Malware Analysis Report

2025-08-05 13:59

Sample ID: 210514-d7w5gtlssj
Target: 2da5f09b58088a8e3a3ffa45d1f5f5d9.exe
SHA256: 3fbbe701191020522bf1488b4015d325f38c46acd07456de0cd8f4035f1ed170
Tags: cryptbot spyware stealer discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 3fbbe701191020522bf1488b4015d325f38c46acd07456de0cd8f4035f1ed170

Threat Level: Known bad

The file 2da5f09b58088a8e3a3ffa45d1f5f5d9.exe was found to be: Known bad.

Malicious Activity Summary

Tags: cryptbot spyware stealer discovery

CryptBot Payload
CryptBot
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-05-14 06:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-05-14 06:51
Reported: 2021-05-14 06:53
Platform: win7v20210410
Max time kernel: 48s
Max time network: 48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe

"C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"

Network

N/A

Files

memory/1104-59-0x0000000076E11000-0x0000000076E13000-memory.dmp

memory/1104-60-0x00000000008C0000-0x00000000009A1000-memory.dmp

memory/1104-61-0x0000000000400000-0x00000000008B9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2021-05-14 06:51
Reported: 2021-05-14 06:53
Platform: win10v20210408
Max time kernel: 39s
Max time network: 55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe

"C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\FmThvdxtIBfNm & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 3

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | remkoy32.top | udp
N/A | 8.8.8.8:53 | morkqz03.top | udp
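The three behaviours recorded in behavioral2 above (the cmd.exe chain that wipes the staging directory, sleeps, and deletes the dropper; the ProcessorNameString read; and the two DNS lookups) expressed as detection logic over constructed telemetry. This is an added example, not part of the sandbox report or of any vendor's rule set. The event records, their field names, and the parent/child PID assignments (764 for the sample, 3756 for cmd.exe, 3424 for timeout.exe, inferred from the memory-dump names above) are assumptions; the benign control event is invented to show what the rule must not fire on. Note that the `timeout 3` the sandbox tags as "evasion" is functionally part of the self-deletion: Windows will not delete an executable whose image is still mapped, so the delay gives the parent process time to exit before `del` runs.

```python
import re
from dataclasses import dataclass

# Constructed telemetry (not captured from the sandbox run). Field names loosely
# follow Sysmon process-create / registry / DNS events, but the records, the
# parent-child links and the PID-to-image mapping are assumptions for this example.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"
EVENTS = [
    {"type": "process", "pid": 764, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_query", "pid": 764,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"type": "dns", "pid": 764, "query": "remkoy32.top", "server": "8.8.8.8"},
    {"type": "dns", "pid": 764, "query": "morkqz03.top", "server": "8.8.8.8"},
    {"type": "process", "pid": 3756, "ppid": 764, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\FmThvdxtIBfNm'
                r' & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"'},
    {"type": "process", "pid": 3424, "ppid": 3756, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout 3"},
    # Benign control (invented): an admin batch job that also sleeps and deletes, but not its parent.
    {"type": "process", "pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c timeout 5 & del /q C:\Logs\old.log'},
]

# cmd.exe chain seen in behavioral2: wipe staging dir, sleep so the parent can
# exit and release its image file, then delete the dropper.
SELF_DELETE_RE = re.compile(
    r"""(?ix)
    (?:(?:rd|rmdir)\s+/s\s+/q\s+(?P<stage>"[^"]+"|\S+)\s*&\s*)?   # optional staging-dir wipe
    timeout\s+(?:/t\s+)?(?P<secs>\d+)\s*&\s*                      # delay before the delete
    del\s+(?:/[fq]\s+)*"?(?P<target>[^"&]+?\.exe)"?\s*$           # target executable
    """
)

IOC_DOMAINS = {"remkoy32.top", "morkqz03.top"}  # taken from the report's Network table


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def _image_table(events):
    return {e["pid"]: e["image"] for e in events if e["type"] == "process"}


def find_self_deletion(events):
    """cmd.exe that sleeps and then deletes the image of its own parent process."""
    images = _image_table(events)
    out = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        parent = images.get(e["ppid"], "")
        # The discriminator: the delete target is the parent's own image file.
        if m["target"].strip().lower() == parent.lower():
            out.append(Finding("self_delete_parent_image", e["pid"],
                               f"deletes {parent} after {m['secs']}s; staging dir {m['stage'] or 'n/a'}"))
    return out


def find_cpu_fingerprint(events):
    """ProcessorNameString read by a process whose image lives outside C:\\Windows."""
    images = _image_table(events)
    out = []
    for e in events:
        if e["type"] != "registry_query":
            continue
        if not e["key"].lower().endswith(r"\centralprocessor\0\processornamestring"):
            continue
        image = images.get(e["pid"], "")
        if not image.lower().startswith("c:\\windows\\"):
            out.append(Finding("cpu_fingerprint_registry", e["pid"], image))
    return out


def find_ioc_dns(events):
    """DNS queries for the domains listed in the report."""
    return [Finding("dns_ioc", e["pid"], e["query"].lower())
            for e in events if e["type"] == "dns" and e["query"].lower() in IOC_DOMAINS]


def run(events):
    return find_self_deletion(events) + find_cpu_fingerprint(events) + find_ioc_dns(events)


if __name__ == "__main__":
    for f in run(EVENTS):
        print(f"{f.rule:28} pid={f.pid:<6} {f.detail}")
```

Run it directly to print one finding per rule. The parent-image comparison is what keeps the first rule quiet on ordinary batch cleanup (the benign control uses `timeout` and `del` too and does not fire); the registry rule is gated on the querying image path because many legitimate installers read ProcessorNameString; the DNS rule is pure IOC matching on the two domains above and generalises to nothing else.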

Files

memory/764-114-0x0000000002650000-0x0000000002731000-memory.dmp

memory/764-115-0x0000000000400000-0x00000000008B9000-memory.dmp

memory/3756-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FmThvdxtIBfNm\files_\SCREEN~1.JPG

MD5 a9d58199f17d6efcc759687810e2bb10
SHA1 a62557989eeeaad9e8438c0b8126f7631662e06c
SHA256 0b9e36f74a6c5118fd74bfa56e2762360c90eea3eb0d781012164a14ded022b3
SHA512 8e5e19c2adc0e220f57c5555fdbbbc4cdf3c8ccf554dd67576b5a2a3c3cd609d1a7abb58d2721fbb0b07f5d43e479beb5a887a97df60a25f3704d8206cdd6fe3

C:\Users\Admin\AppData\Local\Temp\FmThvdxtIBfNm\files_\SYSTEM~1.TXT

MD5 88e4268957d016d605097a663db326d8
SHA1 d33165a4a8984a487f01d29fcd4ff0bb4e102d08
SHA256 6461a053ce909b080d950d75235cadf8cf4ac3809449caf315a9d5619df2fd1b
SHA512 088a7491be910ea6fa473cef169436b179d126e2b1303b7476a70b673f5674bbcb6473f29f862e9c6c087448916f73e33695e55063d772ad98384dc7885e239f

C:\Users\Admin\AppData\Local\Temp\FmThvdxtIBfNm\HUAHIU~1.ZIP

MD5 1342ee29316d942806c1ef72a71474ad
SHA1 00c024baabcc23568ee51a8a1a9f54ce734bcb66
SHA256 1e7325daea63c8f3a4b5d720fd285fe256a5bb477d71bc241291837ad605d4d2
SHA512 559138960cf1f3642359b4c7f92560b9158d1d18b93df736f7a94de4efaf1d5911d9d4cdde61e9bb5236f6fa1ec31f854ce72a9b2f272fda4cde937cef79ebad

C:\Users\Admin\AppData\Local\Temp\FmThvdxtIBfNm\rwsdhkHM.zip

MD5 a7a0d94e4516b191923a9a91f9beb14e
SHA1 c705667f307ba1164369d9030c00589eb46d6517
SHA256 f9ce92d930a16b074b0ec036e9cf38509b03f0e1dc42023eefbedec90346f5b5
SHA512 e07967f4e6b64bb7feef2611e1cd7c6dc31efda5a070e8456869fb20454217ced8ffbde8df42d1adf6ae45ac8c5d6fca748866e3f6b3d38f56b43f8acc18ceb8

C:\Users\Admin\AppData\Local\Temp\FmThvdxtIBfNm\_Files\_SCREE~1.JPE

MD5 a9d58199f17d6efcc759687810e2bb10
SHA1 a62557989eeeaad9e8438c0b8126f7631662e06c
SHA256 0b9e36f74a6c5118fd74bfa56e2762360c90eea3eb0d781012164a14ded022b3
SHA512 8e5e19c2adc0e220f57c5555fdbbbc4cdf3c8ccf554dd67576b5a2a3c3cd609d1a7abb58d2721fbb0b07f5d43e479beb5a887a97df60a25f3704d8206cdd6fe3

C:\Users\Admin\AppData\Local\Temp\FmThvdxtIBfNm\_Files\_INFOR~1.TXT

MD5 c7805080e8716611a2d17565d40e9d0b
SHA1 300685ffc72e9fa2c559f47cc844ed85bf3105f3
SHA256 05a2702f3204626dac8df2e2908564b7835803dff38e982d6b9824c2505be6d3
SHA512 9e82ec74ba1cca2b40fc0fbc526ad038dc9722a73f71d4d5e22fd4f4b633140cfd2780d383b362601ac5b0829e64f9568d10fbf3ad7b4f84fc59c1903d78441d

memory/3424-123-0x0000000000000000-mapping.dmp