700
            //   33c0                 | xor                 eax, eax
            //   85ed                 | test                ebp, ebp
            //   0f94c0               | sete                al
            //   8be8                 | mov                 ebp, eax

        $sequence_1 = { e8???????? 85c0 750f b955960100 e8???????? e9???????? }
            // n = 6, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11
            //   b955960100           | mov                 ecx, 0x19655
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_2 = { e8???????? 84c0 7514 b800000002 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7514                 | jne                 0x16
            //   b800000002           | mov                 eax, 0x2000000

        $sequence_3 = { e9???????? b944dc0000 e9???????? b964dc0000 e9???????? b95ddc0000 }
            // n = 6, score = 600
            //   e9????????           |                     
            //   b944dc0000           | mov                 ecx, 0xdc44
            //   e9????????           |                     
            //   b964dc0000           | mov                 ecx, 0xdc64
            //   e9????????           |                     
            //   b95ddc0000           | mov                 ecx, 0xdc5d

        $sequence_4 = { 33c0 eb0a b917d90000 e8???????? }
            // n = 4, score = 600
            //   33c0                 | xor                 eax, eax
            //   eb0a                 | jmp                 0xc
            //   b917d90000           | mov                 ecx, 0xd917
            //   e8????????           |                     

        $sequence_5 = { e8???????? 85c0 750c b961030200 e8???????? }
            // n = 5, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   b961030200           | mov                 ecx, 0x20361
            //   e8????????           |                     

        $sequence_6 = { e8???????? 85c0 750e b9ca070200 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   b9ca070200           | mov                 ecx, 0x207ca

        $sequence_7 = { eb0c b99fed0000 e8???????? 8907 }
            // n = 4, score = 600
            //   eb0c                 | jmp                 0xe
            //   b99fed0000           | mov                 ecx, 0xed9f
            //   e8????????           |                     
            //   8907                 | mov                 dword ptr [edi], eax

        $sequence_8 = { 7424 807e4100 7404 33c0 5e c3 }
            // n = 6, score = 400
            //   7424                 | je                  0x26
            //   807e4100             | cmp                 byte ptr [esi + 0x41], 0
            //   7404                 | je                  6
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   c3                   | ret                 

        $sequence_9 = { 7414 3c7a 7508 8b4610 803874 }
            // n = 5, score = 400
            //   7414                 | je                  0x16
            //   3c7a                 | cmp                 al, 0x7a
            //   7508                 | jne                 0xa
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   803874               | cmp                 byte ptr [eax], 0x74

        $sequence_10 = { 1ac9 2403 80e110 8ad1 3c02 7509 }
            // n = 6, score = 400
            //   1ac9                 | sbb                 cl, cl
            //   2403                 | and                 al, 3
            //   80e110               | and                 cl, 0x10
            //   8ad1                 | mov                 dl, cl
            //   3c02                 | cmp                 al, 2
            //   7509                 | jne                 0xb

        $sequence_11 = { 7422 8b4d00 8bd3 6a00 }
            // n = 4, score = 400
            //   7422                 | je                  0x24
            //   8b4d00               | mov                 ecx, dword ptr [ebp]
            //   8bd3                 | mov                 edx, ebx
            //   6a00                 | push                0

        $sequence_12 = { 744e 0fb74802 83e103 3bcb }
            // n = 4, score = 400
            //   744e                 | je                  0x50
            //   0fb74802             | movzx               ecx, word ptr [eax + 2]
            //   83e103               | and                 ecx, 3
            //   3bcb                 | cmp                 ecx, ebx

        $sequence_13 = { 7419 8b4218 3b4114 7211 }
            // n = 4, score = 400
            //   7419                 | je                  0x1b
            //   8b4218               | mov                 eax, dword ptr [edx + 0x18]
            //   3b4114               | cmp                 eax, dword ptr [ecx + 0x14]
            //   7211                 | jb                  0x13

        $sequence_14 = { 83caff 8bcf e8???????? 83caff }
            // n = 4, score = 400
            //   83caff               | or                  edx, 0xffffffff
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   83caff               | or                  edx, 0xffffffff

        $sequence_15 = { 750d 83bed000000000 7504 c6461005 8bc7 5f }
            // n = 6, score = 400
            //   750d                 | jne                 0xf
            //   83bed000000000       | cmp                 dword ptr [esi + 0xd0], 0
            //   7504                 | jne                 6
            //   c6461005             | mov                 byte ptr [esi + 0x10], 5
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi

        $sequence_16 = { 85c0 742c 8bd6 8bcb }
            // n = 4, score = 400
            //   85c0                 | test                eax, eax
            //   742c                 | je                  0x2e
            //   8bd6                 | mov                 edx, esi
            //   8bcb                 | mov                 ecx, ebx

        $sequence_17 = { 8b5720 8bce e8???????? 8b5724 8bce }
            // n = 5, score = 200
            //   8b5720               | mov                 edx, dword ptr [edi + 0x20]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8b5724               | mov                 edx, dword ptr [edi + 0x24]
            //   8bce                 | mov                 ecx, esi

        $sequence_18 = { 8b959cfeffff 8b85acfeffff 33c9 3808 }
            // n = 4, score = 100
            //   8b959cfeffff         | mov                 edx, dword ptr [ebp - 0x164]
            //   8b85acfeffff         | mov                 eax, dword ptr [ebp - 0x154]
            //   33c9                 | xor                 ecx, ecx
            //   3808                 | cmp                 byte ptr [eax], cl

        $sequence_19 = { 8b4d08 8b4910 8b19 89542404 }
            // n = 4, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b4910               | mov                 ecx, dword ptr [ecx + 0x10]
            //   8b19                 | mov                 ebx, dword ptr [ecx]
            //   89542404             | mov                 dword ptr [esp + 4], edx

        $sequence_20 = { 8b4d08 8b09 83c002 83d200 }
            // n = 4, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   83c002               | add                 eax, 2
            //   83d200               | adc                 edx, 0

        $sequence_21 = { 8b958cfeffff 2bc2 8bb5a0feffff 03f0 }
            // n = 4, score = 100
            //   8b958cfeffff         | mov                 edx, dword ptr [ebp - 0x174]
            //   2bc2                 | sub                 eax, edx
            //   8bb5a0feffff         | mov                 esi, dword ptr [ebp - 0x160]
            //   03f0                 | add                 esi, eax

        $sequence_22 = { 8b4d08 8b09 01f0 11fa 894178 }
            // n = 5, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   01f0                 | add                 eax, esi
            //   11fa                 | adc                 edx, edi
            //   894178               | mov                 dword ptr [ecx + 0x78], eax

        $sequence_23 = { 8b95a0feffff 6a00 6a00 8b08 }
            // n = 4, score = 100
            //   8b95a0feffff         | mov                 edx, dword ptr [ebp - 0x160]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_24 = { 8b94b1f80f0000 8b45f4 8b7df8 0fb700 0fb73c97 663bc7 7232 }
            // n = 7, score = 100
            //   8b94b1f80f0000       | mov                 edx, dword ptr [ecx + esi*4 + 0xff8]
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   0fb700               | movzx               eax, word ptr [eax]
            //   0fb73c97             | movzx               edi, word ptr [edi + edx*4]
            //   663bc7               | cmp                 ax, di
            //   7232                 | jb                  0x34

        $sequence_25 = { 8b4d08 8b09 8b09 8b09 }
            // n = 4, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   8b09                 | mov                 ecx, dword ptr [ecx]

        $sequence_26 = { 8b4d08 8b09 8b896caf0600 8b9274af0600 }
            // n = 4, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   8b896caf0600         | mov                 ecx, dword ptr [ecx + 0x6af6c]
            //   8b9274af0600         | mov                 edx, dword ptr [edx + 0x6af74]

        $sequence_27 = { 8b4d08 8b09 8901 c745e41b000000 }
            // n = 4, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   c745e41b000000       | mov                 dword ptr [ebp - 0x1c], 0x1b

        $sequence_28 = { 8b4d08 8b09 81c3fc030000 8b549a08 }
            // n = 4, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   81c3fc030000         | add                 ebx, 0x3fc
            //   8b549a08             | mov                 edx, dword ptr [edx + ebx*4 + 8]

        $sequence_29 = { 8b4d08 8b4914 8b19 8954240c }
            // n = 4, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b4914               | mov                 ecx, dword ptr [ecx + 0x14]
            //   8b19                 | mov                 ebx, dword ptr [ecx]
            //   8954240c             | mov                 dword ptr [esp + 0xc], edx

        $sequence_30 = { 8b959cfeffff 8bca 85d2 742a }
            // n = 4, score = 100
            //   8b959cfeffff         | mov                 edx, dword ptr [ebp - 0x164]
            //   8bca                 | mov                 ecx, edx
            //   85d2                 | test                edx, edx
            //   742a                 | je                  0x2c

    condition:
        7 of them and filesize < 17138688
}
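The `$sequence_N` strings above are YARA hex strings: each `??` is a single-byte wildcard, and yara-signator places them where a relative call or jump target (`e8`/`e9` followed by rel32) differs between builds, so the signature keys on the surrounding opcodes rather than on addresses. The following Python script is an added example, not code from Malpedia or yara-signator. It compiles a subset of the rule's own sequences into byte regexes, scans a buffer, and evaluates the rule's `7 of them and filesize < 17138688` condition, which makes it easy to see what an automatically generated rule actually matches on before assigning it a confidence level. It also handles nibble wildcards such as `4?`, which YARA supports but this rule does not use, and it does not implement jumps (`[4-6]`) or alternations. The sample buffer is constructed from the rule's own sequences with wildcards filled in; it is not a CryptBot sample.

```python
import re

# A subset of the hex strings from the win_cryptbot_auto rule above, copied
# verbatim.  "??" is YARA's single-byte wildcard; yara-signator puts it where a
# relative call/jump target (e8/e9 + rel32) would differ between builds.
RULE_SEQUENCES = {
    "sequence_0":  "33c0 85ed 0f94c0 8be8",
    "sequence_1":  "e8???????? 85c0 750f b955960100 e8???????? e9????????",
    "sequence_2":  "e8???????? 84c0 7514 b800000002",
    "sequence_4":  "33c0 eb0a b917d90000 e8????????",
    "sequence_5":  "e8???????? 85c0 750c b961030200 e8????????",
    "sequence_6":  "e8???????? 85c0 750e b9ca070200",
    "sequence_7":  "eb0c b99fed0000 e8???????? 8907",
    "sequence_8":  "7424 807e4100 7404 33c0 5e c3",
    "sequence_14": "83caff 8bcf e8???????? 83caff",
}
MIN_MATCHES = 7            # condition: "7 of them"
MAX_FILESIZE = 17138688    # condition: "filesize < 17138688"


def _byte_class(value: int, mask: int) -> bytes:
    """Regex fragment matching every byte b with (b & mask) == value."""
    if mask == 0xFF:
        return b"\\x%02x" % value
    if mask == 0x00:
        return b"."                       # full wildcard; relies on re.DOTALL below
    members = b"".join(b"\\x%02x" % b for b in range(256) if (b & mask) == value)
    return b"[" + members + b"]"          # nibble wildcard such as "4?" or "?4"


def compile_hex_string(hex_string: str) -> "re.Pattern[bytes]":
    """Compile a YARA hex string (byte pairs with ?? / nibble wildcards; no
    jumps or alternations) into a compiled bytes regex."""
    parts = []
    for token in hex_string.split():
        if len(token) % 2:
            raise ValueError(f"odd-length hex token {token!r}")
        for hi, lo in zip(token[0::2], token[1::2]):
            value, mask = 0, 0
            if hi != "?":
                value |= int(hi, 16) << 4
                mask |= 0xF0
            if lo != "?":
                value |= int(lo, 16)
                mask |= 0x0F
            parts.append(_byte_class(value, mask))
    # DOTALL so that "." (a ?? byte) also matches 0x0a, which would otherwise be excluded.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_hex_string(hs) for name, hs in RULE_SEQUENCES.items()}


def scan(buf: bytes) -> list:
    """Names of the sequences present in buf.  As with YARA's "N of them", a
    string counts once no matter how many times it occurs."""
    return sorted(name for name, pat in COMPILED.items() if pat.search(buf))


def rule_matches(buf: bytes, min_matches: int = MIN_MATCHES,
                 max_filesize: int = MAX_FILESIZE) -> bool:
    """Evaluate the condition "<min_matches> of them and filesize < <max_filesize>"."""
    return len(buf) < max_filesize and len(scan(buf)) >= min_matches


# ---- constructed test input (not a CryptBot sample) ----------------------------

def instantiate(hex_string: str, fill: str = "1") -> bytes:
    """Concrete bytes for a hex string, with every wildcard nibble replaced by `fill`."""
    return bytes(int(tok[i:i + 2].replace("?", fill), 16)
                 for tok in hex_string.split() for i in range(0, len(tok), 2))


def build_sample(names, padding: bytes = b"\x90" * 64) -> bytes:
    """Constructed buffer: the named sequences, wildcards filled in, separated by NOP padding."""
    return padding + padding.join(instantiate(RULE_SEQUENCES[n]) for n in names) + padding


if __name__ == "__main__":
    seven = ["sequence_0", "sequence_1", "sequence_2", "sequence_4",
             "sequence_5", "sequence_6", "sequence_7"]
    buf = build_sample(seven)
    print("matched:", scan(buf))
    print("rule fires:", rule_matches(buf))                            # 7 of them -> True
    print("rule fires with six:", rule_matches(build_sample(seven[:6])))  # 6 of them -> False
```

Two things the script makes visible: the wildcarded `call`/`jmp` operands mean a sequence matches any build that keeps the same opcode layout, and a rule that fires on seven short sequences out of thirty-one is still a single-sample signature, as the rule's own disclaimer says. For production scanning use yara-python with the rule itself; this script is for understanding what the rule keys on.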