Cryptbot Stealer - Update on Rules

g0njxa · July 21, 2023, 6:17pm

Cryptbot Stealer has been switching its behavior in the past weeks from uploading logs to C2 on /gate.php to /zip.php. Maybe there are more changes.
I believe this change has been completed and theres no rule detection for Cryptbot as for now, so old rules must need to be updated.

OLD DETONATION
(Analysis https://kickasscracks.com Malicious activity - Interactive analysis ANY.RUN)

Rules related to cryptbot fired

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M1
ET MALWARE Win32/Cryptbot V2 Data Exfiltration Attempt
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M2

NEW DETONATION
(Analysis https://abbaspc.net Malicious activity - Interactive analysis ANY.RUN)

No rules fired, 0 detection on Cryptbot.

Thanks in advance.

bingohotdog · July 24, 2023, 8:20pm

Thanks for the share, g0njxa. I’ve added a new rule to detect these new Cryptbot variants. It should appear in the release today. If you find new variants, please let us know so we can continue to add detection.

rgonzalez · July 29, 2023, 9:05pm

Believe this was 2046886, thanks!

Topic		Replies	Views
Lumma Stealer Updates Rule Signatures	2	452	September 15, 2023
Mystic Stealer signature Rule Signatures	6	576	June 28, 2023
PennyWise Stealer - Update on rules Rule Signatures	2	379	July 28, 2023
Smartloader Rule Signatures	1	180	March 4, 2024
ObserverStealer Rule Signatures	5	499	June 23, 2023

Cryptbot Stealer - Update on Rules

Related Topics