{
	"id": "80bdfbcc-fb4b-4ffc-9985-546135e7e6f6",
	"created_at": "2026-04-06T00:20:15.726161Z",
	"updated_at": "2026-04-10T03:21:20.351235Z",
	"deleted_at": null,
	"sha1_hash": "307c2b11c52f88cb25c7e6a7d471e7c6754ed8f4",
	"title": "40,000 CryptBot Downloads per Day",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31877,
	"plain_text": "40,000 CryptBot Downloads per Day\r\nBy Karsten Hahn\r\nPublished: 2020-02-27 · Archived: 2026-04-05 15:45:51 UTC\r\nAutoHotkey Downloader\r\nWe found the Bitbucket repository via a malicious AutoHotkey downloader[1]. The AutoHotkey script is located in\r\nthe PE resources with the RCDATA resource type. We used Resource Hacker to access the script (see image\r\nbelow).\r\nThe downloader checks IP and location information of the infected system via http://ip-api.com/line/ and puts the\r\nresult into %TEMP%/ip_.txt. Then it calls two shortened URLs at https://iplogger.org. This URL shortener service\r\nprovides statistics and location tracking for the shortened links. The site's content is downloaded to\r\n%TEMP%/loger.txt and %TEMP%/loger2.txt.\r\nIt proceeds to check the country code in ip_.txt and will download PCBoosterSetup.exe[8] for the following\r\ncountry codes: TR, FR, US, DE, GB, HR, HU, RO, PL, IT, PT, ES, CA, DK, AT, NL, AU, AR, NP, SE, BE, NZ,\r\nSK, SO, GR, BG\r\nSource: https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger"
	],
	"report_names": [
		"35802-bitbucket-abused-as-malware-slinger"
	],
	"threat_actors": [],
	"ts_created_at": 1775434815,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/307c2b11c52f88cb25c7e6a7d471e7c6754ed8f4.pdf",
		"text": "https://archive.orkl.eu/307c2b11c52f88cb25c7e6a7d471e7c6754ed8f4.txt",
		"img": "https://archive.orkl.eu/307c2b11c52f88cb25c7e6a7d471e7c6754ed8f4.jpg"
	}
}