Malware Analysis Report

2025-08-05 13:59

Sample ID 210514-yfn4zn3mdj
Target 2da5f09b58088a8e3a3ffa45d1f5f5d9.exe
SHA256 3fbbe701191020522bf1488b4015d325f38c46acd07456de0cd8f4035f1ed170
Tags
cryptbot discovery spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

3fbbe701191020522bf1488b4015d325f38c46acd07456de0cd8f4035f1ed170

Threat Level: Known bad

The file 2da5f09b58088a8e3a3ffa45d1f5f5d9.exe was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot Payload

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Checks processor information in registry

Analysis: static1

Detonation Overview

Reported

2021-05-14 07:02

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-14 07:02

Reported

2021-05-14 07:05

Platform

win10v20210408

Max time kernel

39s

Max time network

42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe

"C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 3

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | remkoy32.top | udp
N/A | 8.8.8.8:53 | morkqz03.top | udp

Files

memory/856-114-0x0000000002650000-0x0000000002731000-memory.dmp

memory/856-115-0x0000000000400000-0x00000000008B9000-memory.dmp

memory/652-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj\files_\SCREEN~1.JPG

C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj\files_\SYSTEM~1.TXT

C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj\NARBWU~1.ZIP

C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj\UFGEUW~1.ZIP

C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj\_Files\_INFOR~1.TXT

C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj\_Files\_SCREE~1.JPE

memory/1268-123-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-14 07:02

Reported

2021-05-14 07:05

Platform

win7v20210408

Max time kernel

7s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe

"C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"

Network

N/A

Files

memory/652-59-0x0000000075C31000-0x0000000075C33000-memory.dmp

memory/652-60-0x00000000021C0000-0x00000000022A1000-memory.dmp

memory/652-61-0x0000000000400000-0x00000000008B9000-memory.dmp