CryptBot Info-stealing Malware Distributed Through Phishing Sites

The ASEC analysis team previously introduced a phishing site distributing malware disguised as a utility program. When the name of the utility program is entered as a Google search keyword, the phishing site appears near the top of the results. The malware is still being actively distributed, and the infection process has changed continually. In this post, the team explains the infection process of the recently distributed malware file, which is known globally as CryptBot.

Figure 1 and Figure 2 show the phishing sites that distribute malware disguised as utility programs. Some of these sites have also been translated into Korean.

Figure 1. Phishing site distributing CryptBot info-stealer malware
Figure 2. Another phishing site distributing CryptBot info-stealer malware

The malware is downloaded as a zip file. The compressed file contains another zip file holding the info-stealing malware and a txt file with the unzip password. When the password is entered and the inner file unzipped, a portable executable named Mainsetupv1.0.exe, packaged as a 7-Zip self-extracting archive, is revealed; this is the actual malware.

Figure 3. Zip file downloaded from the phishing site

When run, Mainsetupv1.0.exe creates four files in the ‘7ZipSfx.000’ directory, as shown in Figure 4, and runs the malicious BAT file that was dropped under the disguised filename Naso.avi. The roles of the four created files can be summarized as follows.

  • Naso.avi: Malicious BAT file; launches the AutoIt interpreter with the malicious AutoIt script
  • Pensato.avi: Normal Autoit.exe file with a manipulated extension (.avi)
  • C: Malicious AutoIt script; processes and runs the encoded CryptBot info-stealer (Sento.avi)
  • Sento.avi: Encoded CryptBot info-stealer malware

Figure 4. Malware created from the 7-Zip self-extracting portable executable

Figure 5 shows the content of the BAT file, the first stage of execution. The BAT file renames the normal Autoit.exe from its manipulated extension (.avi) to a runnable one (.com) and uses it to run the malicious AutoIt script (C).

Figure 5. Malicious BAT file created as disguised filename (Naso.avi)
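
The dropper described above relies on the file extension alone looking harmless: a batch script and the AutoIt interpreter sit on disk as .avi files until the BAT renames the interpreter to .com. The following Python script is an added example (not ASEC's code and not from the original post) that checks content rather than extension, flagging media-named files that are really PE images or batch scripts. The sample directory it builds uses the filenames from the post with constructed contents, and the batch-token heuristic is an assumption chosen for illustration.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

MEDIA_EXTS = {".avi", ".mp4", ".mkv", ".mp3", ".wav"}
# Batch-file tokens that rarely appear inside real media; a heuristic, not a parser.
BATCH_TOKENS = re.compile(rb"(?im)^\s*(@echo\s+off|ren(ame)?\s|start\s|cmd(\.exe)?\s+/c)")

def classify(data: bytes) -> str:
    """Classify by content only: 'pe', 'media', 'batch' or 'unknown'."""
    head = data[:4096]
    if head.startswith(b"MZ"):                 # DOS/PE header, e.g. Pensato.avi (AutoIt.exe)
        return "pe"
    if head.startswith((b"RIFF", b"ID3")):     # genuine AVI/WAV or MP3 container
        return "media"
    if BATCH_TOKENS.search(head):              # Naso.avi-style renamer/launcher script
        return "batch"
    return "unknown"                           # e.g. the encoded Sento.avi blob

def find_masquerading(directory: str) -> List[Tuple[str, str]]:
    """Return (name, kind) for media-named files whose content is executable."""
    hits = []
    for p in sorted(Path(directory).iterdir()):
        if p.is_file() and p.suffix.lower() in MEDIA_EXTS:
            kind = classify(p.read_bytes())
            if kind in ("pe", "batch"):
                hits.append((p.name, kind))
    return hits

def build_sample_dir() -> str:
    """Write constructed look-alikes of the dropped files into a temp dir (sample data)."""
    d = Path(tempfile.mkdtemp(prefix="7ZipSfx.000-"))
    samples = {
        "Naso.avi": b"@echo off\r\nren Pensato.avi Pensato.com\r\nstart Pensato.com C\r\n",
        "Pensato.avi": b"MZ" + b"\x90" * 62 + b"PE\x00\x00",  # stub PE header only
        "C": b"obfuscated AutoIt script placeholder",        # no media extension: skipped
        "Sento.avi": bytes(range(256)),                       # opaque encoded blob
        "movie.avi": b"RIFF\x00\x00\x00\x00AVI LIST",         # genuine-looking AVI
    }
    for name, data in samples.items():
        (d / name).write_bytes(data)
    return str(d)

if __name__ == "__main__":
    for name, kind in find_masquerading(build_sample_dir()):
        print(f"{name}: content looks like {kind}, not media")
```

The encoded payload (Sento.avi) is deliberately not flagged here, since its bytes carry no recognizable header; that file is only caught by the extension mismatch of its siblings, which is why the check reports on a whole dropped directory rather than one file.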

Figure 6 shows the content of the malicious AutoIt script (C). It is heavily obfuscated to prevent direct interpretation.

Figure 6. Obfuscated AutoIt script created with disguised filename (C)

Figure 7 shows the part of the unobfuscated AutoIt script that detects an analysis environment. The malware calls GetTickCount before and after a Sleep call and compares the two values to verify that the sleep actually elapsed. If the difference is not the expected value, the malware terminates.

Figure 7. Unobfuscated AutoIt script – analysis disruption technique

Figure 8 shows the main feature of the unobfuscated AutoIt script. It loads explorer.exe through the LoadLibraryExW API to obtain a memory region, then injects the CryptBot info-stealer payload, produced by processing the data of the previously created Sento.avi file, into that region.

Figure 8. Unobfuscated AutoIt script – executes encoded payload (Sento.avi)

Figure 9 shows part of the code of CryptBot, the info-stealing malware that is ultimately executed: the routine that downloads additional malicious files. Records show that the Clipbanker malware was downloaded through this routine.

Figure 9. Additional malware download routine of the final payload (CryptBot)

AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]
– Trojan/Win.Infostealer (2021.05.15.00)

[Behavior Detection]
– Execution/MDP.Scripting.M3728
  • MD5: abd35d575a95891bac53ec57e8d33ccd
  • Phishing Sites
  • C&C
    – http[:]//[.]php
  • Download PE
    – http[:]//[.]php?file=lv.exe
