Malware Analysis Report

2025-08-05 13:59

Sample ID: 210514-j8x7mesa9e
Target: fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe
SHA256: fe68a629898384bb2edf90406da4c9d6764fd04e5337514e7edd9c2c608d2242
Tags: cryptbot, discovery, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: fe68a629898384bb2edf90406da4c9d6764fd04e5337514e7edd9c2c608d2242

Threat Level: Known bad

The file fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe was found to be: Known bad.

Malicious Activity Summary

Tags: cryptbot, discovery, spyware, stealer

CryptBot Payload

CryptBot

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-05-14 09:06

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2021-05-14 09:06
Reported: 2021-05-14 09:08
Platform: win10v20210408
Max time kernel: 38s
Max time network: 42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe"

Signatures

CryptBot
Tags: spyware, stealer, cryptbot

CryptBot Payload
Description: N/A; Indicator: N/A; Process: N/A; Target: N/A
Description: N/A; Indicator: N/A; Process: N/A; Target: N/A

Reads user/profile data of web browsers
Tags: spyware, stealer

Accesses cryptocurrency files/wallets, possible credential harvesting
Tags: spyware

Checks installed software on the system
Tags: discovery

Enumerates physical storage devices

Checks processor information in registry
Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Process: C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe
Target: N/A

Delays execution with timeout.exe
Tags: evasion
Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\timeout.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe"

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\OPsmMqiVs & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe"

C:\Windows\SysWOW64\timeout.exe
Command line: timeout 3

Network

Country: N/A; Destination: 8.8.8.8:53; Domain: remdny42.top; Proto: udp
Country: N/A; Destination: 8.8.8.8:53; Domain: morpgr04.top; Proto: udp

Files

memory/740-114-0x0000000002270000-0x0000000002351000-memory.dmp

memory/740-115-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/744-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\OPsmMqiVs\files_\files\SELECT~1.TXT

MD5 d69cf9a1c59f964c570bcd1094191127
SHA1 d6ec3b0f1a748667321d5d48d8f794192265bf3b
SHA256 a4ead87004082485fe1574f68dec612a7a432e2fffaffaf668b80ba1b7f47e6a
SHA512 65560a1b9c07dda77c90c49967b4a5e2d239bdb5c85c00d5c2094de0edb8a514ead0710f7955778c640269dc5c029d5a92ed90a9aae185f523ec39b50e581d9e

C:\Users\Admin\AppData\Local\Temp\OPsmMqiVs\files_\SCREEN~1.JPG

MD5 767c00d9e641b7eeb7a6dd9d393826b4
SHA1 b96b0229423250126bf3b66deb14617e8d324792
SHA256 0dd2a57e10801fc985be389c152f8f7e2325c25f7e4dbf186da276016316d6dd
SHA512 ee0eecd76a1b3af13ec46bf0f070aea1c49e778ff5fd4591be1a9a97fb96e620a1a0cb06da75d5aa8b852332314431300415cabc61fae26c30f92f1554545abc

C:\Users\Admin\AppData\Local\Temp\OPsmMqiVs\files_\SYSTEM~1.TXT

MD5 2453fa26eb49d5c2bb7f326482cffd95
SHA1 c6a24c640065c414dc561a5bd41083e250375e17
SHA256 cf77febe3c771ca8723c5b28b28213e46b899fe652aed0d25ff980bc6e58c783
SHA512 790533ee3fc2b47fa0b7694dbcca51b9039c7016da1c147a93f4ca6830662ddd697a01837bdd04ba0da935631bd4b9c9f9e49e59dad67232bc3ab790d92c871c

C:\Users\Admin\AppData\Local\Temp\OPsmMqiVs\OJYKIF~1.ZIP

MD5 8d3a5d0e0b015813ff9e767617fe25d8
SHA1 f7f04b6b1b173d5cf3187cf6c28d4b60884db77e
SHA256 e4a446e6b56b0e7abe0f1382918e2522cbb27571f9b25164bfb609d9f7888afb
SHA512 61975684814386c7562bef845ed13abf4b37b92510055863719de2a53fe9fd41e0aa3bbcfda21f6b8feb8c7cb937609356740f6a9689320cd7ade5f02b7025ea

C:\Users\Admin\AppData\Local\Temp\OPsmMqiVs\GQUOAA~1.ZIP

MD5 7ba85bdb503d179ab73946aebd0595cc
SHA1 b44ffbf914c4093f3d3363dee3e0e2254c91de36
SHA256 bb25b0de61863c5df8b9478d6717649a0476fb24c0933576a4aa3200cdd1f3eb
SHA512 5c1e6b58bf9d4bae20d0b1d00e42ff8e08bb5c552191cc65b9cc971d6714a04395e615991c128167ee405602e31cc7f22f7091e8cd55b64f994fb06e1c3daa46

C:\Users\Admin\AppData\Local\Temp\OPsmMqiVs\_Files\_Files\SELECT~1.TXT

MD5 d69cf9a1c59f964c570bcd1094191127
SHA1 d6ec3b0f1a748667321d5d48d8f794192265bf3b
SHA256 a4ead87004082485fe1574f68dec612a7a432e2fffaffaf668b80ba1b7f47e6a
SHA512 65560a1b9c07dda77c90c49967b4a5e2d239bdb5c85c00d5c2094de0edb8a514ead0710f7955778c640269dc5c029d5a92ed90a9aae185f523ec39b50e581d9e

C:\Users\Admin\AppData\Local\Temp\OPsmMqiVs\_Files\_INFOR~1.TXT

MD5 e1a2721d0df4ca8acf26049f0d3179be
SHA1 e779352da20d58a7d8c937b114fa226621c8d11d
SHA256 3de01b0c08c1b290f7b2bf0351e480234747f7e7f2eddd0b8d2ac4ecc9c71e72
SHA512 3b8bed28764e40cba36e30c7ff364accd7ac56da97618cc23bdb0aa0708020d8f9acda4766e06b48401e4780aaf9b6090189ce66d65a2e08d2748e5bbadf42dd

C:\Users\Admin\AppData\Local\Temp\OPsmMqiVs\_Files\_SCREE~1.JPE

MD5 767c00d9e641b7eeb7a6dd9d393826b4
SHA1 b96b0229423250126bf3b66deb14617e8d324792
SHA256 0dd2a57e10801fc985be389c152f8f7e2325c25f7e4dbf186da276016316d6dd
SHA512 ee0eecd76a1b3af13ec46bf0f070aea1c49e778ff5fd4591be1a9a97fb96e620a1a0cb06da75d5aa8b852332314431300415cabc61fae26c30f92f1554545abc

memory/3744-125-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2021-05-14 09:06
Reported: 2021-05-14 09:08
Platform: win7v20210410
Max time kernel: 8s
Max time network: 13s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe"

Signatures

CryptBot
Tags: spyware, stealer, cryptbot

CryptBot Payload
Description: N/A; Indicator: N/A; Process: N/A; Target: N/A
Description: N/A; Indicator: N/A; Process: N/A; Target: N/A

Checks processor information in registry
Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Process: C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe"

Network

N/A

Files

memory/1704-59-0x0000000075161000-0x0000000075163000-memory.dmp

memory/1704-60-0x0000000001E40000-0x0000000001F21000-memory.dmp

memory/1704-61-0x0000000000400000-0x00000000004E5000-memory.dmp