Malware Analysis Report

2025-08-05 13:59

Sample ID 210511-tvaxm2baps
Target a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c
SHA256 a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c
Tags
themida cryptbot discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V6
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)
Analysis: behavioral2 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

score
10/10

SHA256

a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c

Threat Level: Known bad

The file a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c was found to be: Known bad.

The two detonations differ markedly. On Windows 7 (behavioral1) the sample ran its full stealer routine: it staged harvested data under C:\ProgramData\aRuqKYUHjcVND, contacted ip-api.com and sdaurr02.top, then wiped the staging directory and deleted itself through a cmd.exe chain that uses timeout.exe as the delay. On Windows 10 (behavioral2) it only performed its BIOS, UAC and debugger checks and exited without spawning child processes or generating any network traffic, which is consistent with one of its anti-analysis checks tripping on that image. When reproducing the analysis, treat the Windows 7 run as the one that shows the payload behaviour.

Malicious Activity Summary

themida cryptbot discovery evasion spyware stealer trojan

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Reads user/profile data of web browsers

Deletes itself

Checks BIOS information in registry

Themida packer

Looks up external IP address via web service

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-11 10:11

Signatures

Themida packer

themida
Description Indicator Process Target: none recorded (static detection, no per-row details)

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-11 10:11

Reported

2021-05-11 12:21

Platform

win7v20210410

Max time kernel

82s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target: none recorded (static detection, no per-row details)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe N/A
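The three registry lookups above (SystemBiosVersion and VideoBiosVersion under HARDWARE\DESCRIPTION\System, EnableLUA under Policies\System, and ProcessorNameString under CentralProcessor\0) are the raw material of the "Identifies VirtualBox" and "Checks whether UAC is enabled" signatures. The following is an added example, not code from the sample or from the sandbox, that evaluates those same values the way a pafish-style anti-VM check would, so an analyst can see what a stock VirtualBox guest gives away and verify a hardened image before detonating stealers on it. The list of marker substrings, the sample registry values, and the function names are assumptions of this example; on Windows the script reads the live values with winreg, elsewhere it falls back to the constructed VirtualBox sample.

```python
"""Registry-based host fingerprinting as performed by the sample (added example)."""
import sys

# (HKLM subkey, value name) pairs taken from the indicator tables above
QUERIED_VALUES = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"),
]

# ASSUMED marker list (not from the report): substrings that anti-VM code commonly searches for.
# VBOX / VIRTUALBOX are the ones behind the "Identifies VirtualBox" signature.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS")


def _as_text(data):
    """SystemBiosVersion / VideoBiosVersion are REG_MULTI_SZ (winreg returns a list of strings);
    flatten any value to one upper-case string for substring matching."""
    if data is None:
        return ""
    if isinstance(data, (list, tuple)):
        return " ".join(str(s) for s in data).upper()
    return str(data).upper()


def evaluate(values):
    """values: mapping value name -> registry data (None when the value is absent).
    Returns which markers hit, whether the host looks virtual, and the UAC state."""
    hits = []
    for name in ("SystemBiosVersion", "VideoBiosVersion", "ProcessorNameString"):
        text = _as_text(values.get(name))
        hits.extend((name, marker) for marker in VM_MARKERS if marker in text)
    lua = values.get("EnableLUA")
    return {
        "vm_markers": hits,
        "looks_virtual": bool(hits),
        "uac_enabled": None if lua is None else bool(int(lua)),  # None: value not present
    }


def read_live_values():
    """Read the same four values from the local machine (Windows only)."""
    import winreg  # only importable on Windows
    out = {}
    for subkey, name in QUERIED_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                out[name], _ = winreg.QueryValueEx(key, name)
        except OSError:
            out[name] = None  # key or value missing, e.g. EnableLUA never set
    return out


# Constructed inputs: what a stock VirtualBox guest and a physical host typically return.
SAMPLE_VBOX = {
    "SystemBiosVersion": ["VBOX   - 1"],
    "VideoBiosVersion": ["Oracle VM VirtualBox VBE Adapter"],
    "ProcessorNameString": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    "EnableLUA": 1,
}
SAMPLE_PHYSICAL = {
    "SystemBiosVersion": ["DELL   - 1072009", "1.14.0"],
    "VideoBiosVersion": ["Intel Video BIOS"],
    "ProcessorNameString": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    "EnableLUA": 1,
}

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else SAMPLE_VBOX
    print(evaluate(values))
```

A hit on either BIOS value means a stealer of this family can tell it is in VirtualBox before doing anything interesting, which is one plausible reason the Windows 10 run produced nothing beyond these checks. Sanitising the strings at the hypervisor (VirtualBox exposes them through DMI extradata on the pcbios device) and re-running this check is the practical fix.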

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe

"C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\aRuqKYUHjcVND & timeout 1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 1
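The cmd.exe command line above is the whole cleanup stage in one process-creation event: remove the staging directory, wait one second for the parent to exit, then delete the parent's own executable. Because every part of it is visible in the command line, it is a good candidate for a process-creation detection. The following is an added example, not part of the report, that runs such a check over constructed process events. The cmd.exe and timeout.exe command lines are the ones recorded in this run; the PIDs follow the memory-dump names in the Files section (1052, 592, 828) but the parent/child relations, the two benign decoy events and all function names are assumptions of this example.

```python
"""Flag the rd / timeout / del self-deletion chain in process-creation events (added example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


# Constructed events. Command lines of PIDs 592 and 828 are verbatim from the report;
# PID assignments and parents are assumed, PIDs 900/901 are benign decoys.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe"
EVENTS = [
    ProcEvent(1052, 1, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(592, 1052, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\system32\\cmd.exe" /c rd /s /q C:\\ProgramData\\aRuqKYUHjcVND'
              ' & timeout 1 & del /f /q "' + SAMPLE + '"'),
    ProcEvent(828, 592, r"C:\Windows\SysWOW64\timeout.exe", "timeout 1"),
    ProcEvent(900, 1, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c del /q C:\\Temp\\install.log'),
    ProcEvent(901, 1, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c rd /s /q C:\\Users\\Admin\\build\\obj'),
]

# del [/f /q ...] "<something>.exe"   -> group 2 is the deleted path
DEL_RE = re.compile(r'\bdel\b((?:\s+/[fqas])*)\s+"?([^"&|]+?\.exe)"?', re.I)
# rd|rmdir /s /q <dir>   -> group 1 is the directory, terminated by & or end of line
RD_RE = re.compile(r'\b(?:rd|rmdir)\b\s+(?:/[sq]\s+)+"?([^"&|]+?)"?\s*(?:&|$)', re.I)
# timeout [/t] N used as a sleep inside the chain
TIMEOUT_RE = re.compile(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?\d+", re.I)


def _norm(path):
    return path.strip().strip('"').lower()


def analyze(events):
    """Return one finding per cmd.exe event that deletes its parent's image and/or wipes a
    directory under C:\\ProgramData; benign del/rd usage produces no finding."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        cmd = e.cmdline
        if not re.search(r"\s/c\s", cmd, re.I):
            continue
        parent = by_pid.get(e.ppid)
        tags = []
        m = DEL_RE.search(cmd)
        if m and parent and _norm(m.group(2)) == _norm(parent.image):
            tags.append("self_delete")              # parent asked cmd to delete its own image
            if TIMEOUT_RE.search(cmd):
                tags.append("delayed_via_timeout")  # waits for the parent to exit first
        m = RD_RE.search(cmd)
        if m and _norm(m.group(1)).startswith("c:\\programdata\\"):
            tags.append("wipes_programdata_dir")    # removes the stealer's staging directory
        if tags:
            findings.append({"pid": e.pid, "ppid": e.ppid, "tags": tags, "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["pid"], f["tags"])
```

The self-delete rule keys on the parent relationship rather than on the file name, so it survives the random names these droppers use; the decoys show that an ordinary `del` of a log file or `rd /s /q` of a build directory is not flagged. In a real pipeline the same two regexes map directly onto a Sysmon Event ID 1 or 4688 CommandLine field.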

Network

Country Destination Domain Proto Note
N/A 8.8.8.8:53 ip-api.com udp DNS resolution
N/A 208.95.112.1:80 ip-api.com tcp external IP lookup (the "Looks up external IP address via web service" signature)
N/A 8.8.8.8:53 sdaurr02.top udp DNS resolution
N/A 58.64.137.69:80 sdaurr02.top tcp plain-HTTP contact with the second host; given the staged archive below, most likely the exfiltration endpoint

Files

memory/1052-59-0x0000000075721000-0x0000000075723000-memory.dmp

memory/1052-60-0x0000000000400000-0x0000000000AFE000-memory.dmp

memory/1052-61-0x0000000002D40000-0x000000000398A000-memory.dmp

memory/592-62-0x0000000000000000-mapping.dmp

C:\ProgramData\aRuqKYUHjcVND\172773~1.TXT

MD5 ae5044b0d999aebf4ebe23cf70e2b915
SHA1 0e5246e7eafbb8011ba75c344a95204a72d505cb
SHA256 3dc9a0d906a8b59bb6cb2bc6caabb1a6fd61e96343a770aac9c97e0981fc140d
SHA512 53b390a2c03fe1d8a2c806035b34ab4efc9ae38790392e00a89c251abc8f56c8ca7f82f088ed8f5c09e8c0dd2df816a46e4ae5c8a09729a41c3c16c7755196d4

C:\ProgramData\aRuqKYUHjcVND\Files\Browsers\Cookies\MOZILL~1.TXT

MD5 ecaa88f7fa0bf610a5a26cf545dcd3aa
SHA1 57218c316b6921e2cd61027a2387edc31a2d9471
SHA256 f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
SHA512 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

C:\ProgramData\aRuqKYUHjcVND\Files\Browsers\_FILEF~1.TXT

MD5 ecaa88f7fa0bf610a5a26cf545dcd3aa
SHA1 57218c316b6921e2cd61027a2387edc31a2d9471
SHA256 f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
SHA512 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

C:\ProgramData\aRuqKYUHjcVND\Files\Browsers\_FILEC~1.TXT

MD5 ecaa88f7fa0bf610a5a26cf545dcd3aa
SHA1 57218c316b6921e2cd61027a2387edc31a2d9471
SHA256 f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
SHA512 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

C:\ProgramData\aRuqKYUHjcVND\Files\Browsers\_FILEP~1.TXT

MD5 ecaa88f7fa0bf610a5a26cf545dcd3aa
SHA1 57218c316b6921e2cd61027a2387edc31a2d9471
SHA256 f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
SHA512 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

C:\ProgramData\aRuqKYUHjcVND\Files\_FILEP~1.TXT

MD5 ecaa88f7fa0bf610a5a26cf545dcd3aa
SHA1 57218c316b6921e2cd61027a2387edc31a2d9471
SHA256 f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
SHA512 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Note: this file, the three _FILE*~1.TXT files and MOZILL~1.TXT above all carry the same MD5/SHA1/SHA256/SHA512, so their contents are identical. The sandbox profile most likely held no browser cookies or matching files to harvest, and each is an empty-result placeholder rather than stolen data.

C:\ProgramData\aRuqKYUHjcVND\Files\_Screen.jpg

MD5 433d8658da6106a66128419e74ff1c32
SHA1 eac9e7b8a64d1a32e1da09a1dca9dad494fba2a4
SHA256 76bd4d866ee60d7d88462fa964ecb0a2bd32e44b8bf61c620fab12e3deb2b943
SHA512 dda5b1f11873b8a7c2c049ad7477303ff6216b8cee254709065716097bf921a9b9cab25ac2feb419991c3166d9d4162efacaabc98fe048685809f2323e67662c

C:\ProgramData\aRuqKYUHjcVND\JTGAXU~1.ZIP (most likely the packaged copy of the staged Files directory prepared for upload)

MD5 b8f34b1fc13ccabffaf6c122679497d0
SHA1 8224e7626cd738e9d496567536d6f5db6fa9339e
SHA256 afb30b8f022900f04d145eb10b3986220171b2d7a3ea1e8dd14ca52364166632
SHA512 7eb7d30957728bbbf5424d89e55348505c5bb4bac510b2e126f53b31a29acb0a93bd6e4d5d2c1117d5f10c022007be19daf50b2fc341457764c2dde46de53f0a

C:\ProgramData\aRuqKYUHjcVND\mocc.db

MD5 89d4b62651fa5c864b12f3ea6b1521cb
SHA1 570d48367b6b66ade9900a9f22d67d67a8fb2081
SHA256 22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70
SHA512 e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

C:\ProgramData\aRuqKYUHjcVND\Files\_Info.txt

MD5 05c84151bf9b6e02634a59a6ab7a33d8
SHA1 3a4cb3e0a10d522d96d7670c96e2b7afa2a325ab
SHA256 20f96bbdba79257e31d625d1d8a6f1d95611874f3819f0beec866f4004ac57f0
SHA512 813f6db2f79f9071f3adc7f5e7d73a819d5bbba3da15f5b34c2cbebc61e8554dafe994a83c9b63f06254c78ff1a72492e18fc7f360d69d76ecd91f3e707c00ed

memory/828-73-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-11 10:11

Reported

2021-05-11 12:21

Platform

win10v20210410

Max time kernel

109s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe N/A

Themida packer

themida
Description Indicator Process Target: none recorded (static detection, no per-row details)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe

"C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe"

Network

N/A

Files

memory/3700-114-0x0000000000400000-0x0000000000AFE000-memory.dmp

memory/3700-115-0x0000000077320000-0x00000000774AE000-memory.dmp