{
	"id": "7792478e-9e1f-47d0-bbe4-14e1a8a2f1ac",
	"created_at": "2026-04-06T00:08:15.880588Z",
	"updated_at": "2026-04-10T13:11:37.426403Z",
	"deleted_at": null,
	"sha1_hash": "fd32ba9f72c237b0f77e6de38175fbd74064d865",
	"title": "Cryptbot downloader: A deep cryptanalysis - TEHTRIS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 221063,
	"plain_text": "Cryptbot downloader: A deep cryptanalysis - TEHTRIS\r\nBy Pierre-Henri PEZIER\r\nPublished: 2024-11-18 · Archived: 2026-04-05 18:46:14 UTC\r\nCryptbot is an advanced malware tool used in cyber-attacks, primarily targeting credentials, personal data, and\r\ncryptocurrency wallets. It functions as a stealer malware, capturing sensitive information like login credentials, browser\r\ncookies, and cryptocurrency wallet data. Distributed often through cracked software or malicious links, Cryptbot installs\r\nitself on victim devices without detection and begins data exfiltration. The stolen information is then sent to the attacker,\r\npotentially leading to identity theft or financial loss. Cryptbot is known for its rapid updates, making it difficult to detect and\r\ncounter.\r\nAmong the numerous updates related to Cryptbot, its droppers have also evolved rapidly. A new variant featuring enhanced\r\ncryptography was recently released, with its command-and-control (C2) infrastructure remaining active for an extended\r\nperiod.\r\nThe main objectives of this article are to thoroughly understand the obfuscation mechanisms and to develop an automated\r\nexfiltration script.\r\nAttack timeline\r\nBased on the PE compilation timestamps found in each sample’s PE header, the active attack timeline has been mapped out\r\nand visualized in the following heatmap. The attack appears to have been conducted over a one-month span, with activity\r\npeaking approximately one week after the campaign began.\r\nBased on the first submissions to VT (VirusTotal), we constructed a heatmap of the targeted victims. 
However, it is\r\nimportant to note that the submitter may not always be the actual target, so this data should be interpreted with caution.\r\nRussia appears to be the primary targeted country in this campaign.\r\nhttps://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/\r\nPage 1 of 33\n\nCode detail\r\nThe samples were developed using a compiler with the following flags: -m32 -Wa,--noexecstack -Qunused-arguments -O3\r\n-fPIC --static. These flags indicate 32-bit architecture, a non-executable stack (--noexecstack), optimized code\r\ngeneration (-O3), position-independent code (-fPIC), and static linking (--static).\r\nThe libraries libcurl 8.10.1 and OpenSSL 3.3.2 (3 Sep 2024) have been statically included in the sample. The\r\nobfuscator used to scramble the software’s data flow remains unidentified.\r\nDefense\r\nThe downloader includes defenses against reverse engineering and automated string extraction.\r\nData flow\r\nThe URLs of the C2 servers are stored in plaintext. To hinder automatic extraction, the last 6 to 8 bytes of each URL are\r\nappended to the URL, making the string difficult to extract statically. This mechanism is the only method of data obfuscation\r\nused in the program. A custom script has been developed to reconstruct these URLs, included in the appendices. Due to the\r\ncode’s susceptibility to modifications caused by compiler optimization, an alternative easter egg hunting technique was\r\napplied. This script is provided in the appendices.\r\nControl flow\r\nOnly the main function, which is responsible for calling the curl API, decrypting, and loading the DLL, has its control flow\r\nobfuscated. As shown in the capture below, the code is obfuscated using an extensive switch-case structure. 
However, due to\r\nthe code’s relatively small size, it provides only limited resistance to reverse engineering through dynamic analysis.\r\nStealth\r\nThe sample was developed with debugging features enabled. Since it is compiled as a GUI application, adjusting the PE\r\nheader to enable CLI functionality will cause a console window to appear, displaying debug messages.\r\nCommand and control\r\nIdentification\r\nThe full list of URLs is provided in the IOC (Indicators of Compromise) chapter. All identified C2 servers use a .top top-level domain (TLD).\r\nNetwork\r\nProtocols\r\nThe downloader retrieves the payload over unencrypted HTTP. Although the payload itself is encrypted, the headers and\r\nURL character set provide enough information to detect it using the Snort rule shown below.\r\nInterestingly, the server provides a filename in the response header that does not match the URL of the GET request. This\r\nfilename is later used to decrypt the payload.\r\nCryptography\r\nThe only cryptographic operation in the malware is performed on the data returned by the server. Although the data is\r\ntransmitted over an unencrypted HTTP channel (which is very common with other malware families such as daolpu), the\r\nserver response is encrypted, making it indistinguishable from random data.\r\nThe data returned by the server is AES-CBC encrypted, with the encryption key derived using PBKDF2-SHA1. 
The\r\naccompanying image illustrates the raw server response, where:\r\nBlue portion: Encrypted ciphertext.\r\nRed portion: PBKDF2-derived Initialization Vector (IV).\r\nGreen portion: AES-CBC Initialization Vector (IV).\r\nThe decryption routine in the Downloader has been fully reversed, as shown in the capture below. The process begins with\r\nkey derivation, followed by decryption.\r\nThe key itself is a combination of the “filename” field returned in the HTTP header, the URL, and a string that is contained\r\nin the sample. This key generation process, derived from multiple sources, necessitates the following cleartext secrets to\r\ndecrypt the stage2 payload:\r\nThe ciphered data, obviously.\r\nThe response header from the server.\r\nThe sample URL.\r\nA static key suffix embedded within the sample.\r\nThis is a clever technique to make decryption of stage2 payloads impossible with only the network capture. Additionally, the\r\n100,000 PBKDF2 rounds are specifically designed to make brute-forcing the key impractical.\r\nTo calculate the time required to decrypt the payload using only the network capture, we can use a simplified SHA-1\r\ncalculation as a reference. Since PBKDF2 applies 100,000 iterations, the time needed for brute-forcing would be\r\napproximately 100,000 times longer than a simple SHA-1 hash calculation (credit: proxynova.com).\r\nA script has been developed to download the stage2 payload from the sample and gather all the necessary key components to\r\nperform the decryption. The following screenshot provides a preview of the script in action.\r\nWhen the sample is deciphered, the DLL is manually loaded, as shown in the screenshot below. 
Despite the control flow\r\nscrambling, the MZ and PE header magic values are clearly identifiable, confirming the presence of a valid executable file\r\nformat.\r\nThe SHA256 hashes of the Stage2 payloads are included in the IOC (Indicators of Compromise) section. The C2 servers are\r\nfrequently shut down, making them unavailable at the time of writing. Additionally, the DLL is obfuscated, and further\r\nanalysis or reverse engineering of this sample may be included in a future publication.\r\nIOC\r\nURLs\r\nSample files\r\nThe SHA-256 list of downloader samples used in this article is as follows:\r\nStage2 cryptbot files\r\nThe list of Stage2 Cryptbot payload DLLs used in this article includes the following:\r\ndfdc63994c85f7161e25a26b762835781ce5578c6a5b5c2839324fc7faa591d3.dll\r\ndfefcc62121ee76f84d382fc622b61321f149a04a848c8cb987a7bda7ca59941.dll\r\nDetection\r\nYara\r\nimport \"pe\"\r\nrule test {\r\n meta:\r\n author = \"PEZIER Pierre-Henri. 
Copyright TEHTRIS 2024\"\r\n strings:\r\n $ossl = \"openssl\"\r\n $curl = \"curl\"\r\n $mingw32 = \"mingw32\"\r\n $s01 = \"file_name is %s\" ascii fullword\r\n $s02 = \"password len %d and %d\" ascii fullword\r\n $s03 = \"Memory allocation failed for passw1.\" ascii fullword\r\n $s04 = \"Combined password:\" ascii fullword\r\n $s05 = \"Failed to load DLL from memory\" ascii fullword\r\n $s06 = \"after MemoryLoadLibrary\" ascii fullword\r\n $s07 = \"main\" ascii fullword\r\n $s08 = \"Failed to get the address of the exported function\" ascii fullword\r\n $s09 = \"after MemoryGetProcAddress\" ascii fullword\r\n $s10 = \"after exportedFunction\" ascii fullword\r\n $s11 = \"Hello, World!\" ascii fullword\r\n $s12 = \"Decrypted data: %s\" ascii fullword\r\n $s13 = \"Decryption failed.\" ascii fullword\r\n $s14 = \"Failed to download the file.\" ascii fullword\r\n condition:\r\n pe.is_pe and $ossl and $curl and $mingw32\r\n and 5 of ($s*)\r\n}\r\nSnort\r\nalert http any any -\u003e any any (\\\r\n sid: 130000006;\\\r\n metadata: author PEZIER Pierre-Henri. 
Copyright TEHTRIS 2024;\\\r\n msg: \"CryptBotDropper\";\\\r\n flow: established, to_server;\\\r\n content:!\"User-Agent|3A|\";\\\r\n content:\"GET\"; http_method;\\\r\n http.uri; pcre: \"/\\/[a-z]{15,}[0-9]{8,}/i\";\\\r\n http.host; pcre: \"/^home\\.[a-z0-9]+\\.top$/i\";\\\r\n rev: 1; )\r\nAppendix\r\nStage2 download and decryption script\r\nimport pathlib\r\nimport magic\r\nimport sys\r\nimport re\r\nimport struct\r\nfrom termcolor import colored\r\nimport hashlib\r\nimport requests\r\nimport click\r\nimport click_pathlib\r\nfrom Crypto.Protocol.KDF import PBKDF2\r\nfrom Crypto.Cipher import AES\r\nfrom Crypto.Hash import SHA1\r\nimport yara\r\nimport os\r\nYARA = yara.compile(source=\"\"\"\r\nimport \"pe\"\r\nrule test {\r\n    strings:\r\n        $ossl = \"openssl\"\r\n        $curl = \"curl\"\r\n        $mingw32 = \"mingw32\"\r\n        $s01 = \"file_name is %s\" ascii fullword\r\n        $s02 = \"password len %d and %d\" ascii fullword\r\n        $s03 = \"Memory allocation failed for passw1.\" ascii fullword\r\n        $s04 = \"Combined password:\" ascii fullword\r\n        $s05 = \"Failed to load DLL from memory\" ascii fullword\r\n        $s06 = \"after MemoryLoadLibrary\" ascii fullword\r\n        $s07 = \"main\" ascii fullword\r\n        $s08 = \"Failed to get the address of the exported function\" ascii fullword\r\n        $s09 = \"after MemoryGetProcAddress\" ascii fullword\r\n        $s10 = \"after exportedFunction\" ascii fullword\r\n        $s11 = \"Hello, World!\" ascii fullword\r\n        $s12 = \"Decrypted data: %s\" ascii fullword\r\n        $s13 = \"Decryption failed.\" ascii fullword\r\n        $s14 = \"Failed to download the file.\" ascii fullword\r\n    condition:\r\n        filesize \u003c 10MB and pe.is_pe and $ossl and $curl and $mingw32\r\n        and 5 of ($s*)\r\n}\r\n\"\"\")\r\ndef printok(string: str) -\u003e None:\r\n    print(colored(f\"[+] {string}\", \"green\"))\r\n@click.command(\"download\")\r\n@click.argument(\"file_path\", type=click_pathlib.Path(exists=True))\r\n@click.argument(\"output\", type=click_pathlib.Path(exists=False))\r\ndef download_stage2(file_path: pathlib.Path, output: pathlib.Path) -\u003e None:\r\n    printok(f\"processing: {file_path}\")\r\n    file_data = file_path.read_bytes()\r\n    # Check the file validity\r\n    assert YARA.match(str(file_path)), \"This file does not seem to be a compatible downloader version\"\r\n    # Extract the URL and key from the file\r\n    printok(\"Found downloader\")\r\n    assert (credentials := re.search(rb\"(?ims)([@a-z\\d]+)\\x00+(http://.*?)(?=\\x00)\", file_data)), \"Unable to find url and key\"\r\n    # The trailing digits of the URL are stored apart from the URL string, as two instruction operands\r\n    assert (endurl := re.search(rb\"(\\xE8|\\xBE|\\xBA|\\xBB)(?P\u003ck1\u003e\\d{3,4}).{,128}(\\xB8|\\xBF|\\xB9)(?P\u003ck2\u003e\\d{3,4})\", file_data))\r\n    try:\r\n        key = credentials.group(1).decode(\"UTF-8\")\r\n        url = credentials.group(2).decode(\"UTF-8\")\r\n    except UnicodeDecodeError as error:\r\n        raise AssertionError(\"Unable to decode url and key\") from error\r\n    printok(\"Encryption key extracted successfully\")\r\n    # Perform download\r\n    url = f'{url}{endurl.group(\"k1\").decode(\"UTF-8\")}{endurl.group(\"k2\").decode(\"UTF-8\")}'\r\n    try:\r\n        printok(f\"Downloading: {url}\")\r\n        # A timeout keeps the script from hanging on an unresponsive C2\r\n        response = requests.get(url, headers={\"User-Agent\": \"\"}, timeout=30)\r\n    except (requests.exceptions.RequestException) as error:\r\n        raise AssertionError(\"Unable to connect to the C2\") from error\r\n    assert response.status_code == 200, \"Wrong response from C2\"\r\n    assert response.content, \"Empty response from C2\"\r\n    assert (content_disposition := response.headers.get(\"Content-Disposition\")) and re.search(r'filename=\"(.*);\"', content_disposition)\r\n    printok(\"Stage2 downloaded successfully\")\r\n    server_key = re.search(r'filename=\"(.*);\"', content_disposition).group(1)\r\n    # Decrypt and unpad: bytes 0-15 feed PBKDF2, bytes 16-31 are the AES-CBC IV, the rest is ciphertext\r\n    combined_password = f\"{key}{server_key}\"[-36:]\r\n    aes_key = PBKDF2(combined_password.encode(\"UTF-8\"), response.content[:16], 32, count=100000, hmac_hash_module=SHA1)\r\n    cleartext = AES.new(aes_key, AES.MODE_CBC, response.content[16:32]).decrypt(response.content[32:])\r\n    # Remove exactly the number of padding bytes given by the last byte (rstrip could remove more)\r\n    cleartext = cleartext[:-cleartext[-1]]\r\n    # check the output\r\n    assert magic.from_buffer(cleartext).startswith(\"PE\"), \"Not a valid PE file\"\r\n    output.write_bytes(cleartext)\r\n    printok(f\"File extracted to: {output.resolve()}\")\r\nif __name__ == \"__main__\":\r\n    if os.name == \"nt\":\r\n        os.system(\"color\")\r\n    try:\r\n        download_stage2()\r\n    except AssertionError as error:\r\n        print(colored(f\"[-] {error}\", \"red\"), file=sys.stderr)\r\n        sys.exit(1)\r\nMISP formatted IOC\r\n
\"51032e46bebfd6ed04fcc938f5cde48f26df6a0ec48d2b58d31e748c2d87222f\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"53b55b87c5329665f417c43fa8b44e7054183ab13714fd575f4ec73c1576d8d7\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"5ba2ca4455a95b2260a81b6e857735aa697146720db7d15508b69583feb4587d\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"5ea5c9b7b4b7f23b114533a39414f1eac9e6bfd4c1b87786c3840d1f7b6cdf0d\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"5f8d854a6883175c03086c4dfc5d9c8c797facbff6598b41b837f0945d8f1d1c\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"60003b32e48d426f486a0763229dc589ba64a4ca12adfe061732b3497df0930d\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"6008dc1e6448d5f98981eceeb428f0f8eb5ca5d01315073e7751f6812e64b887\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"606df073790843307f1e2cd1455b947a933def47e8a57b7df62f4a0d5e52a26b\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"61a6d4566575e72452bd3304822330f9d2f72accc4dbba11be4748618101fd63\",\r\n \"category\": \"Payload delivery\",\r\nhttps://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/\r\nPage 18 of 33\n\n\"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": 
\"6496ed3876803016bf5fb2018c13d9b4f2a7c44253774ebc7c7c36c0e5df7852\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"65841cfa9f5436f51683d7c359e8f2db9dd66723e6c875c6f5fc67d7b1358689\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"6813d84987f1ac92fb6b5d7a9f8ddf26424f44a55022cf9fc5563362c225d8b8\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"690d584a6a58a1e051ab1c0d3c92a3ebbd756125005be6b9ca31c870e801ce90\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"6a0120bf645d3c65aaadf28db313647e773da4d8be6d440f95e3ef3e020f95ce\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"6cb9ea7e7b8f9642e1effb00c75397dbcfe04291c3c61b1561786e46773f3fc2\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"724f947ba0d0b93369f1df6a55fe722889adff5a6f5922d7ab35389feeed13e6\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"73befffc90b6411e42b25b92b4860c8142c82232ff0fb8c247597d0bc09efdbd\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"75328c047ffd60f0ef0f461e8efd11b33f296b8229b9917846ee0a10679a3108\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"76273d86538a5a5ead5ffdae2fcad8d29ae93d736b1f3df1475da71c6a328c7b\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": 
\"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"7ce85df273257bb57c122c1bdceeebe59c16bd8629eff5ad494fb8c387ed7c8a\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"8003fd73d5681b78365343e95c96bf7289fbb66ad2e22673099f4ab4e947270f\",\r\nhttps://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/\r\nPage 19 of 33\n\n\"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"80c8797268cb88f5bef1791ccc88b62288763a27528709886e55175b9bd94487\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"8350cb907603e05218052fde1fda489957f768aa49dc6ff122a6471d42101aaf\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"862331ec037b258171f1d9a5ff7ba0dd92cc82fab9c130513e4bab50821184e3\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"8682c6f437d339cb9b438cd76f93766dba9ff7db8e9b6ed5103e52d16e93f51f\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"895d6d80e1b7b5ae2745bd7c7d29c9ad3740a4aea90e3ee5035f60ae91ed7c18\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"8af6d1cf38790da6c8205c4cfa20d43e79aebde03571bd881379d1fbbf13f07b\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"8c209705b91becbc186f2aafd2b8dbdffe1b78f0c765ff4d62e9fd7be52c926a\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n 
\"type\": \"sha256\",\r\n \"value\": \"8c81a5f325bacafc6094e8d31881ff27de9ecdbcd1c20d67f1e298be09be2ee7\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"8f9fb0dbcf09f7b0a2838323c55a4cb3ce5ebd29230b9afc65cc6e23eb57d107\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"91c3092bc46c0b23b39d0cc10ddeee1b0008d0a12aed25791ed322ef7bc10792\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"9415e13f69bce584aa0e94ba833d689f892d27960f6b6b353f439e4aee32b1aa\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\nhttps://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/\r\nPage 20 of 33\n\n\"value\": \"983d11c7f6d115e3938ebc92b1ade92ea247c44632b3330af256693c2641cb99\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"9b827d471a9e2bd4249aa1cfb80721b97316334fd5aecbc5e2d4296e1c088a12\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"9c45c5456167f65156faa1313ad8bbaffb8aa375669bf756fe0273580a621494\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"9e8de744db5b8cd794226a4df549804f2dcd0f235d035e89305ca093dc3936c2\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"a175dbaa581c7064effea9150163c84d5e6e12f975103c31dc13caeb85b62e47\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": 
\"a2490d03cf08a0cc48030c915a1d6f17a7f755edf84f825df7ae752a358d8837\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"a442c37a225f1417da4e67d87d44eb95cb90198f146f09fc4d2da1f716866866\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"a55616e2551ae292c035fdb2ceba08327464394e6ec115c424f0e4340a50634d\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"a725a1282151b3d66b12e29c116980c7837ae3829682914cf920e0b4520808e7\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"aa7c16c9b06e1bc8012e1865a3fa18dd8f43b56c133649fb7ef25400fecea920\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"ac94431fdba78b69ba481a37c56e4d067eb26844b64603e946ac402ef344ba4d\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"b4222cd9bfbe897a10395414da0f744e223aba7c3ffeee68f03dbd167835c3cb\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\nhttps://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/\r\nPage 21 of 33\n\n\"type\": \"sha256\",\r\n \"value\": \"b6e865ee7366584424eee3c120bfa7e510fdd1ddd85bd6e59aef57546be13dbd\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"b7439cb886010a0f42601044ff3b1ff2cd11873a6e16b6682cba31e052f5865d\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": 
\"bc417517a6b5949226151ed2dc3b398051fabe68c7c1b1ad92279e6425761962\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"bd309518a3159b042d5f766c6159afbad5b18d8c6058d3a20773899a18314b21\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"bdd3db5c703b69a6e146f1475d611468ec92053cc25c1b8bd256a56ae1624eb0\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"be232e6678efb17e42750a84a60d69ebe71b0bff28e028a375559499782a66b7\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"c297513faa34104fe812a1e59d0f98fb6fe741d2ddb2fc424dce33ee175a8c7e\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"c332f3148d35b98d5b9aebb25f7642bf2315476edf8640f4e49a04bff7ef1992\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"c7049f22ae5ea4adfba9a137ee331874fee567dcfca6ef04cddbd520d7b00ece\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"cafb2d43814edf00a88b69ef44a0cdd7f8217b05132638bfe62a633b021be963\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"ce3b09833cb88e8dda668604a50dee535f3ab3f9edc258e2a2f389064065d1b9\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"cf374b923e49a731b035faae8fb0756e71d8377dc4b584fc51595320b1e5bc23\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": 
\"Cryptbot payload hash\"\r\n },\r\nhttps://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/\r\nPage 22 of 33\n\n{\r\n \"type\": \"sha256\",\r\n \"value\": \"d132b6b606284363684e9ed72fa516c751c5a5447a7af78b803b368a68e1319b\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"d441fadd2e5dfbf526802b611391a7433578c8b507757bd606f873dde76ba290\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"d539ced1656cbeda5fb3c9fa7a7dd15d379543877921fb6b988fe1ff0e5cb65a\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"d8a7d38189c1b552ba07b3c12536c9cb9f7291161180937c08d28c736e3a84bc\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"dcc3e88eabf7700facf18c6f905d21c1450e38f17190d38afabfb5aede2d2aab\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"de0461d80b3a5986cd7a290620f4e1096b86a80ecb72e5033af944a0a368e374\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"dfdc63994c85f7161e25a26b762835781ce5578c6a5b5c2839324fc7faa591d3\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"e0366f1f6d7d396f6ef06b8398f9d899c94757449ee32b45ff855d77d1442256\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"e10a1bde9ed99785982416b20443e1c9387375876cf21887f6470f32d29eeac6\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n 
\"type\": \"sha256\",\r\n \"value\": \"e597f985a19237355dd489fa6eb95fdcb22b6d1a5125574aceb1c82e42057e72\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"e5a9c5284062d9862dba21c860b32d6f58559175af193c052d0d968a17336d98\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"f0f57933cba2b43988458cab4e386e4949902c23df723a97eb8da53bd8d4a49d\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\nhttps://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/\r\nPage 23 of 33\n\n},\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"f2c4f0c152acbb4a8e575e6095fc84b6df932e114c4f2a32a69d1ed19c1a55f7\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"f4c3fecde4a9a5557fe1eca14b6b051aeb3c282780d51163ad4e11ef32454d20\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"f89b07f4043c0bccd8537ed6a24f15932b9f70cc10743e022487bee62c075f98\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"fa0aefa912e04ffcb1895e917d24372816c9da6f827b36079eaa115a0349dc0a\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"faf630469655fcddb34a6bb2f24a5857bd36fd463760fe7643dbeb3f080b9a72\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": \"fba6378aaf31225825c21cc7b06e1e8a408102bdba7a18a1b3d84b23cfe08018\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"sha256\",\r\n \"value\": 
\"fbcf1356f2c11fe73efe69c1eba77a62ae742c935f3232dbed77657408a06933\",\r\n \"category\": \"Payload delivery\",\r\n \"comment\": \"Cryptbot payload hash\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.eightji8ht.top/KTGbGvOSGlkPaQeuKdDL1572982449\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.eightjo8sr.top/aCrmSMJLJEOsinOjzktg1889307302\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.eightjo8vt.top/APWuDeoyrwjlLWFqpzlR1427917304\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.eightjo8vt.top/GZAiWBsUWZXSjptiVgki1273022183\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.eightjp8ht.top/FlchnxzGeSIHRPHPeYBm1318897305\",\r\n \"category\": \"Network activity\",\r\nhttps://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/\r\nPage 24 of 33\n\n\"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.eightjp8vs.top/GyoNxLolJLOIDEEeLXwl1239497306\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.eightjp8vs.top/feCIlgpoToBMdGHZfMGS1673054910\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.eleja11sb.top/sSWxMfiKsjZhqgwqlqVX1737823123\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.elevji11ht.top/XmQBHJYvyxRHnDxzxNoj124497298\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n 
\"type\": \"url\",\r\n \"value\": \"* http://home.fiveji5ht.top/KlekgDAXLoeekVhmYBHz1732002979\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fiveji5ht.top/daxtYswdSfyAXDsFwHuK1726572986\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fiveji5ht.top/sYxNRoYrKJVZJBDMKRQb1729750322\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fiveji5vs.top/nGdZCFwukcqnsrEfVnqT1732922995\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fiveji5vt.top/NEpdjvSGIHCSlQWulCHt1776642968\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fivejo5sr.top/JNzvTWFWHwIXwNBdDJiw1743043030\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fivejo5sr.top/bTMlLHJsULflKiuhSKNo1745983026\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fivejo5vt.top/WTAjeFpNiEIhCJndAXAf1714163020\",\r\nhttps://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/\r\nPage 25 of 33\n\n\"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fivejo5vt.top/bLeFEuIyIOOFgvRzlwsw1730462437\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fivejo5vt.top/jQDBoCTTJMoxHduEQtVi1718333022\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n 
},\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fivejo5vt.top/zViguzTHOAJchzMFSLOa1730123672\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fivejp5vs.top/WMIfiIbwGZlEzunsPmAm1791043054\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fivejp5vs.top/gEHGWhRNbwRFXwunSKCi1794913063\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fivjp5vt.top/GpXJRdeQulqmvESjfFlL1730790181\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.fivjp5vt.top/MzxdLTzahBhrwcHfikEE1730826262\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.forjh4ht.top/wGcuvRVzmafViJJtVGWe1729706625\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.forji14vs.top/SRmkbXbtICjnsFSsyIIU1719933008\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.forji14vs.top/vLzEmBxYDkDWwAHlJbwm1756532992\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.forjo14vt.top/vZEhEBivXldclXHuMstz1714163020\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\nhttps://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/\r\nPage 26 of 33\n\n\"value\": \"* http://home.forpz4ht.top/cQOBChluQKBYyXAKOlUj1729771262\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 
URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.neinja9ht.top/LQEGldMWvlStBQQIEVyV1797523097\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.neinja9ht.top/xplvzowOfiYMuqANrGoq1730957812\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.neinjo9vt.top/TCEdaQJXYbawpvRtmzAl1724603017\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.neinjo9vt.top/fcOoKJiqkEdEfaSKlDpf1730221830\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.neinjp9sr.top/VQZWuwklsiAqwKSHENhk1730865247\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.ninjo19vs.top/kbrGrXsSXkmNPHYxWled1730607975\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.oneji1vt.top/yYwXoctNQsNlxniaRRXW1729687663\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.onejo1vs.top/VlQbIzlsEdAqLBFZBoYY1734910639\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.onejo1vs.top/rwucRRJvgOJMYBxNQZTH1731060549\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.onejo1vt.top/TgyonuAhQqHmRNCTtLXO1730221831\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* 
http://home.onejo1vt.top/VBkFCJscNZobpQzbgGkx1736750123\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\nhttps://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/\r\nPage 27 of 33\n\n\"type\": \"url\",\r\n \"value\": \"* http://home.onejo1vt.top/pgpVedqwyWTKdnDvLton1739150427\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.onejp1ht.top/EydgSnlRvnipiEFgnals1733640997\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.onejp1ht.top/wjfslbMBCTjPKLMdHjMB1739381071\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.onejp1vt.top/WVWXLEBFUCjXpjDFcYnq1730826262\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.sevja17sb.top/LMiwiyYekyuSDTCvLbPv1765833112\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.sevja17sb.top/ZsSuJntZcwEFCFkTKSrm1784413120\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.sevjoi17ht.top/RZveVhltLlnLSesEiEKb1573051889\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.sevjoi17sr.top/TCQEoezkVqyvrJjqBhZs1204307303\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n \"value\": \"* http://home.sevjoi17vt.top/FhmmyqGhAphHaXwiJfvm1273042791\",\r\n \"category\": \"Network activity\",\r\n \"comment\": \"Cryptbot C2 URL\"\r\n },\r\n {\r\n \"type\": \"url\",\r\n 
 ]\r\n }\r\n}\r\nSource: https://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://tehtris.com/en/blog/cryptbot-downloader-a-deep-cryptanalysis/"
	],
	"report_names": [
		"cryptbot-downloader-a-deep-cryptanalysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434095,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd32ba9f72c237b0f77e6de38175fbd74064d865.pdf",
		"text": "https://archive.orkl.eu/fd32ba9f72c237b0f77e6de38175fbd74064d865.txt",
		"img": "https://archive.orkl.eu/fd32ba9f72c237b0f77e6de38175fbd74064d865.jpg"
	}
}