Cryptbot Stealer has been switching its behavior in the past weeks from uploading logs to C2 on /gate.php to /zip.php. Maybe there are more changes.
I believe this change has been completed and there's no rule detection for Cryptbot as of now, so the old rules need to be updated.
OLD DETONATION
(Analysis https://kickasscracks.com Malicious activity - Interactive analysis ANY.RUN)
Rules related to Cryptbot that fired:
- ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M1
- ET MALWARE Win32/Cryptbot V2 Data Exfiltration Attempt
- ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M2
NEW DETONATION
(Analysis https://abbaspc.net Malicious activity - Interactive analysis ANY.RUN)
No rules fired, 0 detection on Cryptbot.
Thanks in advance.
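The gap the post describes can be reproduced over request logs: a signature that only knows the old upload path misses the new one. The script below is an added example, not code from the poster or from the Emerging Threats rule set; it assumes a simplified one-request-per-line log format ("<src_ip> <METHOD> <host> <path>") and uses constructed sample lines with placeholder hosts. The only values taken from the post are the two C2 upload paths, /gate.php and /zip.php.

```python
# Added example (not part of the original post). Flags POST uploads to the
# Cryptbot C2 paths named in the post and contrasts an "old" signature that
# only knows /gate.php with an updated one that also covers /zip.php.
import re
from typing import NamedTuple


class HttpRequest(NamedTuple):
    src: str
    method: str
    host: str
    path: str


# Constructed, simplified log format: "<src_ip> <METHOD> <host> <path>".
# Real proxy or Zeek http.log fields would be mapped onto the same tuple.
LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$")

# Old signature knowledge (only the original upload path) versus updated knowledge
# that includes the new path reported in the post.
OLD_PATHS = frozenset({"/gate.php"})
NEW_PATHS = frozenset({"/gate.php", "/zip.php"})


def parse_line(line):
    """Parse one log line into an HttpRequest, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return HttpRequest(m["src"], m["method"], m["host"], m["path"])


def is_cryptbot_upload(req, paths):
    """True when the request is a POST to one of the known C2 upload paths.

    The query string is stripped so '/zip.php?id=1' still matches '/zip.php';
    GET requests to the same path are not treated as log uploads.
    """
    if req.method != "POST":
        return False
    path = req.path.split("?", 1)[0]
    return path in paths


def find_hits(lines, paths):
    """Return the requests in `lines` that match the given path set."""
    hits = []
    for line in lines:
        req = parse_line(line)
        if req is not None and is_cryptbot_upload(req, paths):
            hits.append(req)
    return hits


def coverage_gap(lines):
    """Requests caught by the updated path set but missed by the old one."""
    old = set(find_hits(lines, OLD_PATHS))
    return [req for req in find_hits(lines, NEW_PATHS) if req not in old]


# Constructed sample traffic; hosts are placeholders, not real infrastructure.
SAMPLE_LOG = [
    "10.0.0.5 POST c2.example.invalid /gate.php",       # old upload path
    "10.0.0.5 POST c2.example.invalid /zip.php",        # new upload path
    "10.0.0.7 GET www.example.invalid /index.html",     # benign browsing
    "10.0.0.8 POST c2.example.invalid /zip.php?id=1",   # new path with query
    "10.0.0.9 GET c2.example.invalid /zip.php",         # GET, not an upload
    "not a log line",                                   # malformed, skipped
]


if __name__ == "__main__":
    print("old signature hits:", len(find_hits(SAMPLE_LOG, OLD_PATHS)))
    print("updated signature hits:", len(find_hits(SAMPLE_LOG, NEW_PATHS)))
    for req in coverage_gap(SAMPLE_LOG):
        print("missed by old signature:", req)
```

Run against the constructed sample, the old path set matches only the /gate.php upload while the updated set also catches both /zip.php POSTs; the GET to /zip.php and the malformed line are ignored, which is the behaviour a rule update should preserve.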