{
	"id": "3a31f15a-86d8-4b49-baf8-377c7552de42",
	"created_at": "2026-04-06T00:06:31.218096Z",
	"updated_at": "2026-04-10T03:20:45.978264Z",
	"deleted_at": null,
	"sha1_hash": "80c4bec5cb8ed9ae4b657ff0a4c17c0f6aadf1b0",
	"title": "CryptBot Info-stealer Malware Being Distributed in Different Forms - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1633002,
	"plain_text": "CryptBot Info-stealer Malware Being Distributed in Different Forms - ASEC\r\nBy ATCP\r\nPublished: 2021-06-07 · Archived: 2026-04-05 12:47:34 UTC\r\nCryptBot is an info-stealer malware distributed through malicious sites disguised as utility program download pages. When users search for keywords such as the names of certain programs, cracks, and serial numbers, the related distribution sites are exposed at the top of the search results page. Upon connecting to the page and clicking the download button, the user is redirected to the CryptBot malware download page.\r\nNumerous malicious sites were created using various keywords. When searching the most popular software keywords, many malicious sites appear on the top page, and a large number of related files are also detected. If the websites below appear when surfing the web, never download or run files from those websites.\r\nhttps://asec.ahnlab.com/en/24423/\r\nPage 1 of 13\r\nFigure 1. Malicious sites created with various keywords\r\nFigure 2. Redirected file download pages\r\nThe file downloaded from the distribution website is a ZIP compressed file. Inside the file is another ZIP file that contains encrypted malware and a text file with a password. Because the name of the ZIP file consists of keywords that the user has searched, the user may think of it as a normal program. The text file contains ASCII art and a password for decompression.\r\nFigure 3. Decompression password and ASCII art inside txt file\r\nThe filename of the ZIP file is the same as the keyword that users have searched, but the actual malware executable has a filename disguised as an installer, as in the examples below.\r\nsetup_x86_x64_install.exe\r\nMainsetupv1.0.exe\r\nnewfullserup.exe\r\nSetup.exe\r\nx32_x64_mainsetup.exe\r\nmain-setupfile.exe\r\nThis malware was previously distributed in 7z SFX form, but recently it was found to be distributed in a completely different form. AhnLab named the packing format ‘MalPE’ and has been responding to it. Various malware strains such as Glupteba, Raccoon Stealer, and Nemty Ransomware have been packed and distributed in this format. It is a packing method that is still actively used.\r\nFigure 4. Comparing property information of each packing method (Left: 7z SFX and Right: MalPE)\r\nThe MalPE-packed sample has a randomly named resource item containing random strings and a String Table resource, as seen below. It appears that this is to bypass anti-malware detection by being randomly changed upon every distribution.\r\nFigure 5. MalPE sample resource information\r\nUpon execution, the packer decodes the data, which has a ‘shellcode + PE binary’ structure, copies it into an allocated area of virtual memory, and runs it. The shellcode then runs the PE binary via the process hollowing technique. Most malware strains use a similar method to hide the actual internal malicious data.\r\nFigure 6. Shellcode inside MalPE packer\r\nFigure 7. PE binary inside MalPE packer\r\nCryptBot malware steals the infected PC’s information as well as various user information and sends them to the server. It also downloads and installs additional malware. The additionally downloaded malware is usually ClipBanker, but there have also been cases of other types of malware being distributed, such as Formbook and SmokeLoader.\r\nFigure 8. Sending information to C2 and downloading additional malware\r\nFigure 9. User information sent to C2\r\nCurrently, the additionally downloaded malware uses the same 7z SFX packing method used by the previous CryptBot. The malware drops ClipBanker and another 7z SFX file and runs both of them. The 7z SFX file simply connects to a specific C2 and deletes itself. Such activity is thought to confirm the number and IPs of the infected PCs. The packing analysis from 7z SFX to AutoIt is explained in detail in a previous blog post.\r\nFigure 10. Sending IP information\r\nThe picture below is a summary of a general CryptBot-related infection flow. Additionally downloaded samples can be changed at any time if the attacker wishes.\r\nFigure 11. Malware infection flow\r\nThe attacker seems to be distributing malware after packing it in various forms to bypass anti-malware detection. There is a possibility that the attacker may use other packing methods to distribute malware in the future. The ASEC team is closely monitoring the relevant attack processes and responds quickly every time a change occurs. Users must download software from official distribution channels and not use illegal programs such as cracks.\r\nAhnLab’s anti-malware solution, V3, detects and blocks the MalPE and 7z SFX forms of CryptBot malware using the Generic aliases below.\r\n[Alias]\r\nMalPE form\r\nWin-Trojan/MalPeP.mexp\r\nTrojan/Win.MalPE.R424458\r\n7z SFX form\r\nTrojan/BAT.CryptLoader.S1531\r\nExecution/MDP.Scripting.M3728\r\nMD5\r\n1dd7d594dc2c9a017ec5e11602ebc37e\r\n3d1e5706bdb597866e264e523a235905\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//morzcm07[.]top/index[.]php\r\nhttp[:]//nimjso71[.]top/index[.]php\r\nhttp[:]//nimyol77[.]top/index[.]php\r\nhttp[:]//noirki10[.]top/downfiles/lv[.]exe\r\nhttp[:]//noirki10[.]top/download[.]php?file=lv[.]exe\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/24423/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/24423/"
	],
	"report_names": [
		"24423"
	],
	"threat_actors": [],
	"ts_created_at": 1775433991,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80c4bec5cb8ed9ae4b657ff0a4c17c0f6aadf1b0.pdf",
		"text": "https://archive.orkl.eu/80c4bec5cb8ed9ae4b657ff0a4c17c0f6aadf1b0.txt",
		"img": "https://archive.orkl.eu/80c4bec5cb8ed9ae4b657ff0a4c17c0f6aadf1b0.jpg"
	}
}