{
	"id": "4cec94be-0caa-4f1b-b6f9-238e3cb8c62c",
	"created_at": "2026-04-06T00:13:07.564732Z",
	"updated_at": "2026-04-10T03:36:47.799801Z",
	"deleted_at": null,
	"sha1_hash": "03afe5da7785b2661c403086f261230ea67a4d0d",
	"title": "CryptBot - Too good to be true",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3659138,
	"plain_text": "CryptBot - Too good to be true\r\nArchived: 2026-04-05 23:11:10 UTC\r\nMarch 16, 2022 - Reading time: 13 minutes\r\nCryptBot is an information stealer distributed via fake cracked software. It is an advanced and mature operation that supplies many underground shops with stolen credentials.\r\nForeword\r\nWhen observing an actor who isn't particularly skilled in the art of malware distribution, you will often find them distributing their malware under the guise of free cracked software. This technique is common but not effective at luring what would be considered a \"good\" or profitable infection. CryptBot ignores this and takes the scale up a few notches: it is distributed by the InstallUSD PPI and receives thousands of infections daily.\r\nFigure 0: Example of download site\r\nOnce downloaded, the file is usually a password-protected archive. After it is unzipped, the produced file is an installer that is heavily inflated, ranging from 300-700 MB; this is done to avoid AV scans of the file. Upon running the installer, CryptBot is dropped onto the system and executed.\r\nAnti-Analysis \u0026 Preparations\r\nLike other malware, before CryptBot carries out any of its main functionality it checks the system it is running on. CryptBot attempts to avoid systems that it believes may be used for analysis or emulation; if these checks fail, CryptBot exits and removes itself from the system. The first check queries the registry for the system's Windows product name and processor name. After these have been queried it calls GetUserNameW to get the name of the current user.\r\nhttps://fr3d.hk/blog/cryptbot-too-good-to-be-true\r\nPage 1 of 8\r\nFigure 1: System information queries\r\nCryptBot uses a folder within %AppData% to determine whether or not it has been run on the infected system before. This folder is named \"kashga\". Before proceeding further it checks the permissions of this folder, and if the folder exists the malware exits. To avoid being run in an environment with anti-virus, CryptBot checks whether any is installed. To accomplish this it checks whether the installation paths of two popular anti-virus products exist. The paths are:\r\n%ProgramData%\\AVG\r\n%ProgramData%\\AVAST Software\r\nIf these paths exist, the malware sleeps and then exits. If they do not exist it proceeds to call GetSystemInfo. The number of processor cores returned is compared to 1; if the core count equals 1 the malware exits. GetSystemMetrics is called with parameter 0 to get the width of the screen; if the width is below 1033 the malware exits. CryptBot calls GlobalMemoryStatusEx and checks that the system's memory is above 2 GB. Lastly, CryptBot queries ProcessorNameString from the registry key \"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\" and checks that the string does not contain \"Xeon\", a brand of Intel CPUs commonly found in servers. If the string does contain \"xeon\" the check fails.\r\nFigure 2: Anti analysis checks\r\nAfter all checks have passed, CryptBot creates the exfil folder and the subfolders within it. They are the following:\r\n\\_Files\r\n\\_Files\\_Files\r\n\\_Files\\_Wallet\r\n\\_Files\\_Chrome\r\n\\_Files\\_Opera\r\n\\_Files\\_Brave\r\n\\_Files\\_Firefox\r\nBrowser Stealer\r\nCryptBot, unlike other malware, does not target many different browsers. Instead it targets only the most commonly used ones: Chrome, Opera, Brave and Firefox. CryptBot begins its theft with Firefox. It expands the %AppData% location and locates the profiles.ini file, which describes Firefox's profile storage. CryptBot then locates and copies the following files into the CryptBot exfiltration folder:\r\ncookies.sqlite\r\nformhistory.sqlite\r\nlogins.json\r\nsignons.sqlite\r\nkey4.db\r\nkey3.db\r\nThese files can then be decrypted by the operators of CryptBot to retrieve the victim's credentials. CryptBot uses the same technique as for Firefox to steal the following files from Brave, Opera and Chrome. Its theft from these browsers is done with a single function, as all three browsers are Chromium-based. The function finds the browsers' local storage and copies the following files:\r\ndefault_logins\r\ndefault_cookies\r\ndefault_webdata\r\ndefault_key\r\nThe files are copied into their respective exfil directories.\r\nGrab System Information\r\nSo that the operators of CryptBot can get an idea of the system they have infected, the malware collects information about it. It begins by creating a file in the exfil directory named \"_Information.txt\". It then calls GetModuleFileNameW to get its own path and writes this to the file. Next the malware queries \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" from the registry and grabs the following values:\r\nProductName\r\nCurrentBuildNumber\r\nReleaseId\r\nTo determine whether the infected system is a 64-bit OS, the malware uses ExpandEnvironmentStringsW on the path string \"%WINDIR%\\SysWOW64\" and then checks whether that path exists. If it exists the infected system is 64-bit, otherwise it is 32-bit. This result is written to the system information file, as are the results of the queried registry values.\r\nFigure 3: Get and write OS details\r\nTo determine the OS language, CryptBot calls GetUserDefaultLocaleName and writes the result to the file. It then calls GetKeyboardLayoutList and writes the results as the keyboard languages. Next it writes the local time and queries the UserName and ComputerName, which are also written into the information file. CryptBot queries the registry key \"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\" for information about the CPU, then uses other system calls to gather information about the system's RAM, GPU and display size. Lastly it queries:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\r\nThis enumerates the software installed on the system, which is written to the information document.\r\nWallet \u0026 File Grabber\r\nCryptBot goes after all text files on the Desktop. It does this by expanding the \"%USERPROFILE%\\Desktop\\*.txt\" path string and then copying every file matching it into the exfil directory. After this the malware copies the files of the following wallets into the exfil directory.\r\nFigure 4: Get crypto wallet files\r\nExtensions Stealer\r\nA modern development in information stealers is theft from browser extensions. These extensions are commonly used to control cryptocurrency and are now targeted more often than system-based wallets. CryptBot targets Chrome, Brave and Opera for these extensions. As with its theft from browsers, CryptBot uses a single do-it-all function that takes the browser's storage location and the profile to be used as arguments. The locations are:\r\n%LocalAppData%\\Google\\Chrome\\User Data\r\n%LocalAppData%\\BraveSoftware\\Brave-Browser\\User Data\r\n%AppData%\\Opera Software\r\nCryptBot reuses its browser-theft technique here: it simply locates the extension it wants to steal from and, if the extension is installed, copies its contents into the exfil directory. These are the extensions it steals from and their IDs:\r\nMetaMask, nkbihfbeogaeaoehlefnkodbefgpgknn\r\nAxie Infinity, fnjhmkhhmkbjkkabndcnnogag\r\nYoroi, ffnbelfdoeiohenkjibnmadjiehjhajb\r\nTron Link, ibnejdfjmmkpcnlpebklmnkoeoihofec\r\nNifty Wallet, jbdaocneiiinmjbjlgalhcelgbejmnid\r\nMath Wallet, afbcbjpbpfadlkmhmclhkeeodmamcflc\r\nCoinBase Wallet, hnfanknocfeofbddgcijnmhnfnkdnaad\r\nBinance Wallet, fhbohimaelbohpjbbldcngcnapndodjp\r\nUnknown, mnojpmjdmbbfmejpflffifhffcmidifd\r\nGuarda, hpglfhgfnhbgpjdenjgmdgoeiappafln\r\nEQUA Wallet, blnieiiffboillknjnepogjhkgnoapac\r\nJaxx Liberty, cjelfplplebdjjenllpjcblmjkfcffne\r\nBitApp Wallet, fihkakfobkmkjojpchpfgcmhfjnmnfpi\r\niWallet, kncchdigobghenbbaddojjnnaogfppfj\r\nWombat, amkmjjmmflddogmhpjloimipbofnfjih\r\nOxygen, fhilaheimglignddkjgofkcbgekhenbh\r\nMew CX, nlbmnnijcnlegkjjpcfjclmcfggfefdm\r\nGuildWallet, nanjmdknhkinifnkgdcggcfnhdaammmj\r\nSaturn Wallet, nkddgncdjgjfcddamfgcmfnlhccnimig\r\nTerra Station, aiifbnbfobpmeekipheeijimdpnlpgpp\r\nHarmony, fnnegphlobjdpkhecapkijjdkgcjhkib\r\nCoin98, aeachknmefphepccionboohckonoeemg\r\nEver Wallet, cgeeodpfagjceefieflmdfphplkenlfk\r\nKardiaChain Wallet, pdadjkfkgcafgbceimcpbkalnfnepbnk\r\nExfiltration to C2 \u0026 Exiting\r\nTo send the stolen information to the actor, the malware uses HTTP POST requests to a C2. These C2s are usually short domains on the .top TLD. The malware begins by creating a zip of the exfil directory with a random filename in the %temp% directory. These zips have a password of \"ZtuLN8Gg5KCmc6oB6MeEzQ\".\r\nFigure 5: Sending zip to the C2\r\nOnce the malware has created the zip, it calls the function that exfiltrates to the C2. Within this function it begins by manually building a form POST body containing the zip. Once the POST body has been created, the malware sets the request headers, which the C2 uses to verify that an incoming POST was made by the malware. The C2 domain is kept in the binary in cleartext. With the majority of the request built, the malware calls HttpOpenRequestW against the C2 with a path of \"index.php\" and then sends the request. If the request was successful the malware returns; if not, it calls the exfil function again.\r\nNow that the stolen information has been sent to the C2, the malware cleans up by deleting itself from disk. To accomplish this it builds the following command:\r\n/c rd /s /q %Temp%\\exfil_directory \u0026 timeout 4 \u0026 del /f /q \\malware_directory\r\nThe malware calls ShellExecuteW to run the above command with cmd. This command deletes the exfil directory and its contents, then sleeps for 4 seconds to give the malware time to exit. After the sleep is done it deletes the malware.\r\nConclusion\r\nCryptBot is a capable but simple piece of malware that gets the job done. I hope that this blog post has shone a light on the malware, as well as how it functions. The C2s used in the malware are constantly updated. I believe that they are proxies to the real malware C2, which is hosted on a FastFlux network to hide its real location. A huge thank you to Steved3 for editing this post. Thank you for reading and see you in the next blog post!\r\nIOCS:\r\n24336a3c69f863981df13cc9c2cc8fe002d642962fc1d12c87062a8e5d273889\r\nbridmz52.top\r\nSource: https://fr3d.hk/blog/cryptbot-too-good-to-be-true",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://fr3d.hk/blog/cryptbot-too-good-to-be-true"
	],
	"report_names": [
		"cryptbot-too-good-to-be-true"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03afe5da7785b2661c403086f261230ea67a4d0d.pdf",
		"text": "https://archive.orkl.eu/03afe5da7785b2661c403086f261230ea67a4d0d.txt",
		"img": "https://archive.orkl.eu/03afe5da7785b2661c403086f261230ea67a4d0d.jpg"
	}
}