Malware Analysis Report

2025-08-05 13:59

Sample ID 210511-tg3dnxycle
Target a5c463db805e356cb6e73e5676b397eab265e061c6797.exe
SHA256 a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3
Tags
cryptbot spyware stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3

Threat Level: Known bad

The file a5c463db805e356cb6e73e5676b397eab265e061c6797.exe was found to be: Known bad.

Malicious Activity Summary

cryptbot spyware stealer discovery

CryptBot

CryptBot Payload

Executes dropped EXE

Downloads MZ/PE file

Drops startup file

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-11 16:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-11 16:02

Reported

2021-05-11 16:04

Platform

win7v20210410

Max time kernel

5s

Max time network

13s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe

"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"

Network

N/A

Files

memory/308-60-0x0000000075A31000-0x0000000075A33000-memory.dmp

memory/308-61-0x00000000004F0000-0x00000000005D1000-memory.dmp

memory/308-62-0x0000000000400000-0x00000000004E5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-11 16:02

Reported

2021-05-11 16:04

Platform

win10v20210408

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 800 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | C:\Windows\SysWOW64\cmd.exe
PID 3852 wrote to memory of 1352 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe
PID 3852 wrote to memory of 1352 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe
PID 3852 wrote to memory of 1352 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe
PID 800 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 908 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2104 wrote to memory of 908 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2104 wrote to memory of 908 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1352 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
PID 1352 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
PID 1352 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe

"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe"

C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe

"C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | remdvz22.top | udp
N/A | 34.86.24.123:80 | remdvz22.top | tcp
N/A | 8.8.8.8:53 | morjgs02.top | udp
N/A | 35.233.146.63:80 | morjgs02.top | tcp
N/A | 8.8.8.8:53 | sulsxq03.top | udp
N/A | 35.245.17.142:80 | sulsxq03.top | tcp

Files

memory/800-114-0x0000000002370000-0x0000000002451000-memory.dmp

memory/800-115-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3852-116-0x0000000000000000-mapping.dmp

memory/1352-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe

MD5 2d87ccdf423785e376f9245eef125adc
SHA1 322a8f02c4619760004cdf26fefb4ad4ba0ec23b
SHA256 ae92d8df47eb0ae69bf9643f4a7057dc41a1f2593d26e4edc4cf91c2fd464579
SHA512 9222f207565a7744f1aed0a5b07dd97ace8ee9db92e3736ebd0aa8330a44afd373924b17c3cb0e168dd1144ae764cf15c30d6eaa94fa58a7ad15123ce73c49b5

memory/2104-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC\BQCNYR~1.ZIP

MD5 b1fad4ac80a03bc3904ef3850e837922
SHA1 69d29ae2c15f28b5d29feffefc255acb2fce42eb
SHA256 e4fb968c71aecb381168e1dd278c33abf9bacfe931dc69ff743f26aa062998ae
SHA512 2ecf244760f5235093a9d61d0087db917c571efb13faead27df63c8db9531feb544d87a664e638720b66a0390725ac1df3bbad3f640fba45a89c7b86fba03b45

C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC\files_\SYSTEM~1.TXT

MD5 25cc80a9de89811cd4862587c885e8a6
SHA1 d39e7d5b25b70410d09ccaa8d4d47d33af29ab2b
SHA256 bdfefa9700a708865464b4d9deb7ec40393ce22a51be207d2dd8b2c6fb5e76de
SHA512 0545995bc01ef303ea9d9fa040f31386d9343125d504b9a66111244dbbdf5746feca21b7bd5022b8f219c8fab01dda67e529bdbb5422aa591a5a945cda63c7f3

C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC\files_\SCREEN~1.JPG

MD5 4f3ca61efa9018c52fac864a0e0fbb6a
SHA1 ffa0ddd1757a613141a56a67425f336d8ce07f0c
SHA256 0240617843cb958b8efec7e7144258b474106951b4f7cfabc6bd6cab8344264f
SHA512 e8d3659d791501c44be1aaac4425a7795ae9cabdd6143650ba84c315c0f46b418d206d5d95469face45b28f79e9c2676f2fd4aed80cb6b2319459bb68bcfc3bb

C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC\cDamPLNm.zip

MD5 7b251e85eac31ad60316f5ab8d2e4a56
SHA1 6378008383c0f6b03051665eb98a0b46f5ec9b96
SHA256 aa8db87a356e0e8bc753199c1930bb7555c070834d23adf373d5f2e170a6b8b5
SHA512 523f7e68ee2dc35fbac753fa7cfd78b4647513bfd4866226ecc78b0355fb0a9b399b0bd093e795c44e6feaf1043a2992873ce000a465c47e313b88d8f1878812

C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC\_Files\_SCREE~1.JPE

MD5 4f3ca61efa9018c52fac864a0e0fbb6a
SHA1 ffa0ddd1757a613141a56a67425f336d8ce07f0c
SHA256 0240617843cb958b8efec7e7144258b474106951b4f7cfabc6bd6cab8344264f
SHA512 e8d3659d791501c44be1aaac4425a7795ae9cabdd6143650ba84c315c0f46b418d206d5d95469face45b28f79e9c2676f2fd4aed80cb6b2319459bb68bcfc3bb

C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC\_Files\_INFOR~1.TXT

MD5 7fba04fa4f54150a98f09168a82d208b
SHA1 48704599a112c7c9432fb73ff6ed9c4ada56f51e
SHA256 9d411087615dd6df6be56b25aea9648e14e021096bdcd3f7ad4ba18adbe4895e
SHA512 2e1a4f870eec1d78c807095404dd033e181a2d9ea49ef287ea2330d9b1adf1615760506d43ad175233329bcbeb05ed673ac83f5d9371691ab5f076e83f2a8449

memory/908-127-0x0000000000000000-mapping.dmp

memory/1352-128-0x0000000001F60000-0x0000000001F86000-memory.dmp

memory/1352-129-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4088-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 2d87ccdf423785e376f9245eef125adc
SHA1 322a8f02c4619760004cdf26fefb4ad4ba0ec23b
SHA256 ae92d8df47eb0ae69bf9643f4a7057dc41a1f2593d26e4edc4cf91c2fd464579
SHA512 9222f207565a7744f1aed0a5b07dd97ace8ee9db92e3736ebd0aa8330a44afd373924b17c3cb0e168dd1144ae764cf15c30d6eaa94fa58a7ad15123ce73c49b5

memory/4088-134-0x0000000000400000-0x000000000046E000-memory.dmp