SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cryptbot (Back to overview)

CryptBot


A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.

References
2022-08-08Medium CSIS TechblogBenoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-06-28AhnLabASEC
@online{asec:20220628:new:df3f9bf, author = {ASEC}, title = {{New Info-stealer Disguised as Crack Being Distributed}}, date = {2022-06-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/35981/}, language = {English}, urldate = {2022-06-30} } New Info-stealer Disguised as Crack Being Distributed
ClipBanker CryptBot Raccoon RedLine Stealer
2022-06-02MandiantMandiant
@online{mandiant:20220602:trending:0bcdbc4, author = {Mandiant}, title = {{TRENDING EVIL Q2 2022}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://experience.mandiant.com/trending-evil-2/p/1}, language = {English}, urldate = {2022-06-07} } TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot
2022-03-16FR3D.HKFred HK
@online{hk:20220316:cryptbot:9903e3f, author = {Fred HK}, title = {{CryptBot - Too good to be true}}, date = {2022-03-16}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/cryptbot-too-good-to-be-true}, language = {English}, urldate = {2022-04-15} } CryptBot - Too good to be true
CryptBot
2022-02-21Bleeping ComputerBill Toulas
@online{toulas:20220221:revamped:7315878, author = {Bill Toulas}, title = {{Revamped CryptBot malware spread by pirated software sites}}, date = {2022-02-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/}, language = {English}, urldate = {2022-02-26} } Revamped CryptBot malware spread by pirated software sites
CryptBot
2022-02-18AhnLabASEC Analysis Team
@online{team:20220218:pseudomanuscrypt:4aa75d9, author = {ASEC Analysis Team}, title = {{PseudoManuscrypt Being Distributed in the Same Method as Cryptbot}}, date = {2022-02-18}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/31683/}, language = {English}, urldate = {2022-02-19} } PseudoManuscrypt Being Distributed in the Same Method as Cryptbot
CryptBot PseudoManuscrypt
2021-12-06MandiantLuke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock, Luis Rocha, Marius Fodoreanu, Mitchell Clarke, Manfred Erjak, Josh Madeley, Ashraf Abdalhalim, Juraj Sucik, Wojciech Ledzion, Gabriella Roncone, Jonathan Leathery, Ben Read, Microsoft Threat Intelligence Center (MSTIC), Microsoft Detection and Response Team (DART)
@online{jenkins:20211206:suspected:d9da4ec, author = {Luke Jenkins and Sarah Hawley and Parnian Najafi and Doug Bienstock and Luis Rocha and Marius Fodoreanu and Mitchell Clarke and Manfred Erjak and Josh Madeley and Ashraf Abdalhalim and Juraj Sucik and Wojciech Ledzion and Gabriella Roncone and Jonathan Leathery and Ben Read and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Detection and Response Team (DART)}, title = {{Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)}}, date = {2021-12-06}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/russian-targeting-gov-business}, language = {English}, urldate = {2021-12-07} } Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)
Cobalt Strike CryptBot
2021-12-04BleepingComputerBill Toulas
@online{toulas:20211204:malicious:b9cff07, author = {Bill Toulas}, title = {{Malicious KMSPico installers steal your cryptocurrency wallets}}, date = {2021-12-04}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/}, language = {English}, urldate = {2022-04-07} } Malicious KMSPico installers steal your cryptocurrency wallets
CryptBot
2021-12-02Red CanaryTony Lambert
@techreport{lambert:20211202:kmspico:4e3afa7, author = {Tony Lambert}, title = {{KMSPico and Cryptbot: A spicy combo}}, date = {2021-12-02}, institution = {Red Canary}, url = {https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf}, language = {English}, urldate = {2021-12-07} } KMSPico and Cryptbot: A spicy combo
CryptBot
2021-08-09AhnLabASEC Analysis Team
@online{team:20210809:cryptbot:9b8a111, author = {ASEC Analysis Team}, title = {{CryptBot Infostealer Constantly Changing and Being Distributed}}, date = {2021-08-09}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/26052/}, language = {English}, urldate = {2022-04-15} } CryptBot Infostealer Constantly Changing and Being Distributed
CryptBot
2021-06-28AhnLabAhnLab
@online{ahnlab:20210628:cryptbot:6d593f3, author = {AhnLab}, title = {{CryptBot Info-stealer Malware Being Distributed in Different Forms}}, date = {2021-06-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/24423/}, language = {English}, urldate = {2022-04-07} } CryptBot Info-stealer Malware Being Distributed in Different Forms
CryptBot
2020-02-06GdataKarsten Hahn
@online{hahn:20200206:40000:3a0d792, author = {Karsten Hahn}, title = {{40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger}}, date = {2020-02-06}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger}, language = {English}, urldate = {2020-04-02} } 40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger
CryptBot
Yara Rules
[TLP:WHITE] win_cryptbot_auto (20220808 | Detects win.cryptbot.)
rule win_cryptbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.cryptbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c0 85ed 0f94c0 8be8 }
            // n = 4, score = 700
            //   33c0                 | xor                 eax, eax
            //   85ed                 | test                ebp, ebp
            //   0f94c0               | sete                al
            //   8be8                 | mov                 ebp, eax

        $sequence_1 = { e8???????? 85c0 750e b9ca070200 e8???????? 8bc8 }
            // n = 6, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   b9ca070200           | mov                 ecx, 0x207ca
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_2 = { 33c0 eb0a b917d90000 e8???????? }
            // n = 4, score = 600
            //   33c0                 | xor                 eax, eax
            //   eb0a                 | jmp                 0xc
            //   b917d90000           | mov                 ecx, 0xd917
            //   e8????????           |                     

        $sequence_3 = { e9???????? b949dc0000 e9???????? b944dc0000 e9???????? }
            // n = 5, score = 600
            //   e9????????           |                     
            //   b949dc0000           | mov                 ecx, 0xdc49
            //   e9????????           |                     
            //   b944dc0000           | mov                 ecx, 0xdc44
            //   e9????????           |                     

        $sequence_4 = { e9???????? b964dc0000 e9???????? b95ddc0000 }
            // n = 4, score = 600
            //   e9????????           |                     
            //   b964dc0000           | mov                 ecx, 0xdc64
            //   e9????????           |                     
            //   b95ddc0000           | mov                 ecx, 0xdc5d

        $sequence_5 = { e8???????? 85c0 750c b961030200 e8???????? }
            // n = 5, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   b961030200           | mov                 ecx, 0x20361
            //   e8????????           |                     

        $sequence_6 = { 0f9cc0 eb02 32c0 84c0 }
            // n = 4, score = 600
            //   0f9cc0               | setl                al
            //   eb02                 | jmp                 4
            //   32c0                 | xor                 al, al
            //   84c0                 | test                al, al

        $sequence_7 = { e8???????? 85c0 750f b955960100 e8???????? }
            // n = 5, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11
            //   b955960100           | mov                 ecx, 0x19655
            //   e8????????           |                     

        $sequence_8 = { 7409 f6405808 7503 33c0 }
            // n = 4, score = 400
            //   7409                 | je                  0xb
            //   f6405808             | test                byte ptr [eax + 0x58], 8
            //   7503                 | jne                 5
            //   33c0                 | xor                 eax, eax

        $sequence_9 = { 7405 3b4508 7504 c6463c03 }
            // n = 4, score = 400
            //   7405                 | je                  7
            //   3b4508               | cmp                 eax, dword ptr [ebp + 8]
            //   7504                 | jne                 6
            //   c6463c03             | mov                 byte ptr [esi + 0x3c], 3

        $sequence_10 = { 7508 0974241c 097c2418 8b542418 }
            // n = 4, score = 400
            //   7508                 | jne                 0xa
            //   0974241c             | or                  dword ptr [esp + 0x1c], esi
            //   097c2418             | or                  dword ptr [esp + 0x18], edi
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]

        $sequence_11 = { 7507 f7db 83d700 f7df 8b742474 }
            // n = 5, score = 400
            //   7507                 | jne                 9
            //   f7db                 | neg                 ebx
            //   83d700               | adc                 edi, 0
            //   f7df                 | neg                 edi
            //   8b742474             | mov                 esi, dword ptr [esp + 0x74]

        $sequence_12 = { 744e 0fb74802 83e103 3bcb }
            // n = 4, score = 400
            //   744e                 | je                  0x50
            //   0fb74802             | movzx               ecx, word ptr [eax + 2]
            //   83e103               | and                 ecx, 3
            //   3bcb                 | cmp                 ecx, ebx

        $sequence_13 = { 2403 80e110 8ad1 3c02 7509 }
            // n = 5, score = 400
            //   2403                 | and                 al, 3
            //   80e110               | and                 cl, 0x10
            //   8ad1                 | mov                 dl, cl
            //   3c02                 | cmp                 al, 2
            //   7509                 | jne                 0xb

        $sequence_14 = { 7405 894824 eb0d 807e1c00 894e04 7404 }
            // n = 6, score = 400
            //   7405                 | je                  7
            //   894824               | mov                 dword ptr [eax + 0x24], ecx
            //   eb0d                 | jmp                 0xf
            //   807e1c00             | cmp                 byte ptr [esi + 0x1c], 0
            //   894e04               | mov                 dword ptr [esi + 4], ecx
            //   7404                 | je                  6

    condition:
        7 of them and filesize < 11116544
}
Download all Yara Rules