Malware Analysis Report

2025-08-05 13:59

Sample ID 210514-fza9l533la
Target 305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe
SHA256 305df52e17cf7e129ece5188cd9bf51102fda9ac812d597c3e29314b06e8b3b8
Tags cryptbot spyware stealer discovery
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

305df52e17cf7e129ece5188cd9bf51102fda9ac812d597c3e29314b06e8b3b8

Threat Level: Known bad

The file 305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe was found to be: Known bad.

Malicious Activity Summary

cryptbot spyware stealer discovery

CryptBot

CryptBot Payload

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-14 17:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-14 17:02

Reported

2021-05-14 17:06

Platform

win7v20210410

Max time kernel

123s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe

"C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"

Network

N/A

Files

memory/1088-60-0x00000000753B1000-0x00000000753B3000-memory.dmp

memory/1088-61-0x00000000002F0000-0x00000000003D1000-memory.dmp

memory/1088-62-0x0000000000400000-0x00000000004E5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-14 17:02

Reported

2021-05-14 17:06

Platform

win10v20210408

Max time kernel

36s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe

"C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 3

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | remeze52.top | udp
N/A | 8.8.8.8:53 | morhza05.top | udp

Files

memory/708-114-0x0000000002180000-0x0000000002261000-memory.dmp

memory/708-115-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/2176-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\BRSPPO~1.ZIP

MD5 7ed113173c77580f1ec6d49a0850d6d6
SHA1 7533ba6a5b8e2ffdb8aa965bcdb24751f4913542
SHA256 1bb8ff2e58b052933f85c3e6de7982eadcb80feeeb23c3505f6f297af2cf6234
SHA512 a4dfc90a877a658a32302d065bf41c06356a708692ede6899c7c1d71ad2426ebebfe6f4a678870ee75ba20bed012bc7c58b069bf1f26a4d31b4bd64fa8711948

C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\files_\files\CLOSEU~1.TXT

MD5 86dc1bdd11b9ca73ec301305b167f9b8
SHA1 26afe227fd790a0ab3918bdda27e7de13bcac224
SHA256 9c7d31edcaf4de852f28fba72e0fb36557cef765fdf04ae4548726bd9ef94c10
SHA512 b897e3c5ed396071f476a6e725e338c74a459e9945380753bee5bca823143db0af8bfcd400e08e1a5b6d054d001e78c1b104c5e7c3edc288b6580bbaa46a76f9

C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\files_\SCREEN~1.JPG

MD5 211040af06f9a64c3fc58699d8a9a4e0
SHA1 3e7999bc405e12d99b9e9783167ca52825a00e9e
SHA256 539988bd11e12417d2bea29c95d62fdb9fbdca4817bfc5383e2ced9ec28a4637
SHA512 d60db8566e9d46ce6964cda89d0bf3f421913d6f906d44a351ae3fb25ec7d2191f13e1d45420e2d4de0777c500bff2a96667db670eeeaa477ea2da3846053708

C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\_Files\_Files\CLOSEU~1.TXT

MD5 86dc1bdd11b9ca73ec301305b167f9b8
SHA1 26afe227fd790a0ab3918bdda27e7de13bcac224
SHA256 9c7d31edcaf4de852f28fba72e0fb36557cef765fdf04ae4548726bd9ef94c10
SHA512 b897e3c5ed396071f476a6e725e338c74a459e9945380753bee5bca823143db0af8bfcd400e08e1a5b6d054d001e78c1b104c5e7c3edc288b6580bbaa46a76f9

C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\UWBMRU~1.ZIP

MD5 fd1f2eb523b84ba65492e439d9e46c1e
SHA1 d45118e4fc20cf63b165036f4eba1db7d4986349
SHA256 4cabe5b428ab638e7f7696f6517335f68ea57e7220a687c1083b0a57696cad59
SHA512 24998637f3b2bd716948867c75adac548d2e42bf5b261a0d73e590a51aa1bb7042028a62117247215a1c67c9b73ff1d948d06dbcfba36712d87dac2d66f16a0c

C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\files_\SYSTEM~1.TXT

MD5 c8eae4e0809a6e60face7b5ea849f2a9
SHA1 17274a7497d879bdb2519b58793c0368538984d8
SHA256 7f09e7c7bcde738ed86ced285793782348887078d072de0b26be76423c0968f5
SHA512 6425bd07c541a12a48737887c4cf1506d282e55e5f7965f1a86a6fd83b94d93d0f3da44eb0b287b4674bf68054615e4bd7cc13ab4d53d1009ccd695453294eb5

C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\_Files\_INFOR~1.TXT

MD5 aeb358df5eb08bc27d188ab8d8d2fde1
SHA1 bb5ebbf99f2551762647f450468d49d20df1306e
SHA256 38f9ff0b078f4a7ae291b2a78f1941982e815fc0f49362955085bddcc164634e
SHA512 4ba302c40fa6ea404ff4be3c80ced4417055773f43ef232e48202ab18fcf0e38b39b4e7beed6d9deae7cf1ff8ada5e48d36ee4bfe0232401f56173f06eaf5c9f

C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\_Files\_SCREE~1.JPE

MD5 211040af06f9a64c3fc58699d8a9a4e0
SHA1 3e7999bc405e12d99b9e9783167ca52825a00e9e
SHA256 539988bd11e12417d2bea29c95d62fdb9fbdca4817bfc5383e2ced9ec28a4637
SHA512 d60db8566e9d46ce6964cda89d0bf3f421913d6f906d44a351ae3fb25ec7d2191f13e1d45420e2d4de0777c500bff2a96667db670eeeaa477ea2da3846053708

memory/1312-125-0x0000000000000000-mapping.dmp