Analysis Summary

CryptBot - a Windows malware - is capable of stealing credentials for browsers, cryptocurrency wallets, browser cookies, and credit cards, and creates screenshots of the infected system. Cryptbot hides within legitimate software to be installed by its victims. CryptBot threat actors spread malware via websites purportedly offering software cracks, key generators, or other tools. To gain widespread visibility, threat actors utilize search engine optimization to position malware distribution sites toward the top of Google search results, resulting in a steady stream of potential victims. It can also spread through a fake VPN client which is called Inter VPN, when executed, it infects the system with Cryptbot and Vidar which then runs an AutoHotKey script leading to download executables from malicious websites.

Impact

• Credential Theft
• Information Theft
• Exposure of Sensitive Data

Indicators of Compromise

MD5

• 83f979357b6142fdb29af934fa314e63
• e1c02bdd27200a2881dd2883ecfc9844
• a741208b11e340f91215eebb5f1c05f7
• 7105a2ba8c897b6c2072a6ab0bdecdf1
• e071b6dd90f4c7a9d23632bfb9517925
• 3195fa517818ae805403fc975213e9b4
• 49d7ba824b7249c26927e8a086eb879b
• 1b05ebbfcec15b251b93721338e525c8
• bd86c7f8fa17c9a08f0ed2e829255c62

SHA-256

• dc26f099c5875a25fab9ed9bf97c941e6e8bb61dcbc67897c2b758e30ad265a3
• 20061bce629f4e86cb50cb6464e28b3ddd2d0a31be41a5962e2cf439386ac730
• ac9d0b246600964d743b74a30f3bb38ee21c8365c28e6427f3f29d0a2daea370
• abc53ac9f7564ceba0a7548b880b1e92c8e0329ff9680e3c5f06abcbd4e869b9
• 70f887fea5277999b9f7c5b725a2601ea42f53c3de6f218867509057021d58be
• d8689dcc36f611d77d6f6d1eb1ed8b872104a38568740936209114835a441048
• a10386e4d53db8a045aedf7261adfbe05c0afd80a2550b7ad856cec3663cc66d
• ab30569e57ecb3c3d674890e89a90bebe8884071053a48c2a18dbf8ffc8aa7c3
• 14071621305caf3017b55255d6759ef0cbf22a811be2a490e31b6d5aca3c9964

SHA1

• fe271119b6c4ad30ec35eaaee48ee008718c0be7
• a3698b7ce84b65c7e851ab34e2e13e712f4c2c48
• 36ea40e7aaddec858d80c63825107c313c21d155
• d3659027483c2825c8430a41a0c3e439aac78e2f
• 9ef06985e2f58c3cd0a64780819e7812d6ae849e
• 43f5dbcd65c3e8fcbf106f4acd95ee26acd5c5ac
• 51596a606413b95477c9f655c2dfad328a94baf0
• 475e17fb4ea6e1d41b18086c541c338b862e1bf4
• b9586ca88021f12e8b0c285ab7a611457fb48052

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.