SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cryptbot (Back to overview)

CryptBot

A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.

References
2023-04-26United States District Court (Southern District of New York)Google
@techreport{google:20230426:cryptbot:ea44d7c, author = {Google}, title = {{CryptBot complaint against Zubair Saeed, Raheel Arshad and Mohammad Rasheed Siddiqui}}, date = {2023-04-26}, institution = {United States District Court (Southern District of New York)}, url = {https://regmedia.co.uk/2023/04/28/handout_google_cryptbot_complaint.pdf}, language = {English}, urldate = {2023-05-02} } CryptBot complaint against Zubair Saeed, Raheel Arshad and Mohammad Rasheed Siddiqui
CryptBot
2023-04-13GoogleMike Trinh, Pierre-Marc Bureau, Google Threat Analysis Group
@online{trinh:20230413:continuing:c9d837c, author = {Mike Trinh and Pierre-Marc Bureau and Google Threat Analysis Group}, title = {{Continuing our work to hold cybercriminal ecosystems accountable}}, date = {2023-04-13}, organization = {Google}, url = {https://blog.google/technology/safety-security/continuing-our-work-to-hold-cybercriminal-ecosystems-accountable/}, language = {English}, urldate = {2023-05-02} } Continuing our work to hold cybercriminal ecosystems accountable
CryptBot
2023-03-16OALabsSergei Frankoff
@online{frankoff:20230316:cryptbot:9cd940b, author = {Sergei Frankoff}, title = {{CryptBot}}, date = {2023-03-16}, organization = {OALabs}, url = {https://research.openanalysis.net/cryptbot/botnet/yara/config/2023/03/16/cryptbot.html}, language = {English}, urldate = {2023-05-02} } CryptBot
CryptBot
2023-01-26ANY.RUNANY.RUN
@online{anyrun:20230126:cryptbot:fa17489, author = {ANY.RUN}, title = {{CryptBot Infostealer: Malware Analysis}}, date = {2023-01-26}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/}, language = {English}, urldate = {2023-01-27} } CryptBot Infostealer: Malware Analysis
CryptBot
2022-08-08Medium CSIS TechblogBenoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-06-28AhnLabASEC
@online{asec:20220628:new:df3f9bf, author = {ASEC}, title = {{New Info-stealer Disguised as Crack Being Distributed}}, date = {2022-06-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/35981/}, language = {English}, urldate = {2022-06-30} } New Info-stealer Disguised as Crack Being Distributed
ClipBanker CryptBot Raccoon RedLine Stealer
2022-06-02MandiantMandiant
@online{mandiant:20220602:trending:0bcdbc4, author = {Mandiant}, title = {{TRENDING EVIL Q2 2022}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://experience.mandiant.com/trending-evil-2/p/1}, language = {English}, urldate = {2022-06-07} } TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot
2022-03-16FR3D.HKFred HK
@online{hk:20220316:cryptbot:9903e3f, author = {Fred HK}, title = {{CryptBot - Too good to be true}}, date = {2022-03-16}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/cryptbot-too-good-to-be-true}, language = {English}, urldate = {2022-04-15} } CryptBot - Too good to be true
CryptBot
2022-03-10BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220310:threat:64ccfb2, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: CryptBot Infostealer Masquerades as Cracked Software}}, date = {2022-03-10}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/03/threat-thursday-cryptbot-infostealer}, language = {English}, urldate = {2023-05-02} } Threat Thursday: CryptBot Infostealer Masquerades as Cracked Software
CryptBot
2022-02-21Bleeping ComputerBill Toulas
@online{toulas:20220221:revamped:7315878, author = {Bill Toulas}, title = {{Revamped CryptBot malware spread by pirated software sites}}, date = {2022-02-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/}, language = {English}, urldate = {2022-02-26} } Revamped CryptBot malware spread by pirated software sites
CryptBot
2022-02-21AhnLabAhnLab ASEC Analysis Team
@online{team:20220221:modified:6fd1e56, author = {AhnLab ASEC Analysis Team}, title = {{Modified CryptBot Infostealer Being Distributed}}, date = {2022-02-21}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/31802/}, language = {English}, urldate = {2023-05-02} } Modified CryptBot Infostealer Being Distributed
CryptBot
2022-02-18AhnLabASEC Analysis Team
@online{team:20220218:pseudomanuscrypt:4aa75d9, author = {ASEC Analysis Team}, title = {{PseudoManuscrypt Being Distributed in the Same Method as Cryptbot}}, date = {2022-02-18}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/31683/}, language = {English}, urldate = {2022-02-19} } PseudoManuscrypt Being Distributed in the Same Method as Cryptbot
CryptBot PseudoManuscrypt
2021-12-06MandiantLuke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock, Luis Rocha, Marius Fodoreanu, Mitchell Clarke, Manfred Erjak, Josh Madeley, Ashraf Abdalhalim, Juraj Sucik, Wojciech Ledzion, Gabriella Roncone, Jonathan Leathery, Ben Read, Microsoft Threat Intelligence Center (MSTIC), Microsoft Detection and Response Team (DART)
@online{jenkins:20211206:suspected:d9da4ec, author = {Luke Jenkins and Sarah Hawley and Parnian Najafi and Doug Bienstock and Luis Rocha and Marius Fodoreanu and Mitchell Clarke and Manfred Erjak and Josh Madeley and Ashraf Abdalhalim and Juraj Sucik and Wojciech Ledzion and Gabriella Roncone and Jonathan Leathery and Ben Read and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Detection and Response Team (DART)}, title = {{Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)}}, date = {2021-12-06}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/russian-targeting-gov-business}, language = {English}, urldate = {2021-12-07} } Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)
Cobalt Strike CryptBot
2021-12-04BleepingComputerBill Toulas
@online{toulas:20211204:malicious:b9cff07, author = {Bill Toulas}, title = {{Malicious KMSPico installers steal your cryptocurrency wallets}}, date = {2021-12-04}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/}, language = {English}, urldate = {2022-04-07} } Malicious KMSPico installers steal your cryptocurrency wallets
CryptBot
2021-12-02Red CanaryTony Lambert
@techreport{lambert:20211202:kmspico:4e3afa7, author = {Tony Lambert}, title = {{KMSPico and Cryptbot: A spicy combo}}, date = {2021-12-02}, institution = {Red Canary}, url = {https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf}, language = {English}, urldate = {2021-12-07} } KMSPico and Cryptbot: A spicy combo
CryptBot
2021-08-09AhnLabASEC Analysis Team
@online{team:20210809:cryptbot:9b8a111, author = {ASEC Analysis Team}, title = {{CryptBot Infostealer Constantly Changing and Being Distributed}}, date = {2021-08-09}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/26052/}, language = {English}, urldate = {2022-04-15} } CryptBot Infostealer Constantly Changing and Being Distributed
CryptBot
2021-06-28AhnLabAhnLab
@online{ahnlab:20210628:cryptbot:6d593f3, author = {AhnLab}, title = {{CryptBot Info-stealer Malware Being Distributed in Different Forms}}, date = {2021-06-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/24423/}, language = {English}, urldate = {2022-04-07} } CryptBot Info-stealer Malware Being Distributed in Different Forms
CryptBot
2020-02-06GdataKarsten Hahn
@online{hahn:20200206:40000:3a0d792, author = {Karsten Hahn}, title = {{40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger}}, date = {2020-02-06}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger}, language = {English}, urldate = {2020-04-02} } 40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger
CryptBot
Yara Rules
[TLP:WHITE] win_cryptbot_auto (20230407 | Detects win.cryptbot.)
rule win_cryptbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.cryptbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c0 85ed 0f94c0 8be8 }
            // n = 4, score = 700
            //   33c0                 | xor                 eax, eax
            //   85ed                 | test                ebp, ebp
            //   0f94c0               | sete                al
            //   8be8                 | mov                 ebp, eax

        $sequence_1 = { e9???????? b964dc0000 e9???????? b95ddc0000 }
            // n = 4, score = 600
            //   e9????????           |                     
            //   b964dc0000           | mov                 ecx, 0xdc64
            //   e9????????           |                     
            //   b95ddc0000           | mov                 ecx, 0xdc5d

        $sequence_2 = { 33c0 eb0a b917d90000 e8???????? }
            // n = 4, score = 600
            //   33c0                 | xor                 eax, eax
            //   eb0a                 | jmp                 0xc
            //   b917d90000           | mov                 ecx, 0xd917
            //   e8????????           |                     

        $sequence_3 = { e9???????? b949dc0000 e9???????? b944dc0000 e9???????? }
            // n = 5, score = 600
            //   e9????????           |                     
            //   b949dc0000           | mov                 ecx, 0xdc49
            //   e9????????           |                     
            //   b944dc0000           | mov                 ecx, 0xdc44
            //   e9????????           |                     

        $sequence_4 = { e8???????? 85c0 750e b9ca070200 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   b9ca070200           | mov                 ecx, 0x207ca

        $sequence_5 = { 0f9cc0 eb02 32c0 84c0 }
            // n = 4, score = 600
            //   0f9cc0               | setl                al
            //   eb02                 | jmp                 4
            //   32c0                 | xor                 al, al
            //   84c0                 | test                al, al

        $sequence_6 = { e8???????? 85c0 750c b961030200 e8???????? }
            // n = 5, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   b961030200           | mov                 ecx, 0x20361
            //   e8????????           |                     

        $sequence_7 = { e8???????? 85c0 750f b955960100 e8???????? }
            // n = 5, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11
            //   b955960100           | mov                 ecx, 0x19655
            //   e8????????           |                     

        $sequence_8 = { 7408 85c0 7808 85ed }
            // n = 4, score = 400
            //   7408                 | je                  0xa
            //   85c0                 | test                eax, eax
            //   7808                 | js                  0xa
            //   85ed                 | test                ebp, ebp

        $sequence_9 = { 740b f6470601 ba???????? 7405 ba???????? }
            // n = 5, score = 400
            //   740b                 | je                  0xd
            //   f6470601             | test                byte ptr [edi + 6], 1
            //   ba????????           |                     
            //   7405                 | je                  7
            //   ba????????           |                     

        $sequence_10 = { 744e 0fb74802 83e103 3bcb }
            // n = 4, score = 400
            //   744e                 | je                  0x50
            //   0fb74802             | movzx               ecx, word ptr [eax + 2]
            //   83e103               | and                 ecx, 3
            //   3bcb                 | cmp                 ecx, ebx

        $sequence_11 = { 2403 80e110 8ad1 3c02 7509 }
            // n = 5, score = 400
            //   2403                 | and                 al, 3
            //   80e110               | and                 cl, 0x10
            //   8ad1                 | mov                 dl, cl
            //   3c02                 | cmp                 al, 2
            //   7509                 | jne                 0xb

        $sequence_12 = { 7404 c6461d01 837e0800 890e }
            // n = 4, score = 400
            //   7404                 | je                  6
            //   c6461d01             | mov                 byte ptr [esi + 0x1d], 1
            //   837e0800             | cmp                 dword ptr [esi + 8], 0
            //   890e                 | mov                 dword ptr [esi], ecx

        $sequence_13 = { 7408 8b442428 88040e 46 }
            // n = 4, score = 400
            //   7408                 | je                  0xa
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   88040e               | mov                 byte ptr [esi + ecx], al
            //   46                   | inc                 esi

        $sequence_14 = { 7405 894824 eb0d 807e1c00 894e04 7404 c6461d01 }
            // n = 7, score = 400
            //   7405                 | je                  7
            //   894824               | mov                 dword ptr [eax + 0x24], ecx
            //   eb0d                 | jmp                 0xf
            //   807e1c00             | cmp                 byte ptr [esi + 0x1c], 0
            //   894e04               | mov                 dword ptr [esi + 4], ecx
            //   7404                 | je                  6
            //   c6461d01             | mov                 byte ptr [esi + 0x1d], 1

    condition:
        7 of them and filesize < 11116544
}
Download all Yara Rules