CryptBot Malware Analysis

Featured image
CryptBot series · 3 parts
  1. CryptBot Malware Analysis
  2. CryptBot v2.0 - Malware Analysis
  3. CryptBot v3 (Final) - Malware Analysis

Overview

CryptBot is a Windows-based Trojan malware first discovered in the wild in December 2019. It belongs to the prolific category of information stealers, whose primary objective is to gather sensitive data from infected devices and exfiltrate it to threat actors. This includes credentials, cryptocurrency wallets, browser data, and system information.

According to a detailed report from Darktrace, CryptBot draws inspiration from earlier infostealers like ZeuS (discovered in 2006). After ZeuS’s source code leaked, variants proliferated, and infostealers have since become a staple in cybercrime. In recent months, SOC (Security Operations Center) teams have observed multiple infections across customer bases involving similar stealers.

Key characteristics of CryptBot:


Analysis

Activities

Activity Dynamics

The following graph illustrates the dynamic behavior of CryptBot during infection, including initial execution, data collection, and exfiltration phases. The data took from MalwareHunter’s infographic.

CryptBot Dynamic.png

Malicious Infrastructure Growth Dynamics

This detailed graph shows the growth of CryptBot’s command-and-control (C2) infrastructure over time, highlighting domain registrations and IP changes.

CryptBot Dynamic Detailed.png

Programming Language

Based on the unpacked sample and the function declarations, revealed during the analysis by IDA Pro, the malware is written in C/C++. This is evident from low-level API calls, string handling, and memory management patterns observed in the disassembled code.

Unpacked CryptBot Code


Static Analysis

Static analysis reveals CryptBot’s configuration parsing, string obfuscation, and data theft routines. The malware uses UTF-16LE encoded strings and bracketed formats like [<Variable>] for config variables (e.g., [<Bitcoin>] for wallet data).

Configuration Parsing Snippet

Here’s a NASM snippet showing config parsing. Note the use of bracketed tags for variables like Process, Screenshot, and Key.

.rdata:004AC220 asc_4AC220:                             ; DATA XREF: sub_417E4C+142A↑o
.rdata:004AC220                 text "UTF-16LE", '[<',0
.rdata:004AC226 aProcess        db 'Process:',0
.rdata:004AC22F                 align 10h
.rdata:004AC230                 text "UTF-16LE", '>]',0
.rdata:004AC236                 align 4
.rdata:004AC238 a1:                                     ; DATA XREF: sub_417E4C:loc_41934E↑o
.rdata:004AC238                                         ; sub_4599AD+3B↑o ...
.rdata:004AC238                 text "UTF-16LE", '1',0
.rdata:004AC23C                 align 10h
.rdata:004AC240 asc_4AC240:                             ; DATA XREF: sub_417E4C+1592↑o
.rdata:004AC240                 text "UTF-16LE", '[<',0
.rdata:004AC246 aScreenshot     db 'Screenshot',0
.rdata:004AC251                 align 2
.rdata:004AC252                 db '>',0
.rdata:004AC254                 db ']',0
.rdata:004AC256                 align 4
.rdata:004AC258 a2              db '2',0                ; DATA XREF: sub_417E4C:loc_41941B↑o
.rdata:004AC25A                 align 10h
.rdata:004AC260 asc_4AC260:                             ; DATA XREF: sub_417E4C+166D↑o
.rdata:004AC260                 text "UTF-16LE", '[<',0
.rdata:004AC266 aKey_0          db 'Key',0
.rdata:004AC26A                 db    0
.rdata:004AC26B                 db  3Eh ; >
.rdata:004AC26C                 db    0
.rdata:004AC26D                 db  5Dh ; ]
.rdata:004AC26E                 db    0
.rdata:004AC26F                 db    0

Privilege Checks

The malware checks for Windows God Mode (a hidden feature for advanced settings) and admin privileges.

God Mode is a (clearly exaggerated) term for a folder that contains links to all kinds of system settings directly on your desktop (or wherever you choose to create it). Despite its intimidating name, God Mode is very easy to set up, and there’s almost no risk to it, aside from making important settings easily accessible.

PrivilegeChecks

Interesting Strings (Wallet Extensions)

CryptBot targets crypto wallets via browser extensions. Here’s a snippet showing hardcoded extension IDs and names.

.rdata:004A43F0 asc_4A43F0:                             ; DATA XREF: sub_401000+1E↑o
.rdata:004A43F0                                         ; sub_401887+1E↑o ...
.rdata:004A43F0                 text "UTF-16LE", '[<',0
.rdata:004A43F6 aFhbohimaelbohp db 'fhbohimaelbohpjbbldcngcnapndodjp',0  ; Extension ID for a wallet
.rdata:004A4417                 align 4
.rdata:004A4418                 text "UTF-16LE", '>]',0
.rdata:004A441E                 align 10h
.rdata:004A4420 asc_4A4420:                             ; DATA XREF: sub_401000+28↑o
.rdata:004A4420                                         ; sub_4011E0+134↑o ...
.rdata:004A4420                 text "UTF-16LE", '[<',0
.rdata:004A4426 aGuarda         db 'Guarda',0              ; Wallet name: Guarda
.rdata:004A442D                 align 2
.rdata:004A442E                 db '>',0
.rdata:004A4430                 db ']',0
.rdata:004A4432                 align 10h
.rdata:004A4440 asc_4A4440:                             ; DATA XREF: sub_401000+32↑o
.rdata:004A4440                                         ; sub_401887+32↑o ...
.rdata:004A4440                 text "UTF-16LE", '[<',0
.rdata:004A4446 aHpglfhgfnhbgpj db 'hpglfhgfnhbgpjdenjgmdgoeiappafln',0  ; Extension ID
.rdata:004A4467                 align 4
.rdata:004A4468                 text "UTF-16LE", '>]',0
.rdata:004A446E                 align 10h
.rdata:004A4470 asc_4A4470:                             ; DATA XREF: sub_401000+3C↑o
.rdata:004A4470                                         ; sub_401887+3C↑o ...
.rdata:004A4470                 text "UTF-16LE", '[<',0
.rdata:004A4476 aCoin98         db 'Coin98',0              ; Wallet name: Coin98
.rdata:004A447D                 align 2
.rdata:004A447E                 db '>',0
.rdata:004A4480                 db ']',0
.rdata:004A4482                 align 10h
.rdata:004A4490 asc_4A4490:                             ; DATA XREF: sub_401000+46↑o
.rdata:004A4490                                         ; sub_401887+46↑o ...
.rdata:004A4490                 text "UTF-16LE", '[<',0
.rdata:004A4496 aAeachknmefphep db 'aeachknmefphepccionboohckonoeemg',0   ; Extension ID
.rdata:004A44B7                 align 4
.rdata:004A44B8                 text "UTF-16LE", '>]',0
.rdata:004A44BE                 align 10h
.rdata:004A44C0 asc_4A44C0:                             ; DATA XREF: sub_401000+50↑o
.rdata:004A44C0                                         ; sub_401190+14↑o ...
.rdata:004A44C0                 text "UTF-16LE", '[<',0
.rdata:004A44C6 aMath           db 'Math',0                ; Wallet name: Math
.rdata:004A44CB                 align 4
.rdata:004A44CC                 text "UTF-16LE", '>]',0
.rdata:004A44D2                 align 10h
.rdata:004A44E0 asc_4A44E0:                             ; DATA XREF: sub_401000+5A↑o
.rdata:004A44E0                                         ; sub_401887+5A↑o ...
.rdata:004A44E0                 text "UTF-16LE", '[<',0
.rdata:004A44E6 aAfbcbjpbpfadlk db 'afbcbjpbpfadlkmhmclhkeeodmamcflc',0  ; Extension ID
.rdata:004A4507                 align 4
.rdata:004A4508                 text "UTF-16LE", '>]',0
.rdata:004A450E                 align 10h
.rdata:004A4510 asc_4A4510:                             ; DATA XREF: sub_401000+64↑o
.rdata:004A4510                                         ; sub_401887+64↑o ...
.rdata:004A4510                 text "UTF-16LE", '[<',0
.rdata:004A4516 aTronlink       db 'TronLink',0            ; Wallet name: TronLink
.rdata:004A451F                 align 10h
.rdata:004A4520                 text "UTF-16LE", '>]',0
.rdata:004A4526                 align 10h
.rdata:004A4530 asc_4A4530:                             ; DATA XREF: sub_401000+6E↑o
.rdata:004A4530                                         ; sub_401887+6E↑o ...
.rdata:004A4530                 text "UTF-16LE", '[<',0
.rdata:004A4536 aIbnejdfjmmkpcn db 'ibnejdfjmmkpcnlpebklmnkoeoihofec',0  ; Extension ID
.rdata:004A4557                 align 4
.rdata:004A4558                 text "UTF-16LE", '>]',0
.rdata:004A455E                 align 10h
.rdata:004A4560 asc_4A4560:                             ; DATA XREF: sub_401000+78↑o
.rdata:004A4560                                         ; sub_401887+78↑o ...
.rdata:004A4560                 text "UTF-16LE", '[<',0
.rdata:004A4566 aKeplr          db 'Keplr',0               ; Wallet name: Keplr

Initialization and Global Setup

The malware uses _initterm for initialization. Declarations reference multiple subroutines for setup.

initterm

Check functions retrieving globals:

renamed functions

The content type appears to be a struct for caching strings:

unsigned __int8 *__thiscall sub_407C62(unsigned __int8 *this)
{
  _BYTE *v2; // ebx
  _BYTE *v3; // esi
  int v4; // eax
  int v5; // ecx
  int v6; // esi

  if ( *this == 0x5B )
    return this + 6;
  if ( !dword_4BEF24 || !dword_4BEF20 )
    sub_407B97();
  v2 = malloc(__CFADD__(*this, 1) ? -1 : *this + 1);
  v3 = malloc(5u);
  *(_DWORD *)v3 = *(_DWORD *)(this + 1);
  v3[4] = this[5];
  memmove_0(v2, this + 6, *this);
  sub_407BF8((int)v2, *this);
  v2[*this] = 0;
  j___free_base(v3);
  v4 = sub_407C22(v2);
  v5 = dword_4BEF28;
  v6 = dword_4BEF28;
  if ( dword_4BEF28 < 0 )
  {
LABEL_8:
    *((_DWORD *)dword_4BEF24 + dword_4BEF28) = v4;
    *(_DWORD *)(dword_4BEF20 + 4 * v5) = v2;
    dword_4BEF28 = v5 + 1;
    return v2;
  }
  else
  {
    while ( *((_DWORD *)dword_4BEF24 + v6) != v4 )
    {
      if ( --v6 < 0 )
        goto LABEL_8;
    }
    j___free_base(v2);
    return *(unsigned __int8 **)(dword_4BEF20 + 4 * v6);
  }
}

Back to initial declarations (NASM):

.rdata:0049837C First           dd 0                    ; DATA XREF: __scrt_common_main_seh(void)+71↑o
.rdata:00498380                 dd offset sub_4765AF
.rdata:00498384                 dd offset sub_404D91
.rdata:00498388                 dd offset sub_404DCB
.rdata:0049838C                 dd offset sub_404DBF
.rdata:00498390                 dd offset sub_404DA7
.rdata:00498394                 dd offset sub_404DB3
.rdata:00498398                 dd offset mw_setup_stealer_strings
.rdata:0049839C                 dd offset sub_401190
.rdata:004983A0                 dd offset sub_4011E0
.rdata:004983A4                 dd offset sub_401381
.rdata:004983A8                 dd offset sub_4016C2
.rdata:004983AC                 dd offset sub_4017E7
.rdata:004983B0                 dd offset sub_401887
.rdata:004983B4                 dd offset sub_401A17
.rdata:004983B8                 dd offset sub_401A67
.rdata:004983BC                 dd offset sub_401C08
.rdata:004983C0                 dd offset sub_401F49
.rdata:004983C4                 dd offset sub_40206E
.rdata:004983C8                 dd offset sub_40210E
.rdata:004983CC                 dd offset sub_40229E
.rdata:004983D0                 dd offset sub_4022EE
.rdata:004983D4                 dd offset sub_40248F
.rdata:004983D8                 dd offset sub_4027D0
.rdata:004983DC                 dd offset sub_4028F5
.rdata:004983E0                 dd offset sub_402995
.rdata:004983E4                 dd offset sub_402B25
.rdata:004983E8                 dd offset sub_402B75
.rdata:004983EC                 dd offset sub_402D16
.rdata:004983F0                 dd offset sub_403057
.rdata:004983F4                 dd offset sub_40317C
.rdata:004983F8                 dd offset sub_40321C
.rdata:004983FC                 dd offset sub_4033AC
.rdata:00498400                 dd offset sub_4033FC
.rdata:00498404                 dd offset sub_40359D
.rdata:00498408                 dd offset sub_4038DE
.rdata:0049840C                 dd offset sub_403A03
.rdata:00498410                 dd offset sub_403AA3
.rdata:00498414                 dd offset sub_403CFC
.rdata:00498418                 dd offset sub_403D75
.rdata:0049841C                 dd offset sub_403FF8
.rdata:00498420                 dd offset sub_404339
.rdata:00498424                 dd offset sub_40445E
.rdata:00498428                 dd offset sub_4044FE
.rdata:0049842C                 dd offset sub_40468E
.rdata:00498430                 dd offset sub_4046DE
.rdata:00498434                 dd offset sub_40487F
.rdata:00498438                 dd offset sub_404BC0
.rdata:0049843C                 dd offset sub_404CE5
.rdata:00498440                 dd offset sub_404D85

Encryption/Decryption Routine

CryptBot uses XOR for string and config decryption. Here’s the routine:

int sub_417AD2()
{
  int result; // eax
  int v1; // esi
  char *v2; // ecx
  char *v3; // edi
  _BYTE *v4; // ecx
  unsigned int v5; // eax
  int v6; // ecx
  unsigned int v7; // [esp-8h] [ebp-14h]
  int v8; // [esp+8h] [ebp-4h]

  result = 0;
  memset(dword_4BFC80, 0, 0x400u);
  if ( a7m1fqxrljy[0] != 9 )
  {
    v1 = 0;
    v2 = a7m1fqxrljy;
    dword_4BEFA4 = 0;
    v8 = 0;
    do
    {
      v3 = &a7m1fqxrljy[result + 1];
      if ( !a7m1fqxrljy[result] )
      {
        dword_4BFC80[v1] = (int)v2;
        v2 = &a7m1fqxrljy[result + 1];
        if ( !v1 )
        {
          if ( !*(_BYTE *)dword_4BFC80[0] )
            break;
          v7 = 11998 - sub_4746DB((_BYTE *)dword_4BFC80[0]);
          v5 = sub_4746DB(v4);
          sub_47420E(v6, v5, (int)v3, v7);
          result = v8;
          v2 = v3;
        }
        ++v1;
      }
      if ( v1 == 200 || *(v3 - 1) == 9 && *v3 == 9 )
        break;
      v8 = ++result;
    }
    while ( result < 12000 );
    dword_4BEFA4 = v1;
  }
  return result;
}

The core XOR function (sub_47420E):

void __fastcall sub_47420E(int a1, unsigned int a2, int a3, unsigned int a4)
{
  unsigned int i; // esi

  for ( i = 0; i < a4; ++i )
    *(_BYTE *)(i + a3) ^= *(_BYTE *)(i % a2 + a1);
}
void __fastcall mw_xor(int arg_key, unsigned int arg_key_len, int arg_in_out, unsigned int arg_len)
{
  unsigned int i; // esi

  for ( i = 0; i < arg_len; ++i )
    *(_BYTE *)(i + arg_in_out) ^= *(_BYTE *)(i % arg_key_len + arg_key);
}

IDA view of the XOR routine:

xor routine

Config Decryption Example

The key 7m1fqXrLJy is hardcoded. XOR Key

Using CyberChef or similar tools:

  1. Extract encrypted data as hex (e.g., 5F1945164B775D2938175E064452437606233A56500C45035F281A3C717974025E0D183D).
  2. Convert to UTF-8.
  3. XOR with key 7m1fqXrLJy.

Decrypted Config

Result: Decrypted config like http://erniku42.top/gate.php;.Cookie.

Signature for key check:

B9 00 01 00 00                          mov     ecx, 100h
80 3D ?? ?? ?? ?? 09                    cmp     byte ptr a7m1fqxrljy, 9 ; "7m1fqXrLJy"

Note: Keys vary across samples; ?? represents placeholders.

Malware Configuration Extractor

This Python script extracts the encrypted config using PE parsing and XOR decryption. It’s self-contained and works on unpacked samples.

# CryptBot Configuration Extractor
# This script extracts the encrypted configuration from an unpacked CryptBot malware sample.
# It locates the XOR key and encrypted config data in the .text section of a PE file,
# decrypts the config using the identified key, and outputs the C2 address and settings.
# Dependencies: pefile, re, struct
# Usage: Replace '/tmp/cryptbot.bin' with the path to your malware sample.
# Output: A dictionary containing the C2 URL and key-value settings.

import re
import pefile
import struct

file_data = open('/tmp/cryptbot.bin', 'rb').read()
pe = pefile.PE(data = file_data)
image_base = pe.OPTIONAL_HEADER.ImageBase

text_data = None

for s in pe.sections:
    if b'.text' == s.Name[:5]:
        text_data = s.get_data()
        break

assert text_data is not None

# Regular expressions to match XOR key check instructions
# These patterns look for specific assembly instructions that reference the XOR key
eggs = [
        rb'\x80\x3D(....)\x09\xB9\x00\x01\x00\x00',
        rb'\xB9\x00\x01\x00\x00\x80\x3D(....)\x09'
        ]

candidate_offsets = []

for egg in eggs:
    for m in re.finditer(egg, text_data, re.DOTALL):
        try:
            candidate_va = struct.unpack('<I', m.group(1))[0]
            candidate_offset = pe.get_offset_from_rva(candidate_va - image_base)
            candidate_offsets.append(candidate_offset)
        
        except:
            print(f"failed for group {m.group(1)}!")
            pass

assert len(candidate_offsets) != 0

def xor_decrypt(data, key):
    out = []
    for i in range(len(data)):
        out.append(data[i] ^ key[i % len(key)])
    return bytes(out)


def get_config(data, offset):
    key = data[offset:].split(b'\x00')[0]
    assert 5 < len(key) < 20
    config_data_enc = data[offset + len(key) + 1:]
    return xor_decrypt(config_data_enc, key)

config_data = None

for candidate_offset in candidate_offsets:
    try:
        tmp_config = get_config(file_data, candidate_offset)
        if tmp_config[:4] == b'http':
            config_data = tmp_config
            break
    except:
        pass

assert config_data is not None

config_array = []
for a in config_data.split(b'\x00'):
    if not a.isascii():
        break
    config_array.append(a)

c2 = config_array[0]
settings = []

for config_entries in config_array[1:]:
    for entry in config_entries.split(b'<>\r\n'):
        if len(entry) == 0:
            continue
        settings.append({'key': entry.split(b'<>_<>')[0].decode('utf-8'),'value':entry.split(b'<>_<>')[1].decode('utf-8')})

assert len(settings) != 0

final_config = {'C2':c2, 'Settings':settings}

print(final_config)

Running the script on a sample will yield the C2 address and configuration settings used by the malware as the following output:

{
   "C2":"b""http://erniku42.top/gate.php;",
   "Settings":[
      {
         "key":"CookiesEdge",
         "value":"false"
      },
      {
         "key":"HistoryEdge",
         "value":"false"
      },
      {
         "key":"HistoryFirefox",
         "value":"false"
      },
      {
         "key":"EdgeDB",
         "value":"true"
      },
      {
         "key":"Edge",
         "value":"false"
      },
      {
         "key":"Files",
         "value":"false"
      },
      {
         "key":"Opera",
         "value":"false"
      },
      {
         "key":"CookiesOpera",
         "value":"false"
      },
      {
         "key":"HistoryOpera",
         "value":"false"
      },
      {
         "key":"Screenshot",
         "value":"true"
      },
      {
         "key":"Chrome",
         "value":"false"
      },
      {
         "key":"Info",
         "value":"true"
      },
      {
         "key":"HistoryChrome",
         "value":"false"
      },
      {
         "key":"ChromeDB",
         "value":"true"
      },
      {
         "key":"Wallet",
         "value":"true"
      },
      {
         "key":"ChromeExt",
         "value":"true"
      },
      {
         "key":"Firefox",
         "value":"false"
      },
      {
         "key":"CookiesChrome",
         "value":"false"
      },
      {
         "key":"FirefoxDB",
         "value":"true"
      },
      {
         "key":"CookiesFirefox",
         "value":"false"
      },
      {
         "key":"Desktop",
         "value":"true"
      },
      {
         "key":"EdgeExt",
         "value":"true"
      },
      {
         "key":"CookiesFile",
         "value":"_AllCookies.txt"
      },
      {
         "key":"HistoryFile",
         "value":"_AllHistory.txt"
      },
      {
         "key":"NTFS",
         "value":"true"
      },
      {
         "key":"Key",
         "value":"NkB7vazOVtAR2LZ"
      },
      {
         "key":"DesktopFolder",
         "value":"_Desktop"
      },
      {
         "key":"UAC",
         "value":"false"
      },
      {
         "key":"ScreenFile",
         "value":"$CREEN.PNG"
      },
      {
         "key":"DeleteAfterEnd",
         "value":"true"
      },
      {
         "key":"MessageAfterEnd",
         "value":"false"
      },
      {
         "key":"FirefoxDBFolder",
         "value":"_Firefox"
      },
      {
         "key":"Anti",
         "value":"false"
      },
      {
         "key":"EdgeDBFolder",
         "value":"_Edge"
      },
      {
         "key":"UserAgent",
         "value":""
      },
      {
         "key":"Prefix",
         "value":"mrd-"
      },
      {
         "key":"WalletFolder",
         "value":"_Wallet"
      },
      {
         "key":"PasswordFile",
         "value":"_AllPasswords.txt"
      },
      {
         "key":"ChromeDBFolder",
         "value":"_Chrome"
      },
      {
         "key":"ExternalDownload",
         "value":"http://ovapfa05.top/unfele.dat"
      },
      {
         "key":"FilesFolder",
         "value":"_Files"
      },
      {
         "key":"InfoFile",
         "value":"_Information.txt"
      }
   ]
}

Impersonation

An interesting finding: CryptBot impersonates legitimate software from “Dinkumware Ltd” (a C++ library provider) to blend in.

After running YARA (see below), another sample was hit: eeded5f5d006dacd9e2f33ba9fad47332c04b57f621c89731376f51127198345.

Impersonation


YARA Rule

This refined YARA rule detects CryptBot based on characteristic strings for system info collection. It includes more specificity and metadata.

rule CryptBot {
    meta:
        description = "Detects CryptBot infostealer based on characteristic strings in its configuration or output"
        triage_description = "Identifies CryptBot malware by matching strings related to system information collection, such as UID, UserName, ComputerName, and admin status"
        triage_score = 8
        author = "0xw43l"
        date = "2025-08-15"
        reference = "https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/"
        hash = "7ccda59528c0151bc9f11b7f25f8291d99bcf541488c009ef14e2a104e6f0c5d"
    strings:
        $s1 = "UID:" ascii wide
        $s2 = "UserName:" ascii wide
        $s3 = "ComputerName:" ascii wide
        $s4 = "DateTime:" ascii wide
        $s5 = "UserAgent:" ascii wide
        $s6 = "Keyboard Languages:" ascii wide
        $s7 = "Display Resolution:" ascii wide
        $s8 = "CPU:" ascii wide
        $s9 = "RAM:" ascii wide
        $s10 = "GPU:" ascii wide
        $s11 = "isGodMod: yes" ascii wide
        $s12 = "isGodMod: no" ascii wide
        $s13 = "isAdmin: yes" ascii wide
        $s14 = "isAdmin: no" ascii wide
        $s15 = "Installed software:" ascii wide
        $xor_key = "7m1fqXrLJy" ascii // Common XOR key
    condition:
        uint16(0) == 0x5A4D and // PE header
        all of ($s*) or
        ($xor_key and 10 of ($s*))
}

MITRE ATT&CK

CryptBot aligns with several MITRE ATT&CK techniques. Below is a mapping based on observed behaviors:

Tactic Technique ID Technique Name Description
Initial Access T1189 Drive-by Compromise Distributed via malvertising or fake software downloads.
Execution T1204 User Execution: Malicious File Users execute cracked software bundles.
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys Adds registry entries for persistence.
Privilege Escalation T1068 Exploitation for Privilege Escalation Checks for admin/God Mode and escalates if possible.
Defense Evasion T1027 Obfuscated Files or Information Uses XOR encryption for strings and config.
Credential Access T1555 Credentials from Password Stores Steals browser passwords and cookies.
Discovery T1082 System Information Discovery Collects UID, CPU, RAM, GPU, etc.
Collection T1113 Screen Capture Takes screenshots.
Collection T1056.001 Input Capture: Keylogging Captures keystrokes.
Exfiltration T1041 Exfiltration Over C2 Channel Sends data to C2 via HTTP.

IOCs

The following table consolidates Indicators of Compromise (IOCs) related to CryptBot, PrivateLoader, SmokeLoader, Amadey, Lumma, Stealc, and Redline malware, including file hashes, domains, IP addresses, ASNs, and specific URLs used for command-and-control (C2) or payload delivery. These IOCs can be used for detection, threat hunting, and mitigation in security operations.

Value Type Description
da7fadc671804e093c7dcad3455a266e77d2c84b641ae037c70004daaa05b897 SHA-256 CryptBot – “Channel4.exe”
8874ee4d9c878a6dc7f2681ec36df05cb09c44ccb3be0ec89569f5bdece80519 SHA-256 CryptBot – “66dd5fafdeab3_lyla.exe”
2a5dd73271b9eabe63e7aefc5dc2ec01921ffba8bfa7ee278a2180e597c97bf7 SHA-256 CryptBot – “Set-up.exe”
319d1dc217b7e83a85dd62cb2c066156ba5579087f11c991a99089606979ca28 SHA-256 PrivateLoader payload
7631726b15a0cba30f88268df626df7a053c044efc78f772ade21e879cc7ae58 SHA-256 SmokeLoader payload
7b41cabcafca0e5725c874d316f4f5f83561fa571240c0ccdd8b19034282bf41 SHA-256 Amadey payload
dfdc63994c85f7161e25a26b762835781ce5578c6a5b5c2839324fc7faa591d3 SHA-256 Stage2 CryptBot payload DLL
dfefcc62121ee76f84d382fc622b61321f149a04a848c8cb987a7bda7ca59941 SHA-256 Stage2 CryptBot payload DLL
tventyv20sb[.]top Domain CryptBot C2
twoxv2sr[.]top Domain CryptBot C2
analforeverlovyu[.]top Domain CryptBot C2
thirtv13pn[.]top Domain CryptBot C2
bdtwo2sb[.]top Domain CryptBot C2
neiz19ht[.]top Domain CryptBot C2
levz11ht[.]top Domain CryptBot C2
fifxv15pn[.]top Domain CryptBot C2
fivevd5ht[.]top Domain CryptBot C2
sevtvd17ht[.]top Domain CryptBot C2
rxeight8ht[.]top Domain CryptBot C2
salvatiiywo[.]shop Domain Lumma C2
ignoracndwko[.]shop Domain Lumma C2
preachstrwnwjw[.]shop Domain Lumma C2
complainnykso[.]shop Domain Lumma C2
basedsymsotp[.]shop Domain Lumma C2
charistmatwio[.]shop Domain Lumma C2
grassemenwji[.]shop Domain Lumma C2
stitchmiscpaew[.]shop Domain Lumma C2
commisionipwn[.]shop Domain Lumma C2
epohe[.]ru Domain SmokeLoader C2
olihonols.in[.]net Domain SmokeLoader C2
nicetolosv[.]xyz Domain SmokeLoader C2
jftolsa[.]ws Domain SmokeLoader C2
download-rarfree[.]com Domain Redirecting to CryptBot payloads
rar-uploader[.]com Domain Redirecting to CryptBot payloads
economartbd[.]com Domain Redirecting to CryptBot payloads
rarz-uploader[.]com Domain Redirecting to CryptBot payloads
adsbell[.]com Domain Redirecting to CryptBot payloads
voiceofchangeinternational[.]com Domain Redirecting to CryptBot payloads
rar-freeload[.]com Domain Redirecting to CryptBot payloads
rars-freeload[.]com Domain Redirecting to CryptBot payloads
download-rarsfree[.]com Domain Redirecting to CryptBot payloads
rarzload-official[.]com Domain Redirecting to CryptBot payloads
Chuanpupu[.]com Domain Redirecting to CryptBot payloads
techjbc[.]xyz Domain Redirecting to CryptBot payloads
papiblendz[.]com Domain Redirecting to CryptBot payloads
sarahmakesitbetter[.]com Domain Redirecting to CryptBot payloads
rivistablog[.]com Domain Redirecting to CryptBot payloads
anotherconversation[.]com Domain Redirecting to CryptBot payloads
super6-star[.]buzz Domain Redirecting to CryptBot payloads
bluelineagenciamentodecargas[.]com Domain Redirecting to CryptBot payloads
peace-motion[.]buzz Domain Redirecting to CryptBot payloads
131ldvip[.]com Domain Redirecting to CryptBot payloads
onlineofficetutorials[.]com Domain Redirecting to CryptBot payloads
puntext[.]com Domain Redirecting to CryptBot payloads
free4pc[.]shop Domain Redirecting to CryptBot payloads
allgetintopcc[.]cfd Domain Redirecting to CryptBot payloads
techjbc[.]cfd Domain Redirecting to CryptBot payloads
sultanisback[.]pro Domain Redirecting to CryptBot payloads
filemirrormegaz[.]shop Domain Redirecting to CryptBot payloads
uznhmij5kr2307244[.]click Domain Redirecting to CryptBot payloads
afrdrctf[.]com Domain Redirecting to CryptBot payloads
up4pc[.]com Domain Offering fake cracked software
driver-booster-key[.]com Domain Offering fake cracked software
securecracked[.]info Domain Offering fake cracked software
filecrr[.]org Domain Offering fake cracked software
soft98[.]org Domain Offering fake cracked software
haxpc[.]net Domain Offering fake cracked software
muzamilpc[.]com Domain Offering fake cracked software
alphasofts[.]net Domain Offering fake cracked software
preactivated[.]net Domain Offering fake cracked software
mycrackfree[.]com Domain Offering fake cracked software
drapk[.]net Domain Offering fake cracked software
rgames31[.]com Domain Offering fake cracked software
windows-7-activator[.]com Domain Offering fake cracked software
modcrack[.]net Domain Offering fake cracked software
office-activator[.]com Domain Offering fake cracked software
official-kmspico[.]com Domain Offering fake cracked software
kmspico[.]ws Domain Offering fake cracked software
kmspicoofficial[.]com Domain Offering fake cracked software
windows4pc[.]com Domain Offering fake cracked software
windowsprodcutkey[.]com Domain Offering fake cracked software
activationkeysfree[.]org Domain Offering fake cracked software
serialhax[.]org Domain Offering fake cracked software
bcrack[.]org Domain Offering fake cracked software
crack4tech[.]org Domain Offering fake cracked software
crackedaxe[.]com Domain Offering fake cracked software
crackingcity[.]org Domain Offering fake cracked software
crackspc[.]net Domain Offering fake cracked software
fileserialkey[.]net Domain Offering fake cracked software
fullycracksoft[.]com Domain Offering fake cracked software
ifree4pc[.]net Domain Offering fake cracked software
productkeysfree[.]org Domain Offering fake cracked software
tech4pc[.]org Domain Offering fake cracked software
winows4pc[.]com Domain Offering fake cracked software
4mirrorpc[.]net Domain Offering fake cracked software
drfiles[.]net Domain Offering fake cracked software
haxacademy[.]net Domain Offering fake cracked software
crackfullpc[.]org Domain Offering fake cracked software
crackmacs[.]org Domain Offering fake cracked software
crackmarkets[.]com Domain Offering fake cracked software
pesktop[.]org Domain Offering fake cracked software
crackpcsoft[.]org Domain Offering fake cracked software
crackdownloads[.]org Domain Offering fake cracked software
iup4pc[.]net Domain Offering fake cracked software
crackingpc[.]net Domain Offering fake cracked software
downloadvst[.]com Domain Offering fake cracked software
licensedfull[.]com Domain Offering fake cracked software
vstcrackpc[.]com Domain Offering fake cracked software
vstpropc[.]com Domain Offering fake cracked software
vstdownload[.]org Domain Offering fake cracked software
activationskey[.]com Domain Offering fake cracked software
allmacworld[.]net Domain Offering fake cracked software
cracked-minecraft[.]com Domain Offering fake cracked software
crackedvpn[.]com Domain Offering fake cracked software
crackfix[.]net Domain Offering fake cracked software
crackfullkeys[.]com Domain Offering fake cracked software
crackfullpc[.]net Domain Offering fake cracked software
cracksecure[.]com Domain Offering fake cracked software
cracksoftpro[.]com Domain Offering fake cracked software
crackswatch[.]com Domain Offering fake cracked software
crackvstpc[.]com Domain Offering fake cracked software
downloadworld[.]org Domain Offering fake cracked software
fullidmcrack[.]com Domain Offering fake cracked software
fullproductkeys[.]com Domain Offering fake cracked software
idmfreedownload[.]net Domain Offering fake cracked software
idmfullcrack[.]info Domain Offering fake cracked software
idmpatchdownload[.]com Domain Offering fake cracked software
idmpatched[.]com Domain Offering fake cracked software
idmpc[.]co Domain Offering fake cracked software
igetintopc[.]com[.]pk Domain Offering fake cracked software
kanjupc[.]com Domain Offering fake cracked software
keyproductkey[.]com Domain Offering fake cracked software
licensekey[.]cc Domain Offering fake cracked software
macsoftkey[.]com Domain Offering fake cracked software
naveedcrack[.]com Domain Offering fake cracked software
office4pc[.]com Domain Offering fake cracked software
pc4download[.]com Domain Offering fake cracked software
pcbank[.]org Domain Offering fake cracked software
pccrack[.]org Domain Offering fake cracked software
pcdrives[.]org Domain Offering fake cracked software
pcexe[.]net Domain Offering fake cracked software
pcsoftcrack[.]net Domain Offering fake cracked software
pdffree[.]net Domain Offering fake cracked software
pluginstorrent[.]net Domain Offering fake cracked software
premiumpc[.]net Domain Offering fake cracked software
premiumpc[.]org Domain Offering fake cracked software
procracked[.]org Domain Offering fake cracked software
procrackwin[.]com Domain Offering fake cracked software
productkeycrack[.]com Domain Offering fake cracked software
productkeyspc[.]com Domain Offering fake cracked software
productskey[.]org Domain Offering fake cracked software
prolicensefree[.]com Domain Offering fake cracked software
proserialcrack[.]com Domain Offering fake cracked software
proserialfree[.]com Domain Offering fake cracked software
provstpc[.]com Domain Offering fake cracked software
pubgcrack[.]net Domain Offering fake cracked software
rootcracks[.]com Domain Offering fake cracked software
sadeempc[.]info Domain Offering fake cracked software
securecracked[.]info Domain Offering fake cracked software
seriakkeyforfree[.]com Domain Offering fake cracked software
softsmac[.]net Domain Offering fake cracked software
softwarein1[.]com Domain Offering fake cracked software
softwarekeep[.]info Domain Offering fake cracked software
starcracked[.]net Domain Offering fake cracked software
startcrack[.]info Domain Offering fake cracked software
topfullcrack[.]com Domain Offering fake cracked software
topfullkeys[.]com Domain Offering fake cracked software
torrent4pc[.]com Domain Offering fake cracked software
torrentpc[.]org Domain Offering fake cracked software
vst4cracked[.]com Domain Offering fake cracked software
vst4pc[.]com Domain Offering fake cracked software
vstfree[.]org Domain Offering fake cracked software
vstfreedownload[.]com Domain Offering fake cracked software
vstfullpc[.]com Domain Offering fake cracked software
vstpc[.]com Domain Offering fake cracked software
vstpluginsdownload[.]org Domain Offering fake cracked software
vstzip[.]com Domain Offering fake cracked software
wincrackbox[.]com Domain Offering fake cracked software
soft-got[.]org Domain Offering fake cracked software
185.244.181[.]38 IPv4 CryptBot C2
81.94.159[.]120 IPv4 CryptBot C2
103.130.147[.]211 IPv4 Hosting malwares
147.45.44[.]104 IPv4 Hosting malwares - Operated by PrivateLoader
31.41.244[.]9 IPv4 Hosting malwares - Operated by PrivateLoader
176.111.174[.]109 IPv4 Hosting malwares - Operated by PrivateLoader
147.45.47[.]169 IPv4 PrivateLoader C2
212.113.116[.]202 IPv4 PrivateLoader C2
62.133.61[.]172 IPv4 PrivateLoader C2
45.91.200[.]135 IPv4 PrivateLoader C2
92.246.139[.]82 IPv4 PrivateLoader C2
185.215.113[.]16 IPv4 Amadey C2
185.215.113[.]19 IPv4 Amadey C2
185.215.113[.]17 IPv4 Stealc C2
91.202.233[.]158 IPv4 Stealc C2
185.215.113[.]67 IPv4 Redline C2
65.21.18[.]51 IPv4 Redline C2
215789 ASN “Karina Rashkoska”
214927 ASN “PSB HOSTING LTD”
210644 ASN “Aeza International Ltd”
216246 ASN “Aeza Group Ltd.”
51381 ASN “1337TEAM LIMITED”
60424 ASN “1337TEAM LIMITED”
56873 ASN “1337TEAM LIMITED”
39770 ASN “1337TEAM LIMITED”
200593 ASN “PROSPERO OOO”

URLs

The following URLs are associated with CryptBot C2 or payload delivery:

Sample Files (Downloader SHA-256 Hashes)

The following is a list of downloader samples associated with CryptBot and related malware:


References