Malware Analysis Report

2025-08-05 13:59

Sample ID 210514-39fxay6e7e
Target 305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe
SHA256 305df52e17cf7e129ece5188cd9bf51102fda9ac812d597c3e29314b06e8b3b8
Tags
cryptbot spyware stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

305df52e17cf7e129ece5188cd9bf51102fda9ac812d597c3e29314b06e8b3b8

Threat Level: Known bad

The file 305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe was found to be: Known bad.

Malicious Activity Summary

cryptbot spyware stealer discovery

CryptBot Payload

CryptBot

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-14 16:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-14 16:26

Reported

2021-05-14 16:29

Platform

win7v20210408

Max time kernel

8s

Max time network

38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe

"C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"

Network

N/A

Files

memory/1812-59-0x0000000075801000-0x0000000075803000-memory.dmp

memory/1812-60-0x0000000001DB0000-0x0000000001E91000-memory.dmp

memory/1812-61-0x0000000000400000-0x00000000004E5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-14 16:26

Reported

2021-05-14 16:28

Platform

win10v20210408

Max time kernel

33s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe

"C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 3

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | remeze52.top | udp
N/A | 8.8.8.8:53 | morhza05.top | udp

Files

memory/740-114-0x0000000002280000-0x0000000002361000-memory.dmp

memory/740-115-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/744-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\files_\files\SELECT~1.TXT

MD5 d69cf9a1c59f964c570bcd1094191127
SHA1 d6ec3b0f1a748667321d5d48d8f794192265bf3b
SHA256 a4ead87004082485fe1574f68dec612a7a432e2fffaffaf668b80ba1b7f47e6a
SHA512 65560a1b9c07dda77c90c49967b4a5e2d239bdb5c85c00d5c2094de0edb8a514ead0710f7955778c640269dc5c029d5a92ed90a9aae185f523ec39b50e581d9e

C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\files_\SCREEN~1.JPG

MD5 2c042c0567f9c6ed2035dd760fa668a1
SHA1 85c83fb3296f5d4206e233f3bb29d9103af9c7b3
SHA256 dff28b58a90784614c7be6667184927357221df1c4c75b252c91aeea1b5b4c6e
SHA512 925ac94eb716d549a079e9cae063e580d26fa017eacc14b5c5fb0b6d545701b80f7aec1e39350e252dce40971d67a63deda762658b706b2a3c128fd45cd4464a

C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\files_\SYSTEM~1.TXT

MD5 be1a855e9d6e7d79ed985516326c89c5
SHA1 b42c5979938e76e6622a99cb11821fe5951d784d
SHA256 b2cc20df0797646347d683369a2360527007a16201f32bee6e7f62b5e82aa1e9
SHA512 5cfc6f4b03142f1732a78a950fde19ff72293ca186b0710f44e637f4506b697fdd8fae5c707cc6c2cff0931c71346b80c8a0884f703683e9504978ab7e7e0c65

C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\LHRFWM~1.ZIP

MD5 6bd7f6a9da3054a7b61313a145842950
SHA1 8da32ea4a7770dc18b5655806fed08e665ff0f3d
SHA256 688e2d0dfd24db504afcd30ac7ea92123487d9d30d746673dca9169efac6ff30
SHA512 1044a1d500e24bedbb4ea2c8171ed6b29b1bbb128f3c91e34110ba46bd3d5e4909c510e5bacba2bcdb6e48e0d7cb7504245a1f432f53775c506f660e52d284bd

C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\NOEWTH~1.ZIP

MD5 3cfb460b059e5e503686d8864723b210
SHA1 2df1ea51eaa47359fb116081e21b931d0b03b52d
SHA256 cf93148c395ddfb4f52933b0b18e147d0bead3f83582b6cec4ac71e0a2f21411
SHA512 122b10d62a648642bb4398e6595d177556dda52cb1416aea659eaffebc92010c795a56be1d3cb6f7c5d5d09d8eaae17c5d0f539b2d2466eb10fc53fadc264711

C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\_Files\_Files\SELECT~1.TXT

MD5 d69cf9a1c59f964c570bcd1094191127
SHA1 d6ec3b0f1a748667321d5d48d8f794192265bf3b
SHA256 a4ead87004082485fe1574f68dec612a7a432e2fffaffaf668b80ba1b7f47e6a
SHA512 65560a1b9c07dda77c90c49967b4a5e2d239bdb5c85c00d5c2094de0edb8a514ead0710f7955778c640269dc5c029d5a92ed90a9aae185f523ec39b50e581d9e

C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\_Files\_INFOR~1.TXT

MD5 63a1190e5fae95637f0e2a68a769df7e
SHA1 6fa29947a36d1854aec53708089b4727cc37f690
SHA256 85ee6db014a07a8a156198f551cce3903a165660e76c3e450485e0f051cc300a
SHA512 78482cad7d7c395f0919f86fad30ae702f9669afb2b8e3168f0081994cd9408f9267f8c183404ca83142f8611b49ece2dc874cf61d7dcad99527c9a6c02f715b

C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\_Files\_SCREE~1.JPE

MD5 2c042c0567f9c6ed2035dd760fa668a1
SHA1 85c83fb3296f5d4206e233f3bb29d9103af9c7b3
SHA256 dff28b58a90784614c7be6667184927357221df1c4c75b252c91aeea1b5b4c6e
SHA512 925ac94eb716d549a079e9cae063e580d26fa017eacc14b5c5fb0b6d545701b80f7aec1e39350e252dce40971d67a63deda762658b706b2a3c128fd45cd4464a

memory/2812-125-0x0000000000000000-mapping.dmp