SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cryptbot (Back to overview)

CryptBot


A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.

References
2022-03-16FR3D.HKFred HK
@online{hk:20220316:cryptbot:9903e3f, author = {Fred HK}, title = {{CryptBot - Too good to be true}}, date = {2022-03-16}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/cryptbot-too-good-to-be-true}, language = {English}, urldate = {2022-04-15} } CryptBot - Too good to be true
CryptBot
2022-02-21Bleeping ComputerBill Toulas
@online{toulas:20220221:revamped:7315878, author = {Bill Toulas}, title = {{Revamped CryptBot malware spread by pirated software sites}}, date = {2022-02-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/}, language = {English}, urldate = {2022-02-26} } Revamped CryptBot malware spread by pirated software sites
CryptBot
2022-02-18AhnLabASEC Analysis Team
@online{team:20220218:pseudomanuscrypt:4aa75d9, author = {ASEC Analysis Team}, title = {{PseudoManuscrypt Being Distributed in the Same Method as Cryptbot}}, date = {2022-02-18}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/31683/}, language = {English}, urldate = {2022-02-19} } PseudoManuscrypt Being Distributed in the Same Method as Cryptbot
CryptBot PseudoManuscrypt
2021-12-06MandiantLuke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock, Luis Rocha, Marius Fodoreanu, Mitchell Clarke, Manfred Erjak, Josh Madeley, Ashraf Abdalhalim, Juraj Sucik, Wojciech Ledzion, Gabriella Roncone, Jonathan Leathery, Ben Read, Microsoft Threat Intelligence Center (MSTIC), Microsoft Detection and Response Team (DART)
@online{jenkins:20211206:suspected:d9da4ec, author = {Luke Jenkins and Sarah Hawley and Parnian Najafi and Doug Bienstock and Luis Rocha and Marius Fodoreanu and Mitchell Clarke and Manfred Erjak and Josh Madeley and Ashraf Abdalhalim and Juraj Sucik and Wojciech Ledzion and Gabriella Roncone and Jonathan Leathery and Ben Read and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Detection and Response Team (DART)}, title = {{Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)}}, date = {2021-12-06}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/russian-targeting-gov-business}, language = {English}, urldate = {2021-12-07} } Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)
Cobalt Strike CryptBot
2021-12-04BleepingComputerBill Toulas
@online{toulas:20211204:malicious:b9cff07, author = {Bill Toulas}, title = {{Malicious KMSPico installers steal your cryptocurrency wallets}}, date = {2021-12-04}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/}, language = {English}, urldate = {2022-04-07} } Malicious KMSPico installers steal your cryptocurrency wallets
CryptBot
2021-12-02Red CanaryTony Lambert
@techreport{lambert:20211202:kmspico:4e3afa7, author = {Tony Lambert}, title = {{KMSPico and Cryptbot: A spicy combo}}, date = {2021-12-02}, institution = {Red Canary}, url = {https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf}, language = {English}, urldate = {2021-12-07} } KMSPico and Cryptbot: A spicy combo
CryptBot
2021-08-09AhnLabASEC Analysis Team
@online{team:20210809:cryptbot:9b8a111, author = {ASEC Analysis Team}, title = {{CryptBot Infostealer Constantly Changing and Being Distributed}}, date = {2021-08-09}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/26052/}, language = {English}, urldate = {2022-04-15} } CryptBot Infostealer Constantly Changing and Being Distributed
CryptBot
2021-06-28AhnLabAhnLab
@online{ahnlab:20210628:cryptbot:6d593f3, author = {AhnLab}, title = {{CryptBot Info-stealer Malware Being Distributed in Different Forms}}, date = {2021-06-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/24423/}, language = {English}, urldate = {2022-04-07} } CryptBot Info-stealer Malware Being Distributed in Different Forms
CryptBot
2020-02-06GdataKarsten Hahn
@online{hahn:20200206:40000:3a0d792, author = {Karsten Hahn}, title = {{40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger}}, date = {2020-02-06}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger}, language = {English}, urldate = {2020-04-02} } 40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger
CryptBot
Yara Rules
[TLP:WHITE] win_cryptbot_auto (20220411 | Detects win.cryptbot.)
rule win_cryptbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.cryptbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c0 85ed 0f94c0 8be8 }
            // n = 4, score = 700
            //   33c0                 | xor                 eax, eax
            //   85ed                 | test                ebp, ebp
            //   0f94c0               | sete                al
            //   8be8                 | mov                 ebp, eax

        $sequence_1 = { 33c0 eb0a b917d90000 e8???????? }
            // n = 4, score = 600
            //   33c0                 | xor                 eax, eax
            //   eb0a                 | jmp                 0xc
            //   b917d90000           | mov                 ecx, 0xd917
            //   e8????????           |                     

        $sequence_2 = { e8???????? 85c0 750c b961030200 e8???????? }
            // n = 5, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   b961030200           | mov                 ecx, 0x20361
            //   e8????????           |                     

        $sequence_3 = { e8???????? 85c0 750e b9ca070200 e8???????? 8bc8 }
            // n = 6, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   b9ca070200           | mov                 ecx, 0x207ca
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_4 = { 0f9cc0 eb02 32c0 84c0 }
            // n = 4, score = 600
            //   0f9cc0               | setl                al
            //   eb02                 | jmp                 4
            //   32c0                 | xor                 al, al
            //   84c0                 | test                al, al

        $sequence_5 = { e8???????? 84c0 7514 b800000002 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7514                 | jne                 0x16
            //   b800000002           | mov                 eax, 0x2000000

        $sequence_6 = { 7211 c705????????01000000 e8???????? eb07 8325????????00 }
            // n = 5, score = 600
            //   7211                 | jb                  0x13
            //   c705????????01000000     |     
            //   e8????????           |                     
            //   eb07                 | jmp                 9
            //   8325????????00       |                     

        $sequence_7 = { e8???????? 85c0 750f b955960100 e8???????? e9???????? }
            // n = 6, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11
            //   b955960100           | mov                 ecx, 0x19655
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_8 = { 0f95c1 660fa3d0 0f92c0 84c8 }
            // n = 4, score = 400
            //   0f95c1               | setne               cl
            //   660fa3d0             | bt                  ax, dx
            //   0f92c0               | setb                al
            //   84c8                 | test                al, cl

        $sequence_9 = { 8d442414 8bd7 50 8d442438 8bcd }
            // n = 5, score = 400
            //   8d442414             | lea                 eax, dword ptr [esp + 0x14]
            //   8bd7                 | mov                 edx, edi
            //   50                   | push                eax
            //   8d442438             | lea                 eax, dword ptr [esp + 0x38]
            //   8bcd                 | mov                 ecx, ebp

        $sequence_10 = { 744e 0fb74802 83e103 3bcb }
            // n = 4, score = 400
            //   744e                 | je                  0x50
            //   0fb74802             | movzx               ecx, word ptr [eax + 2]
            //   83e103               | and                 ecx, 3
            //   3bcb                 | cmp                 ecx, ebx

        $sequence_11 = { 8d4c2414 e8???????? 8bc8 85c9 }
            // n = 4, score = 400
            //   8d4c2414             | lea                 ecx, dword ptr [esp + 0x14]
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   85c9                 | test                ecx, ecx

        $sequence_12 = { 2403 80e110 8ad1 3c02 7509 }
            // n = 5, score = 400
            //   2403                 | and                 al, 3
            //   80e110               | and                 cl, 0x10
            //   8ad1                 | mov                 dl, cl
            //   3c02                 | cmp                 al, 2
            //   7509                 | jne                 0xb

        $sequence_13 = { 8d542424 8bce e8???????? 8b0e }
            // n = 4, score = 400
            //   8d542424             | lea                 edx, dword ptr [esp + 0x24]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8b0e                 | mov                 ecx, dword ptr [esi]

        $sequence_14 = { 8d4aff 8d0c8f 3bf8 7704 3bc8 7334 }
            // n = 6, score = 400
            //   8d4aff               | lea                 ecx, dword ptr [edx - 1]
            //   8d0c8f               | lea                 ecx, dword ptr [edi + ecx*4]
            //   3bf8                 | cmp                 edi, eax
            //   7704                 | ja                  6
            //   3bc8                 | cmp                 ecx, eax
            //   7334                 | jae                 0x36

    condition:
        7 of them and filesize < 11116544
}
Download all Yara Rules