{
	"id": "a43310a7-6612-408e-b7c5-604489c71270",
	"created_at": "2026-04-06T00:17:30.074094Z",
	"updated_at": "2026-04-10T03:21:36.092581Z",
	"deleted_at": null,
	"sha1_hash": "e6d9921c917073a0341f3fe052ec8ee87ae024fd",
	"title": "Modified CryptBot Infostealer Being Distributed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1982942,
	"plain_text": "Modified CryptBot Infostealer Being Distributed\r\nBy ATCP\r\nPublished: 2022-02-09 · Archived: 2026-04-05 22:27:22 UTC\r\nCryptBot is an infostealer that is usually distributed under the disguise of web pages that share cracks and tools. The distribution pages are exposed at the top of the search result page of search engines such as Google, so the risk of infection is high, and the number of relevant detection cases is also relatively high. The ASEC analysis team had thus advised users on these relevant threats in the previous blog posts.\r\nCryptBot Infostealer Constantly Changing and Being Distributed\r\nCryptBot Info-stealer Malware Being Distributed in Different Forms\r\nCryptBot is one of the most actively changing malware families, with its distribution pages constantly being newly created. This blog will explain the details of the recently modified version of CryptBot that is currently being distributed.\r\nWhen the user clicks the download button in a post disguised as a cracks and tools sharing website created by the attacker, the user is redirected multiple times, ultimately landing on the distribution page, and new types of such redirections are constantly being created. The figure below shows relatively newly created distribution pages.\r\nhttps://asec.ahnlab.com/en/31802/\r\nPage 1 of 5\r\nFigure 1. Examples of web pages distributing malware\r\nNot only are the distribution pages changing, but CryptBot itself is also actively changing, and a new version with a large-scale modification has recently been distributed. Compared to the previous version, a few of the additional features were deleted for simplification, and the infostealing code was modified to adapt to the new browser environment.\r\nFirst, a few of the distinctive features of CryptBot were deleted. The anti-sandbox routine, which checks the CPU name of the infection target and terminates without malicious behavior in the case of a ‘Xeon’ environment, was removed. The anti-VM routine that checks the number of CPU cores and the amount of memory remains the same.\r\nThe behavior that saves the stolen information to two different folders and sends each folder to a different C2 was also deleted. This means that in the previous version, there were two infostealing C2s and one C2 for downloading additional malware, but in the currently distributed version, there is only one infostealing C2.\r\nFigure 2. Comparing C2 transmission of previous CryptBot (top) and modified CryptBot (bottom)\r\nThe code shows that when sending files, the method of manually adding the sent file data to the header was changed to a method that uses a simple API. The user-agent value used when sending was also modified. The previous version calls the function twice to send to each of the two different C2s, but in the changed version, one C2 URL is hard-coded in the function.\r\nFigure 3. Comparing the C2 transmission code of the previous CryptBot (top) and the modified CryptBot (bottom)\r\nThe infostealing features of collecting TXT files on the desktop and taking screenshots of the screen were also deleted. The self-deletion behavior that was performed when the anti-VM routine detected a VM, or when all malicious behavior was completed and the malware terminated, was also deleted.\r\nFigure 4. Comparing the main routine function of the previous CryptBot (left) and the modified CryptBot (right)\r\nNot only were features deleted, but there were also feature improvement patches. The previous version of CryptBot used the pathname of the old version of Chrome when stealing Chrome browser information, so it could not steal information from Chrome v96, released in November 2021, and its later versions. The recently modified sample includes all the newest Chrome path names.\r\nThe previous version of the CryptBot code was structured in a way that if at least one piece of data out of the list of target data for stealing did not exist, the infostealing behavior would fail. So, infostealing was successful only when the infected system used Chrome browser v81 – v95. The recently improved code can steal if the target data exists, regardless of the version.\r\nFigure 5. Comparing the pathname of the target information for stealing of the previous CryptBot (left) and the modified CryptBot (right)\r\nThe creator had thus applied a feature improvement patch for the malicious behavior and also removed many unnecessary features. As CryptBot’s packing method, internal code, C2, etc. actively change, and as its distribution pages are easily exposed, user caution is advised.\r\nThe following is the IOC information of CryptBot that has been distributed over the past week.\r\nMD5\r\n0169a24e049b4a8737256f06a7b666d2\r\n0ceba86a7ab680d71f3dc99bbbec3368\r\n1db0cc5e74198d5c09237795279efb28\r\n26f659c0b4125fcaec364fdcbdece018\r\n28e1397f9233badf815e22ef2e13634f\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//gewfec07[.]top/download[.]php?file=insane[.]exe\r\nhttp[:]//gewfih05[.]top/download[.]php?file=fusate[.]exe\r\nhttp[:]//gewtuq10[.]top/download[.]php?file=swaths[.]exe\r\nhttp[:]//gewuib08[.]top/download[.]php?file=scrods[.]exe\r\nhttp[:]//jugfwr33[.]top/index[.]php\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/31802/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/31802/"
	],
	"report_names": [
		"31802"
	],
	"threat_actors": [],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6d9921c917073a0341f3fe052ec8ee87ae024fd.pdf",
		"text": "https://archive.orkl.eu/e6d9921c917073a0341f3fe052ec8ee87ae024fd.txt",
		"img": "https://archive.orkl.eu/e6d9921c917073a0341f3fe052ec8ee87ae024fd.jpg"
	}
}