{
	"id": "e310481f-89aa-4a43-8d0e-10d9c34400d4",
	"created_at": "2026-04-06T01:32:18.178925Z",
	"updated_at": "2026-04-10T03:21:26.807346Z",
	"deleted_at": null,
	"sha1_hash": "fa9b11fe0e2479f5c113800bc93cf70911822e75",
	"title": "CryptBot Infostealer: Malware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3310327,
	"plain_text": "CryptBot Infostealer: Malware Analysis\r\nBy khr0x\r\nPublished: 2023-01-26 · Archived: 2026-04-06 00:24:11 UTC\r\nWe recently analyzed CryptBot, an infostealer detected by the ANY.RUN online malware sandbox.\r\nThrough our research, we collected information about the MITRE ATT\u0026CK techniques used by this malware. We\r\nalso learned how this infostealer stores and encrypts its configuration, and we wrote a Python\r\nscript to extract the configuration.\r\nLet’s go over the whole process step-by-step.\r\nBrief description of CryptBot malware\r\nCryptBot is an infostealer targeting Windows operating systems that was first discovered in the wild in 2019. It is\r\ndesigned to steal sensitive information from infected computers, such as browser credentials, cryptocurrency\r\nwallets, browser cookies, credit card information, and screenshots of the infected system. It is distributed through\r\nphishing emails and cracked software.\r\nCryptBot dynamic analysis in a malware sandbox\r\nDuring the analysis we’ll take a look at the sample:\r\nA single process (Fig. 1) is created when the malware starts, which actively uses the file system (15k+ events) and\r\nthe registry (2k+ events).\r\nFig. 1 — CryptBot’s process\r\nOK, now that we have the basics out of the way, let’s break down this malware and list all of the techniques it uses.\r\nWe’ll sort the information by technique as we go from here.\r\nCredentials from password stores: credentials from web browsers (T1555.003)\r\nCryptBot steals information from popular browsers (Chrome, Firefox, and Edge), as the “Actions looks like\r\nstealing of personal data” indicator (Fig. 2) and the “Reads browser cookies” indicator tell us:\r\nhttps://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/\r\nPage 1 of 14\n\nFig. 2 — CryptBot steals Firefox data\r\nTo detect access to personal data stored in the browser, we can use the pseudo-signature:\r\nprocess_name NOT (“chrome.exe”, “firefox.exe”, “msedge.exe”, “opera.exe”)\r\nAND\r\nfile_access (\r\n%LOCALAPPDATA%\\\\MICROSOFT\\\\EDGE\\\\USER DATA\\\\*,\r\n%APPDATA%\\\\Roaming\\\\Mozilla\\\\Firefox\\\\*,\r\n%LOCALAPPDATA%\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\*,\r\n%LOCALAPPDATA%\\\\AppData\\\\Local\\\\Opera Software\\\\Opera Stable\\\\*\r\n)\r\nSoftware discovery (T1518)\r\nCryptBot checks for installed software by walking the “Uninstall” registry tree\r\n(Fig. 3):\r\nFig. 3 — CryptBot searches for installed software\r\nTo detect an attempt to access the list of installed software, we can use a pseudo-signature:\r\nreg_key is (“HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall”)\r\nAND\r\noperation read\r\nSystem information discovery (T1082)\r\nThe malware collects system information, including the operating system installation date, computer name, key, and CPU\r\ninformation, and this behavior triggers the corresponding indicators (Fig. 4):\r\nFig. 4 — CryptBot collects system information\r\nThe collection of system configuration information can be detected by watching access to certain registry keys. For\r\nexample, reading the system installation date can be detected with the following pseudo-signature:\r\nreg_key is (“HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION”)\r\nAND\r\nreg_name is (“INSTALLDATE”)\r\nAND\r\noperation read\r\nApplication layer protocol: web protocols (T1071.001)\r\nCryptBot sends the collected OS information and personal data to the control server, which we can see in multiple\r\nconnection attempts (see Fig. 5):\r\nFig. 5 — CryptBot attempts to send data to the control server\r\nWe can detect attempts to connect to the C2 server with the following pseudo-signature:\r\nnetwork connect\r\nAND\r\n(\r\ndomains are (“sginiv12[.]top” or “bytcox01[.]top”)\r\nOR (ip == “23[.]217.138.108” and port == 80)\r\n)\r\nAdditionally, we investigated the content of the network stream and found that the data is sent over\r\nHTTP, using a POST request with an attached file (see Fig. 6). Having restarted the malware several\r\ntimes, we found that the file name is most likely randomly generated. However, the request is always sent to the\r\n“gate.php” page.\r\nFig. 6 — Malware sends information to the control server\r\nPotentially malicious traffic is also detected by the Suricata rules (see Fig. 7):\r\nFig. 7 — Potentially malicious traffic detected by the Suricata rules\r\nLet’s create a pseudo-signature to detect CryptBot in the traffic:\r\nnetwork send\r\nAND\r\nhttp_verb is “POST” AND location is “gate.php”\r\nAND\r\nhttp_content includes (“form-data”, “name=\\”files[]\\””, “filename”)\r\nAnalyzing the contents of the transmitted file gives nothing of interest, since it is probably encrypted.\r\nData staged: local data staging (T1074.001)\r\n1. Preventing re-runs\r\nWhen we launch the malware for the first time, an empty marker directory named\r\n“0D445946B53E9551” is created in the “%APPDATA%” directory (Fig. 8). This directory allows the malware to determine whether it\r\nhas been launched before. If CryptBot is restarted, it stops working immediately.\r\nFig. 8 — Marker directory 0D445946B53E9551\r\nLet’s make a pseudo-signature to detect the creation of the marker directory:\r\naction create_directory\r\nAND\r\ndirectory_name is (“^%APPDATA%\\\\[A-F0-9]{16}$”)\r\n2. Storing collected data\r\nCollected information is stored in temporary files in various formats (sqlite, binary, text) in the %TEMP%\r\ndirectory (Fig. 9):\r\nFig. 9 — Temporary files in the %TEMP% directory\r\nFor example, in Fig. 10 we see the content of one of the created temporary files, where information about the\r\nstolen logins and passwords is stored in Base64 format. Note that the data also includes the website to which each\r\nlogin-password pair corresponds:\r\nFig. 10 — The contents of the files with the collected information\r\nTo detect the creation of temporary files with personal data, we can, for example, apply the following pseudo-signature:\r\nprocess_name NOT (“chrome.exe”)\r\nAND\r\nfile_create (“%TEMP%\\\\*.tmp”)\r\nAND\r\nfile_content includes (\r\n*username*,\r\n*password*\r\n)\r\nIndicator removal: file deletion (T1070.004)\r\nWhen the malware is done running, it removes itself using CMD.EXE with a short delay to give the process time\r\nto finish and unblock the executable file (Fig. 11):\r\nFig. 11 — The malware self-deletes\r\nWe can use the following pseudo-signature on the command line for detection:\r\nprocess_name is (“cmd.exe”)\r\nAND\r\ncommand_line includes (“timeout”, “del”)\r\nCryptBot dynamic analysis using a debugger\r\nStatic packer check\r\nIn general, it’s a best practice to check the file statically to figure out its type and whether a packer is present before\r\nconducting the dynamic analysis. Doing that with the DiE (Detect It Easy) tool shows that the file is not packed (see Fig. 12):\r\nFig. 12 — Checking the malware file statically to detect a packer\r\nIn this case, even though we didn’t find a packer during our static analysis, the dynamic analysis revealed that the\r\nmalware uses software packing (T1027.002).\r\nObfuscated files or information: software packing (T1027.002)\r\nBy analyzing the memory of the running process with Process Hacker, we come across an RWX region that is not\r\nnormally found in legitimate programs. The beginning of the dump of this region shows the header of a\r\nPE file (see Fig. 13):\r\nFig. 13 — CryptBot’s memory dump of a running process\r\nOn further analysis we discovered that the header of the PE file is also the beginning of the shellcode (see Fig.\r\n14), which recovers the register value, gets the ImageBase and passes control to the EntryPoint:\r\nFig. 14 — Disassembling the PE header\r\nUsing the x64dbg debugger we determined that the executable memory region is allocated by the unpacker\r\nusing the WinAPI VirtualAlloc function. Next, the unpacker writes the payload to it and decrypts it with an XOR\r\noperation (see Fig. 15):\r\nFig. 15 — Decrypting payload using XOR\r\nThe key to decrypt the payload is in the “.rdata” section of the running executable:\r\nFig. 16 — Key to decrypt the payload\r\nThus, despite finding no trace of the payload in the static analysis, with dynamic analysis\r\nwe have identified the presence of a packer and determined the key and the encryption algorithm.\r\nWriting YARA rules to detect CryptBot shellcode in memory\r\nA YARA rule for detecting CryptBot shellcode in OS memory could look like this:\r\nrule CryptBot_ShellCode\r\n{\r\nmeta:\r\n author = \"Any.Run\"\r\n SHA256 = \"183f842ce161e8f0cce88d6451b59fb681ac86bd3221ab35bfd675cb42f056ac\"\r\n date = \"2023-01-19\"\r\n description = \"Detect CryptBot shellcode in memory\"\r\nstrings:\r\n $shellcode = { 4D 5A 45 52 E8 00 00 00 00 58 83 E8 09 50 05 [4] FF D0 C3 }\r\ncondition:\r\n uint16(0) != 0x5A4D and\r\n uint16(0) \u003e 0 and\r\n $shellcode in (0x20..0x50)\r\n}\r\nStatic analysis and configuration decoding\r\nFinding and deciphering the configuration\r\nThe static analysis of the payload code led us to the conclusion that the malware configuration is located in the\r\n“.data” section and encrypted with an XOR operation. Moreover, the decryption key lies in plaintext just before\r\nthe encrypted data (see Fig. 17):\r\nFig. 17 — Key and encrypted configuration\r\nThe configuration is easily decrypted using CyberChef and the key “PU7GX2MZtl” (see Fig. 18):\r\nFig. 18 — CryptBot decrypted configuration\r\nFrom the decrypted configuration it becomes clear what information CryptBot is set to steal. For example,\r\nthe screenshot variable tells the malware to take a screenshot, and ChromeExt tells it to steal data from Chrome\r\nextensions.\r\nAutomating configuration decryption\r\nWe have automated the CryptBot configuration extraction in Python and made the script public. You can always\r\nfind it in our Git repo. The script’s output for the unpacked payload is shown in Fig. 19:\r\nFig. 19 — The result of the configuration extraction script\r\nDeveloping YARA rules for detecting CryptBot configuration in memory\r\nSome strings of the decrypted CryptBot configuration can be used as part of a YARA rule to detect it in memory:\r\nrule CryptBot_Config {\r\nmeta:\r\n author = \"Any.Run\"\r\n SHA256 = \"183f842ce161e8f0cce88d6451b59fb681ac86bd3221ab35bfd675cb42f056ac\"\r\n date = \"2022-01-19\"\r\n description = \"Detect CryptBot configuration in memory\"\r\nstrings:\r\n $s1 = \"CookiesEdge\"\r\n $s2 = \"ChromeDB\u003c\u003e_\u003c\u003e\"\r\n $s3 = \"EdgeDB\u003c\u003e_\u003c\u003e\"\r\n $s4 = \"ChromeExt\u003c\u003e_\u003c\u003e\"\r\n $s5 = \"HistoryChrome\u003c\u003e_\u003c\u003e\"\r\n $s6 = \"EdgeExt\u003c\u003e_\u003c\u003e\"\r\n $s7 = \"CookiesFirefox\u003c\u003e_\u003c\u003e\"\r\n $s8 = \"HistoryOpera\u003c\u003e_\u003c\u003e\"\r\n $s9 = \"CookiesOpera\u003c\u003e_\u003c\u003e\"\r\n $s10 = \"FirefoxDB\u003c\u003e_\u003c\u003e\"\r\n $s11 = \"CookiesChrome\u003c\u003e_\u003c\u003e\"\r\n $s12 = \"HistoryFirefox\u003c\u003e_\u003c\u003e\"\r\n $s13 = \"HistoryEdge\u003c\u003e_\u003c\u003e\"\r\n $s14 = \"DesktopFolder\u003c\u003e_\u003c\u003e\"\r\n $s15 = \"ChromeDBFolder\u003c\u003e_\u003c\u003e\"\r\n $s16 = \"ExternalDownload\u003c\u003e_\u003c\u003e\"\r\n $s17 = \"ScreenFile\u003c\u003e_\u003c\u003e\"\r\n $s18 = \"MessageAfterEnd\u003c\u003e_\u003c\u003e\"\r\n $s19 = \"HistoryFile\u003c\u003e_\u003c\u003e\"\r\n $s20 = \"FirefoxDBFolder\u003c\u003e_\u003c\u003e\"\r\n $s21 = \"PasswordFile\u003c\u003e_\u003c\u003e\"\r\n $s22 = \"WalletFolder\u003c\u003e_\u003c\u003e\"\r\n $s23 = \"DeleteAfterEnd\u003c\u003e_\u003c\u003e\"\r\n $s24 = \"EdgeDBFolder\u003c\u003e_\u003c\u003e\"\r\n $s25 = \"InfoFile\u003c\u003e_\u003c\u003e\"\r\n $s26 = \"CookiesFile\u003c\u003e\"\r\ncondition:\r\n 7 of them\r\n}\r\nUsing ANY.RUN to efficiently analyze CryptBot\r\nFor your convenience, we have integrated automatic extraction of the CryptBot configuration into the ANY.RUN\r\ninteractive sandbox — just run the sample and get all the IOCs in seconds (Fig. 20):\r\nFig. 20 — Automatic CryptBot configuration extraction in ANY.RUN sandbox\r\nConclusion\r\nIn this article, we looked into CryptBot, its techniques and behavior when contained in the ANY.RUN sandbox.\r\nWe also wrote a configuration extractor that you can use to gather and interpret the data.\r\nFortunately, ANY.RUN is already set up to detect this malware automatically, making the relevant configuration\r\ndetails just a click away.\r\nIf you want to read more content like this, check out our analysis of the Raccoon Stealer, or Orcus RAT.\r\nAppendix\r\nAnalyzed files\r\nTitle | Description\r\nName | 12d20a973f8cd9c6373929ae14efe123.exe\r\nMD5 | 12d20a973f8cd9c6373929ae14efe123\r\nSHA1 | 7f277f5f8f9c2831d40a2dc415566a089a820151\r\nSHA256 | 183f842ce161e8f0cce88d6451b59fb681ac86bd3221ab35bfd675cb42f056ac\r\nExtracted URLs\r\nhttp://sginiv12[.]top/gate.php\r\nhttp://bytcox01[.]top/gesell.dat\r\nMITRE ATT\u0026CK\r\nTactics | Techniques | Description\r\nTA0005: Defence Evasion | T1070.004: Indicator Removal: File Deletion | Self-deleting after completion\r\nTA0005: Defence Evasion | T1027.002: Obfuscated Files or Information: Software Packing | Malware is decrypted into memory before it starts working\r\nTA0006: Credential Access | T1555.003: Credentials from Web Browsers | Steals data from installed browsers\r\nTA0007: Software discovery | T1518: Software Discovery | Searches for installed software in the system in the “Uninstall” key\r\nTA0007: Software discovery | T1082: System Information Discovery | Collects system data\r\nTA0009: Collection | T1113: Screen Capture | Has a configuration option to take a screenshot\r\nTA0009: Collection | T1074: Data Staged | Saving of gathered data in a temporary directory before sending; prevention of relaunch\r\nTA0011: Command and Control | T1071: Application Layer Protocol | Sending collected data to the control server\r\nANY.RUN malware analyst\r\nkhr0x\r\nI'm 21 years old and I have worked as a malware analyst for more than a year. I like finding out what kind of malware got\r\non my computer. In my spare time I do sports and play video games.\r\nSource: https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/"
	],
	"report_names": [
		"cryptbot-infostealer-malware-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775439138,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa9b11fe0e2479f5c113800bc93cf70911822e75.pdf",
		"text": "https://archive.orkl.eu/fa9b11fe0e2479f5c113800bc93cf70911822e75.txt",
		"img": "https://archive.orkl.eu/fa9b11fe0e2479f5c113800bc93cf70911822e75.jpg"
	}
}