Malware Analysis Report

2025-08-05 13:59

Sample ID: 210511-d88dj8gagx
Target: a5c463db805e356cb6e73e5676b397eab265e061c6797.exe
SHA256: a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3
Tags: cryptbot spyware stealer discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3

Threat Level: Known bad

The file a5c463db805e356cb6e73e5676b397eab265e061c6797.exe was found to be: Known bad.

Malicious Activity Summary

cryptbot spyware stealer discovery

CryptBot Payload

CryptBot

Downloads MZ/PE file

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-05-11 15:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-05-11 15:16
Reported: 2021-05-11 15:18
Platform: win7v20210408
Max time kernel: 5s
Max time network: 12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe

"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"

Network

N/A

Files

memory/1828-60-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

memory/1828-61-0x0000000001D50000-0x0000000001E31000-memory.dmp

memory/1828-62-0x0000000000400000-0x00000000004E5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2021-05-11 15:16
Reported: 2021-05-11 15:18
Platform: win10v20210410
Max time kernel: 138s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1892 wrote to memory of 4080 | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4080 | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4080 | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | C:\Windows\SysWOW64\cmd.exe
PID 4080 wrote to memory of 780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe
PID 4080 wrote to memory of 780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe
PID 4080 wrote to memory of 780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe
PID 1892 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 64 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3928 wrote to memory of 64 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3928 wrote to memory of 64 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 780 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
PID 780 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
PID 780 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe

"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe"

C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe

"C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | remdvz22.top | udp
N/A | 34.86.24.123:80 | remdvz22.top | tcp
N/A | 8.8.8.8:53 | morjgs02.top | udp
N/A | 35.233.146.63:80 | morjgs02.top | tcp
N/A | 8.8.8.8:53 | sulsxq03.top | udp
N/A | 35.245.17.142:80 | sulsxq03.top | tcp
N/A | 35.245.17.142:80 | sulsxq03.top | tcp
N/A | 23.194.19.179:443 | | tcp

Files

memory/1892-114-0x00000000021D0000-0x00000000022B1000-memory.dmp

memory/1892-115-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/4080-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe

MD5 2d87ccdf423785e376f9245eef125adc
SHA1 322a8f02c4619760004cdf26fefb4ad4ba0ec23b
SHA256 ae92d8df47eb0ae69bf9643f4a7057dc41a1f2593d26e4edc4cf91c2fd464579
SHA512 9222f207565a7744f1aed0a5b07dd97ace8ee9db92e3736ebd0aa8330a44afd373924b17c3cb0e168dd1144ae764cf15c30d6eaa94fa58a7ad15123ce73c49b5

memory/780-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe

MD5 2d87ccdf423785e376f9245eef125adc
SHA1 322a8f02c4619760004cdf26fefb4ad4ba0ec23b
SHA256 ae92d8df47eb0ae69bf9643f4a7057dc41a1f2593d26e4edc4cf91c2fd464579
SHA512 9222f207565a7744f1aed0a5b07dd97ace8ee9db92e3736ebd0aa8330a44afd373924b17c3cb0e168dd1144ae764cf15c30d6eaa94fa58a7ad15123ce73c49b5

memory/3928-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\_Files\_SCREE~1.JPE

MD5 5b1332919b3513bc965b56fc5bc5bc68
SHA1 7f6f85de1eab9f16900e03b1064c160df3c7c459
SHA256 ffd8670128cf5740678596cb00fd4ef1faff3f40ccafa2e6fde84daedeba42f2
SHA512 1743679e359d8961f4639141f3851788d9678af338e927d81efb6cc03601acb309c2d50982a6e4347b637059b4392f54d4e97e75276636a77a34fd6f3f6aba07

C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\_Files\_INFOR~1.TXT

MD5 60114294d0f5b6749b99bcfcfafd6825
SHA1 01c39e4cfe727413c26667fbf7f6fe460088bbca
SHA256 af263635692125ede35f3924b26028f1cd22ab163d01fcb9effb3394fd54ebea
SHA512 19476baaa64525fcbf31b03374b12e69645d53f0b0cc8a77224b5f149d6828507fd0f7994e1cc5d40d30f3a6fedb619edf18576106f079b7384519b181416d4f

memory/64-129-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\files_\files\GRANTS~1.TXT

MD5 f0c9e4bf6410178da7e5256f34c5d5c2
SHA1 c783a23ece6351b20832613f60374fa30720280a
SHA256 f96cf3618024b1eefe7a59ff33cd9a505258edf2ecd62106750f99287ef360e1
SHA512 9895e176d5034203a1f8442769fd79e4784061a7420bd5e2c73ac71ef64a66656ce872609a3c6e48871e31499d8c576671f189985d735120d61d200281c95f1d

C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\_Files\_Files\GRANTS~1.TXT

MD5 f0c9e4bf6410178da7e5256f34c5d5c2
SHA1 c783a23ece6351b20832613f60374fa30720280a
SHA256 f96cf3618024b1eefe7a59ff33cd9a505258edf2ecd62106750f99287ef360e1
SHA512 9895e176d5034203a1f8442769fd79e4784061a7420bd5e2c73ac71ef64a66656ce872609a3c6e48871e31499d8c576671f189985d735120d61d200281c95f1d

C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\PTQBUG~1.ZIP

MD5 0da8983dc8cb171d59e627e1723a5109
SHA1 07017effb1b8f738d29112872da759b1bd71955b
SHA256 1bec34dc9d96210ceb08fbbacd55115e15bf373285640c3b06f7fec0c59f994e
SHA512 e0211ee4cf5b1a90a78a1dc47b35ee7d69e33402a36dfe5583211bbeef7526e9c9de37d3d968bf8e86b54192cc462c00af9359c0f1a4674ab48de4e4340c1b6a

C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\FNHLBU~1.ZIP

MD5 7db476f64854d34812a009dbcfbcb1a6
SHA1 4b4e59bd31799f9ca02f4d9cdabfa6388e9d01f3
SHA256 e9553129b0616569ba1300082aee5bb6880fcb224f02e5959c6f247990cd33b2
SHA512 b1e24efc5929ae4ba39e146e26754b82dd5ddfbed9345b095b9220e89a855a531165e02992ebe8187be3e6752ece37473b3c4896b8b0d9777199b5ae3e3a0484

C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\files_\SYSTEM~1.TXT

MD5 4605f57d1247ebfc4a939f57670cb416
SHA1 673c5bfc1535cc06de15f377811f7502528258fb
SHA256 7cf4a059d2fc538c143b7692a719ef41e19eec732fd0b165f9feb590f62119c9
SHA512 740dadc69fe771fa17e19dcd2d17abed1d923ad6d69d8b1c851182d8c7a528fdaf75260fdea1e40cd99be54e195dd4026674f67a57f0a6520fcc7e785a216220

C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\files_\SCREEN~1.JPG

MD5 5b1332919b3513bc965b56fc5bc5bc68
SHA1 7f6f85de1eab9f16900e03b1064c160df3c7c459
SHA256 ffd8670128cf5740678596cb00fd4ef1faff3f40ccafa2e6fde84daedeba42f2
SHA512 1743679e359d8961f4639141f3851788d9678af338e927d81efb6cc03601acb309c2d50982a6e4347b637059b4392f54d4e97e75276636a77a34fd6f3f6aba07

memory/780-130-0x0000000000470000-0x00000000005BA000-memory.dmp

memory/780-131-0x0000000000400000-0x000000000046E000-memory.dmp

memory/1532-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 2d87ccdf423785e376f9245eef125adc
SHA1 322a8f02c4619760004cdf26fefb4ad4ba0ec23b
SHA256 ae92d8df47eb0ae69bf9643f4a7057dc41a1f2593d26e4edc4cf91c2fd464579
SHA512 9222f207565a7744f1aed0a5b07dd97ace8ee9db92e3736ebd0aa8330a44afd373924b17c3cb0e168dd1144ae764cf15c30d6eaa94fa58a7ad15123ce73c49b5

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 2d87ccdf423785e376f9245eef125adc
SHA1 322a8f02c4619760004cdf26fefb4ad4ba0ec23b
SHA256 ae92d8df47eb0ae69bf9643f4a7057dc41a1f2593d26e4edc4cf91c2fd464579
SHA512 9222f207565a7744f1aed0a5b07dd97ace8ee9db92e3736ebd0aa8330a44afd373924b17c3cb0e168dd1144ae764cf15c30d6eaa94fa58a7ad15123ce73c49b5

memory/1532-135-0x0000000000470000-0x000000000051E000-memory.dmp

memory/1532-136-0x0000000000400000-0x000000000046E000-memory.dmp