Modified CryptBot Infostealer Being Distributed By ATCP
Published: 2022-02-09 · Archived: 2026-04-05 22:27:22 UTC

CryptBot is an infostealer that is usually distributed under the disguise of web pages that share cracks and tools. The distribution pages appear at the top of the search results of search engines such as Google, so the risk of infection is high, and the number of relevant detection cases is also relatively high. The ASEC analysis team had thus advised users on these threats in the previous blog posts:

CryptBot Infostealer Constantly Changing and Being Distributed
CryptBot Info-stealer Malware Being Distributed in Different Forms

CryptBot is one of the most actively changing malware families, with new distribution pages constantly being created. This blog explains the details of the recently modified version of CryptBot that is currently being distributed.

When the user clicks the download button in a post on a cracks-and-tools sharing website created by the attacker, the user is redirected multiple times, ultimately landing on the distribution page, and new types of such redirections are constantly being created. The figure below shows relatively newly created distribution pages.

Figure 1. Examples of web pages distributing malware

Not only are the distribution pages changing, but CryptBot itself is also actively changing, and a new version with large-scale modifications has recently been distributed. Compared to the previous version, a few of the additional features were deleted for simplification, and the infostealing code was modified to adapt to the new browser environment.

First, a few of the distinctive features of CryptBot were deleted. The anti-sandbox routine, which checks the CPU name of the infected system and terminates without performing any malicious behavior when it finds a 'Xeon' processor, was removed. The anti-VM routine that checks the number of CPU cores and the amount of memory remains the same.

The behavior that saves the stolen information to two different folders and sends each folder to a different C2 was also deleted. This means that in the previous version there were two infostealing C2s and one C2 for downloading additional malware, but in the currently distributed version there is only one infostealing C2.

Figure 2. Comparing C2 transmission of the previous CryptBot (top) and the modified CryptBot (bottom)

The code shows that when sending files, the method of manually appending the file data to the HTTP header was replaced with one that uses a simple API. The User-Agent value used when sending was also modified. The previous version calls the function twice to send to each of the two C2s, but in the modified version a single C2 URL is hard-coded in the function.

Figure 3. Comparing the C2 transmission code of the previous CryptBot (top) and the modified CryptBot (bottom)

The infostealing features that collected TXT files on the desktop and took screenshots of the screen were also deleted. The self-deletion behavior, which was performed when the anti-VM routine detected a virtual environment or when all malicious behavior had completed and the malware terminated, was also deleted.

Figure 4. Comparing the main routine function of the previous CryptBot (left) and the modified CryptBot (right)

Not only were features deleted, but there were also feature improvement patches. The previous version of CryptBot used the path names of older Chrome versions when stealing Chrome browser information, so it could not steal information from Chrome v96, released in November 2021, or later versions. The recently modified sample includes all the newest Chrome path names. The previous version's code was also structured so that if even one piece of data from the list of target data did not exist, the whole infostealing routine failed. As a result, infostealing succeeded only when the infected system used Chrome browser v81 – v95. The recently improved code steals whatever target data exists, regardless of the version.

Figure 5. Comparing the path names of the target information for stealing of the previous CryptBot (left) and the modified CryptBot (right)

The creator had thus applied a feature improvement patch for the malicious behavior and also removed many unnecessary features. As CryptBot's packing method, internal code, C2, etc. actively change, and as its distribution pages are easily exposed, user caution is advised.

The following is the IOC information of CryptBot that has been distributed over the past week.

MD5
0169a24e049b4a8737256f06a7b666d2
0ceba86a7ab680d71f3dc99bbbec3368
1db0cc5e74198d5c09237795279efb28
26f659c0b4125fcaec364fdcbdece018
28e1397f9233badf815e22ef2e13634f

URL
http[:]//gewfec07[.]top/download[.]php?file=insane[.]exe
http[:]//gewfih05[.]top/download[.]php?file=fusate[.]exe
http[:]//gewtuq10[.]top/download[.]php?file=swaths[.]exe
http[:]//gewuib08[.]top/download[.]php?file=scrods[.]exe
http[:]//jugfwr33[.]top/index[.]php

Additional IOCs are available on AhnLab TIP. Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.

Source: https://asec.ahnlab.com/en/31802/
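The published IOCs are defanged (`[.]`, `[:]`), so they cannot be matched against logs as-is. The following script is an added example, not part of the ASEC post or any AhnLab tooling: it refangs the URL and MD5 indicators listed above and runs them over a constructed squid-style proxy log and a constructed file-hash inventory. Matching is done on host plus path rather than on the full URL, so a request to the same `download.php` with a different `file=` name still hits, and a request to a listed host with an unlisted path is reported as a weaker host-level match. The log format, client addresses, timestamps and hashes in the sample data are assumed.

```python
"""Match the CryptBot IOCs published above against constructed log data.

Added example (not ASEC's code). The indicator values are the ones in the post;
the proxy log lines and the file inventory are constructed sample data, and the
squid-style access log layout is an assumption.
"""
import re
from urllib.parse import urlsplit

# URL indicators exactly as published (defanged) in the post.
DEFANGED_URLS = [
    "http[:]//gewfec07[.]top/download[.]php?file=insane[.]exe",
    "http[:]//gewfih05[.]top/download[.]php?file=fusate[.]exe",
    "http[:]//gewtuq10[.]top/download[.]php?file=swaths[.]exe",
    "http[:]//gewuib08[.]top/download[.]php?file=scrods[.]exe",
    "http[:]//jugfwr33[.]top/index[.]php",
]

# MD5 indicators as published in the post.
KNOWN_MD5S = {
    "0169a24e049b4a8737256f06a7b666d2",
    "0ceba86a7ab680d71f3dc99bbbec3368",
    "1db0cc5e74198d5c09237795279efb28",
    "26f659c0b4125fcaec364fdcbdece018",
    "28e1397f9233badf815e22ef2e13634f",
}


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions so the value parses as a URL."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    # "hxxp://" and "hxxps://" are another common convention; normalise them too.
    s = re.sub(r"^hxxps?", lambda m: m.group(0).lower().replace("xx", "tt"), s, flags=re.I)
    return s


def build_index(defanged_urls):
    """Return ({(host, path): ioc}, {host}) lookups built from the defanged list."""
    by_url, hosts = {}, set()
    for ioc in defanged_urls:
        u = urlsplit(refang(ioc))
        host = (u.hostname or "").lower()
        by_url[(host, u.path)] = ioc
        hosts.add(host)
    return by_url, hosts


# Constructed squid access log: ts elapsed client code/status bytes method url ...
SAMPLE_LOG = """\
1644390000.123    412 10.0.0.15 TCP_MISS/200 15231 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1644390001.456    981 10.0.0.15 TCP_MISS/200 1020314 GET http://gewtuq10.top/download.php?file=swaths.exe - HIER_DIRECT/198.51.100.7 application/octet-stream
1644390002.789    120 10.0.0.22 TCP_MISS/200 532 POST http://jugfwr33.top/index.php - HIER_DIRECT/198.51.100.9 text/html
1644390003.001    300 10.0.0.22 TCP_MISS/200 2048 GET http://gewtuq10.top/other.php - HIER_DIRECT/198.51.100.7 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def scan_proxy_log(log_text: str, defanged_urls=DEFANGED_URLS):
    """Return (client, method, tier, indicator) for each request touching an IOC.

    tier is "url" for a host+path match and "host" for a host-only match.
    """
    by_url, hosts = build_index(defanged_urls)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-match
        u = urlsplit(m.group("url"))
        host = (u.hostname or "").lower()
        if (host, u.path) in by_url:
            hits.append((m.group("client"), m.group("method"), "url", by_url[(host, u.path)]))
        elif host in hosts:
            hits.append((m.group("client"), m.group("method"), "host", host))
    return hits


# Constructed file inventory, as an AV/EDR hash export would provide it.
SAMPLE_INVENTORY = [
    ("C:\\Users\\alice\\Downloads\\swaths.exe", "1DB0CC5E74198D5C09237795279EFB28"),
    ("C:\\Windows\\System32\\notepad.exe", "00000000000000000000000000000000"),
]


def scan_hashes(inventory, known=KNOWN_MD5S):
    """Return the paths whose MD5 (case-insensitive) is in the published list."""
    return [path for path, md5 in inventory if md5.lower() in known]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("proxy hit:", hit)
    for path in scan_hashes(SAMPLE_INVENTORY):
        print("hash hit:", path)
```

Running the block flags the download of `swaths.exe` and the POST to `index.php` as full URL matches, the `other.php` request as a host-level match worth a look, and the downloaded file by hash. Since the post notes that CryptBot's C2 and packing change frequently, hash matches will age quickly; the host and path patterns are the more durable signal, and the `download.php?file=<name>.exe` shape on a freshly registered `.top` domain is what a hunt query would generalise on.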