Malware Analysis Report

2025-08-05 13:59

Sample ID 210515-kn836tes7s
Target ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe
SHA256 ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759fd20c9cf44693abf786
Tags
cryptbot spyware stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759fd20c9cf44693abf786

Threat Level: Known bad

The file ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe was found to be: Known bad.

Malicious Activity Summary

cryptbot spyware stealer discovery

CryptBot Payload

CryptBot

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Delays execution with timeout.exe

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-15 10:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-15 10:32

Reported

2021-05-15 10:34

Platform

win7v20210408

Max time kernel

8s

Max time network

13s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe

"C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"

Network

N/A

Files

memory/1028-60-0x0000000075801000-0x0000000075803000-memory.dmp

memory/1028-61-0x00000000004F0000-0x00000000005D1000-memory.dmp

memory/1028-62-0x0000000000400000-0x00000000004E5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-15 10:32

Reported

2021-05-15 10:34

Platform

win10v20210408

Max time kernel

35s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe

"C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\KDBZehTde & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 3
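The cmd.exe chain above (remove the KDBZehTde staging directory, wait three seconds, then delete the sample's own image) is the self-cleanup pattern worth catching generically rather than by hash. The following Python is an added example for this report, not part of the sandbox output or of CryptBot: it parses constructed Sysmon-style process-creation records modelled on the process tree shown here (the field names Image, ParentImage and CommandLine are an assumption), splits the cmd.exe chain on unquoted `&`, and flags any cmd.exe whose chain deletes its parent's image, reporting the delay and any directories removed alongside it.

```python
"""Flag a cmd.exe chain that deletes its own parent's image (self-cleanup).

Added example; not code from the sandbox report or from the malware.
"""
import re

# Constructed Sysmon-style EventID 1 records modelled on the behavioral2
# process tree in the report. Field names are an assumption of this example.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"
STAGE_DIR = r"C:\Users\Admin\AppData\Local\Temp\KDBZehTde"
CLEANUP_CMD = (r'"C:\Windows\system32\cmd.exe" /c rd /s /q ' + STAGE_DIR
               + ' & timeout 3 & del /f /q "' + SAMPLE_EXE + '"')

EVENTS = [
    {"ProcessId": 908, "Image": SAMPLE_EXE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"' + SAMPLE_EXE + '"'},
    {"ProcessId": 1996, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": SAMPLE_EXE, "CommandLine": CLEANUP_CMD},
    {"ProcessId": 1340, "Image": r"C:\Windows\SysWOW64\timeout.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "timeout 3"},
    # Constructed benign control: a delay followed by a relaunch, no delete.
    {"ProcessId": 2000, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Updater\upd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c timeout 5 & "C:\Program Files\Updater\upd.exe" /resume'},
]

_CMD_PREFIX = re.compile(r'^(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+/[ck]\s+(.*)$', re.I)


def split_chain(cmdline):
    """Split a cmd.exe command line into its '&'-separated commands.

    '&' inside double quotes is not a separator; '&&' yields an empty part
    that is dropped. A leading 'cmd.exe /c' or '/k' is stripped.
    (The cmd '^' escape character is not handled here.)
    """
    parts, buf, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    cmds = [p.strip() for p in parts if p.strip()]
    if cmds:
        m = _CMD_PREFIX.match(cmds[0])
        if m:
            cmds[0] = m.group(1)
    return cmds


def _unquote(s):
    return s.strip().strip('"')


def parse_cmd(cmd):
    """Classify one command as ('timeout', secs), ('del', path), ('rd', path) or ('other', cmd)."""
    m = re.match(r'^timeout(?:\.exe)?\s+(?:/t\s+)?(\d+)', cmd, re.I)
    if m:
        return ("timeout", int(m.group(1)))
    m = re.match(r'^(?:del|erase)\s+((?:/\w\s+)*)(.+)$', cmd, re.I)
    if m:
        return ("del", _unquote(m.group(2)))
    m = re.match(r'^(?:rd|rmdir)\s+((?:/\w\s+)*)(.+)$', cmd, re.I)
    if m:
        return ("rd", _unquote(m.group(2)))
    return ("other", cmd)


def find_self_delete(events):
    """Return one finding per cmd.exe event whose chain deletes the parent image."""
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\cmd.exe"):
            continue
        parsed = [parse_cmd(c) for c in split_chain(ev["CommandLine"])]
        deleted = {path.lower() for kind, path in parsed if kind == "del"}
        if ev["ParentImage"].lower() not in deleted:
            continue  # a delay or a delete of some other file is not self-cleanup
        delay = next((v for kind, v in parsed if kind == "timeout"), None)
        findings.append({
            "ProcessId": ev["ProcessId"],
            "parent": ev["ParentImage"],
            "delay_seconds": delay,
            "removed_dirs": [p for kind, p in parsed if kind == "rd"],
        })
    return findings


if __name__ == "__main__":
    for f in find_self_delete(EVENTS):
        print(f"pid {f['ProcessId']}: deletes parent {f['parent']} after "
              f"{f['delay_seconds']}s; removes {f['removed_dirs']}")
```

The timeout.exe process on its own is weak signal (installers use the same delay); the match is the cmd.exe child deleting the exact path of its parent, which is why the check keys on ParentImage rather than on the presence of `timeout`. The removed-directory list is a bonus: here it names the staging directory whose contents appear under Files below.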

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | remmzp62.top | udp
N/A | 8.8.8.8:53 | mortlk06.top | udp

Files

memory/908-114-0x0000000002260000-0x0000000002341000-memory.dmp

memory/908-115-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/1996-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\KDBZehTde\files_\SYSTEM~1.TXT

MD5 6ec31edd99f354d5488c1040f2fe31bf
SHA1 785fcb53f2eecbde42c493e952eee78fff6403a7
SHA256 4f9c62a20bc01eb204167ca3783da248fc589a9772ac6825462da4f466ae197c
SHA512 fcae88df9a4222842c84e7291688b51f8bd47357e37176e4a42af8604baf2cb9d61601756d95ab2af0e35f71a5192810cdaa670017bbdad7b1c233b4250ec2e8

C:\Users\Admin\AppData\Local\Temp\KDBZehTde\files_\SCREEN~1.JPG

MD5 117b7d0a427c292f405e0a6faa136984
SHA1 cb6a272e4828e82fd43c6c2d399c1a0025e81455
SHA256 9300b488ca66e5f30000c56e896bfea404b16e85a0f28e83d30353011747dee2
SHA512 0821ce596004bf29bf871a5c7dcca1cb98b1879e8455d6d48b76ad40e5efcb8c6d32e2e9ff7b75437fa84acd24f58a5d15415de13b029a22a008aa5ea032a44f

C:\Users\Admin\AppData\Local\Temp\KDBZehTde\CKUQPZ~1.ZIP

MD5 a952c3a2abc4475556e8e34ade8d2dcf
SHA1 4f739dcbaf72a5a945150d8315988617c898a8dd
SHA256 5efd50d243b7b0fd92a32ab6fece5788a9bcba840455630669df1c228d827b41
SHA512 d2e59f9b1ad58367cdde9d3855a259111c44150768dc79fb98cc3950c25f694df17ad53e4dbb06b0c2407cd7631154efa828145f5364132fb2a600acdd4d6ddd

C:\Users\Admin\AppData\Local\Temp\KDBZehTde\BCDNNC~1.ZIP

MD5 7310e0044ae269547f88caa632f98925
SHA1 7a29adbbef81ede0ade8eaa908c3ee9c8c19f76a
SHA256 305d7e723593236d851aeb902112ec6ae48859b7d10b2589c86f823b57fc388f
SHA512 c5b3155db95bb17d770071d2f74d989464d05dea7526729bf8d0c721186b38bcf55c1058be95a7a8b43e610b34ec5e1e14f482160420d25f35449bdcd3eb1576

C:\Users\Admin\AppData\Local\Temp\KDBZehTde\_Files\_INFOR~1.TXT

MD5 1c5eddc8ddd50d9928c3b6c4cc8538aa
SHA1 2b763b8b109eddd0845c981383641eae8ab7aeb0
SHA256 058c649471bacaf689a89772b19830f64c3360da24b5690de6bf979592ecdce1
SHA512 1f57dcde95067590e9337ec620547739b37045be40ef8708277e044fc3525086651872c02ece5d152756a90e54a7056783cb5674324f16900744e5c64d3a9cf8

C:\Users\Admin\AppData\Local\Temp\KDBZehTde\_Files\_SCREE~1.JPE

MD5 117b7d0a427c292f405e0a6faa136984
SHA1 cb6a272e4828e82fd43c6c2d399c1a0025e81455
SHA256 9300b488ca66e5f30000c56e896bfea404b16e85a0f28e83d30353011747dee2
SHA512 0821ce596004bf29bf871a5c7dcca1cb98b1879e8455d6d48b76ad40e5efcb8c6d32e2e9ff7b75437fa84acd24f58a5d15415de13b029a22a008aa5ea032a44f

memory/1340-123-0x0000000000000000-mapping.dmp