Malware Analysis Report

2025-08-05 13:59

Sample ID 210514-kgz7hmgqnn
Target a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.zip
SHA256 5af391be90cda339cdd429d328f31292dd1018dd6817da3a5d989c2641a7050b
Tags
cryptbot spyware stealer discovery
score
10/10


Analysis Overview

score
10/10

SHA256

5af391be90cda339cdd429d328f31292dd1018dd6817da3a5d989c2641a7050b

Threat Level: Known bad

The file a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.zip was found to be: Known bad.

Malicious Activity Summary

cryptbot spyware stealer discovery

CryptBot Payload

CryptBot

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Delays execution with timeout.exe

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-14 01:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-14 01:23

Reported

2021-05-14 01:26

Platform

win7v20210410

Max time kernel

5s

Max time network

8s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

N/A

Checks processor information in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Process: C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe

"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe"

Network

N/A

Files

memory/788-59-0x0000000075551000-0x0000000075553000-memory.dmp

memory/788-60-0x00000000004F0000-0x00000000005D1000-memory.dmp

memory/788-61-0x0000000000400000-0x00000000004E5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-14 01:23

Reported

2021-05-14 01:26

Platform

win10v20210408

Max time kernel

35s

Max time network

40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Process: C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe
Target: N/A

Delays execution with timeout.exe

evasion

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\timeout.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe

"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\WZVgnyfPoLqw & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 3

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 remdvz22.top udp
N/A 8.8.8.8:53 morjgs02.top udp

Files

memory/740-115-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/740-114-0x00000000023B0000-0x0000000002491000-memory.dmp

memory/776-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\WZVgnyfPoLqw\files_\files\SELECT~1.TXT

MD5 d69cf9a1c59f964c570bcd1094191127
SHA1 d6ec3b0f1a748667321d5d48d8f794192265bf3b
SHA256 a4ead87004082485fe1574f68dec612a7a432e2fffaffaf668b80ba1b7f47e6a
SHA512 65560a1b9c07dda77c90c49967b4a5e2d239bdb5c85c00d5c2094de0edb8a514ead0710f7955778c640269dc5c029d5a92ed90a9aae185f523ec39b50e581d9e

C:\Users\Admin\AppData\Local\Temp\WZVgnyfPoLqw\files_\SYSTEM~1.TXT

MD5 09373838c3d9d007901715e3ab73d66b
SHA1 604f560d74ade68c0df9555380752dce8a939bd5
SHA256 14a6e37f9c5c20c9e80f6bca35bc1d878332f99b9a5e1285a144cf561cbf5f71
SHA512 c624e994e497c5e870cbd6bed0034844036068ac3313a8c1bd98f10c8587fea5738d89f3d09b40ba5e7fcf1a6c16d2507099008be259133109b73f8974adc64e

C:\Users\Admin\AppData\Local\Temp\WZVgnyfPoLqw\_Files\_Files\SELECT~1.TXT

MD5 d69cf9a1c59f964c570bcd1094191127
SHA1 d6ec3b0f1a748667321d5d48d8f794192265bf3b
SHA256 a4ead87004082485fe1574f68dec612a7a432e2fffaffaf668b80ba1b7f47e6a
SHA512 65560a1b9c07dda77c90c49967b4a5e2d239bdb5c85c00d5c2094de0edb8a514ead0710f7955778c640269dc5c029d5a92ed90a9aae185f523ec39b50e581d9e

C:\Users\Admin\AppData\Local\Temp\WZVgnyfPoLqw\WMPXDT~1.ZIP

MD5 4826ae324f90b15270dfdc2e746c78bb
SHA1 57a234501f54dcae39dd8a737510c70cb3a7b23f
SHA256 2d63960663bbac224a13953573a29488a150cca317334001a1830e48ba6d0d93
SHA512 2099443c26b43a87d6028a8d312ba3fb936a2f56fa50dc161066d25bdeb9c51e42fd8b6849501fa88ef8f5f36688011dce139480094f04cf24b146086a1eb3d6

C:\Users\Admin\AppData\Local\Temp\WZVgnyfPoLqw\LKYZVQ~1.ZIP

MD5 fbd9c0b05d71ea78479d7d08722bb8f6
SHA1 a8daee64790d7ae8e82ec3ec2c671ccdbb507e95
SHA256 08f81678e98fa99824b0a9f1d3fa57e28d7ac69be3213510d4d1aa12707aac80
SHA512 eae709fc1c715b3aa3451183f859101117670f19c5d3572e4a24bce62d2a518f54d77d2567518af8b1c90d138d4ba5ad65f0f4d6ed9722925b1b837e4b3a4f2b

C:\Users\Admin\AppData\Local\Temp\WZVgnyfPoLqw\files_\SCREEN~1.JPG

MD5 b5c3d990fd8e0282386255f018832b93
SHA1 c08ff7dd616bfc9f00f4562cead549e98fcf5d90
SHA256 afa66688b826e12c52a9f5cce055d6da6da608d4a7882b6d5e35df9ea85376cb
SHA512 3134f14bc0094110cf1e22abf37360c09892861ebfd8f1544deaef82df62c1a35481e531e9802421b774c9f005c6839bb9c66c1448605b3df59523bababe472c

C:\Users\Admin\AppData\Local\Temp\WZVgnyfPoLqw\_Files\_INFOR~1.TXT

MD5 fdec9beac2623d9c38f5d0130a506d83
SHA1 a495bd976d82cd04973be7d3b4812739cf37e2cf
SHA256 35a8870c441f230b229061d524e6eb3a1a905022d6edce59c05c16ca8e966281
SHA512 1a77d3e73121f8026e3d3e47c365dfd2995d4a03912f89fc84375eb15d4a11d945f6223a4f8bce91f0b2d7c2869088d58b09a2944ca6c54fe27b2d53b604ee51

C:\Users\Admin\AppData\Local\Temp\WZVgnyfPoLqw\_Files\_SCREE~1.JPE

MD5 b5c3d990fd8e0282386255f018832b93
SHA1 c08ff7dd616bfc9f00f4562cead549e98fcf5d90
SHA256 afa66688b826e12c52a9f5cce055d6da6da608d4a7882b6d5e35df9ea85376cb
SHA512 3134f14bc0094110cf1e22abf37360c09892861ebfd8f1544deaef82df62c1a35481e531e9802421b774c9f005c6839bb9c66c1448605b3df59523bababe472c

memory/1416-125-0x0000000000000000-mapping.dmp