Malware Analysis Report

2025-08-05 13:59

Sample ID 210513-l44v28h5qs
Target 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe
SHA256 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd0623c0df2fe62bd99986b
Tags: cryptbot spyware stealer discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

2051799f92fd036d6e1c8a9c06a4aea85a9509214cd0623c0df2fe62bd99986b

Threat Level: Known bad

The file 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe was found to be: Known bad.

Malicious Activity Summary

cryptbot spyware stealer discovery

CryptBot

CryptBot Payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-13 19:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-13 19:01

Reported

2021-05-13 19:04

Platform

win7v20210408

Max time kernel

121s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"

Signatures

CryptBot

Tags: spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A
N/A         | N/A       | N/A     | N/A

Checks processor information in registry

Description       | Indicator                                                                                   | Process                                                                                | Target
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe

"C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"

Network

N/A

Files

memory/1820-59-0x0000000076641000-0x0000000076643000-memory.dmp

memory/1820-60-0x0000000001E10000-0x0000000001EF1000-memory.dmp

memory/1820-61-0x0000000000400000-0x00000000004E5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-13 19:01

Reported

2021-05-13 19:04

Platform

win10v20210408

Max time kernel

36s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"

Signatures

CryptBot

Tags: spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A
N/A         | N/A       | N/A     | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags: spyware

Checks installed software on the system

Tags: discovery

Enumerates physical storage devices

Checks processor information in registry

Description       | Indicator                                                                                   | Process                                                                                | Target
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A

Delays execution with timeout.exe

Tags: evasion

Description | Indicator | Process                         | Target
N/A         | N/A       | C:\Windows\SysWOW64\timeout.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe

"C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 3

Network

Country | Destination | Domain       | Proto
N/A     | 8.8.8.8:53  | remdny42.top | udp
N/A     | 8.8.8.8:53  | morpgr04.top | udp

Files

memory/800-114-0x0000000002260000-0x0000000002341000-memory.dmp

memory/800-115-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/1472-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv\files_\SCREEN~1.JPG

MD5 b957b48143d28f9bdf39a08d5c5ff3e9
SHA1 b9b5817f3c4c31546b252eabdeef1dc64b3f7ff1
SHA256 0b74b355768521f52d3d1ab32e4af0a6bfc6ccdcfa34ff6648eaaf05c79fabd8
SHA512 b82e5e7e8f4d429055b5a1157e01af6c4c99d3b7b39af7d692326d1640ab8b0eb22ff3739e811f50f02ba7cf9005a44a3bab4c5a19ead841d40f086e0eee7f40

C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv\files_\SYSTEM~1.TXT

MD5 3ad9bfa82c14c0304f2ee4bea0593e36
SHA1 6a9d0bdd02d09fb072ade7e6bda4db3082917b94
SHA256 55b65d05cf8112cb50dd9c803a5a201e8b0038e496a547036ec973c59837dcbb
SHA512 aacce1b695b89c187d5b1d01d44058ba32be8fcfe303213bbb132dfc3ee3e7cd6b785ed74c8d8b307ad328339baad474d7709e6ef5800d59f55273ef77d7150e

C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv\PHCFME~1.ZIP

MD5 1764749f7f6a9d2c4dc1e47469903e35
SHA1 90aefe64a4d21ba3346146a417e543b1afcc43ca
SHA256 1cfe33f1501fbd97f27adb11aeb6556fa91ac2515c4f23ce5afbb3971989520d
SHA512 eff44987c1824bcb235c4bc55232d0bcfd6bf5e6afd5f17b17aadd54ac7fb42aeec9ba54274e635c087d417771e759044561cc2a1c330381af9fd2afb226dcd2

C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv\YSIEQK~1.ZIP

MD5 5d1b85daa2595ef6536e9988ee395286
SHA1 2a49f010ce2cdee7a173ad21a8fd89deecf1b475
SHA256 a33f9504d2a60d571d43e94b59d8edac01fe7d2d054ba2b82029a85fd25f8d50
SHA512 6b54f4c796dd98f7ce535da54819e3fe34cebd1e74130f513cba02c45123a34f28aa3dc8dbd99528cc020f9b9b7e0ede4d96b8cf825c30f81e14fcc4531eef32

C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv\_Files\_INFOR~1.TXT

MD5 7960f60efd415b2dde98b75e2633bddd
SHA1 ebadd99b2427dc6a2db80a89ec1ca769b8227dcb
SHA256 5a26d99f6ca5c2ab65f5ec259002a5a15492d2578f7c4ee4b391344d3aa39c02
SHA512 57c30d182266c1d17c1c9ffd69f7698bc28d6b4a199a77532bf1b31b8f45140f576ef5bb6b085662672c5a7f40c90eec1214b5580e37720b7ac67fdca12c3678

C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv\_Files\_SCREE~1.JPE

MD5 b957b48143d28f9bdf39a08d5c5ff3e9
SHA1 b9b5817f3c4c31546b252eabdeef1dc64b3f7ff1
SHA256 0b74b355768521f52d3d1ab32e4af0a6bfc6ccdcfa34ff6648eaaf05c79fabd8
SHA512 b82e5e7e8f4d429055b5a1157e01af6c4c99d3b7b39af7d692326d1640ab8b0eb22ff3739e811f50f02ba7cf9005a44a3bab4c5a19ead841d40f086e0eee7f40

memory/2076-123-0x0000000000000000-mapping.dmp