cryptbot | f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420

Analysis

max time kernel
120s
max time network
143s
platform
windows10_x64
resource
win10-en-20211208
submitted
23-12-2021 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe
Size

2.7MB
MD5

e55422d97015ca9945114cebaeba4cbf
SHA1

671d3c900b4aa7b4568e8a4c61a49075fc74484b
SHA256

f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420
SHA512

9453ae884da5d039fa0ca4fc33216b1ca02d2b40831edf534d7fde16a01c045f1c49ae7935ab317cd6f515e21a9a22ee14cbf3a068627b03e334cdc115603f6f

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

cryptbot

dainfe42.top

morvtu04.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/752-115-0x00000000000A0000-0x0000000000793000-memory.dmp	themida
behavioral1/memory/752-116-0x00000000000A0000-0x0000000000793000-memory.dmp	themida
behavioral1/memory/752-118-0x00000000000A0000-0x0000000000793000-memory.dmp	themida
behavioral1/memory/752-117-0x00000000000A0000-0x0000000000793000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe

pid process

752 f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1184 timeout.exe

pid	process
1184	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe

pid	process
752	f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe
752	f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.execmd.exe

description	pid	process	target process
PID 752 wrote to memory of 956	752	f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe	cmd.exe
PID 752 wrote to memory of 956	752	f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe	cmd.exe
PID 752 wrote to memory of 956	752	f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe	cmd.exe
PID 956 wrote to memory of 1184	956	cmd.exe	timeout.exe
PID 956 wrote to memory of 1184	956	cmd.exe	timeout.exe
PID 956 wrote to memory of 1184	956	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe
"C:\Users\Admin\AppData\Local\Temp\f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\QMVVUA~1.ZIP
MD5
1afde88099eb54c24cf24e123629a821

SHA1
c7c7a2e4577fe7a7afc34588c99d39d7150ffc99

SHA256
0fedc2143ab1391b8a6c3d16c64699563913567a67a9841f2e663f06fed21e1e

SHA512
a7f4792c4b573091226bafda91fa077ec3edf9c269902cc8486bdd5ce1595774cfb9fd49d581a12b3a9d806d0764ca7d1c72594292f4facd9d3dfe05e2cd8b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\SPPTOS~1.ZIP
MD5
c91f5ed9ed075c653d1bd6b90e647a4f

SHA1
9505c7538bcfc4598c73251e1f0e584cedf89a21

SHA256
d2fac8502b11298240cb18a6ffd899af719ebb9b5a392f3425ff7ec3698660f4

SHA512
ac50d3abf86a8e45b0157263787322c24b1427cf5b06a6fe4dab5f8663ba6e001d9048c638d74ca82465ab885887516ec4193009c9b41256f10ea686b0c2b465

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\_Files\_Chrome\DEFAUL~1.BIN
MD5
09500b419541e759ce53d87e324fe8fc

SHA1
4b882732508d2fc28536f8281c3b58777720c7da

SHA256
f80e7db7d3a06c87f03f5d0a9c7ab592ef05bc4fa5a8ab65c318c8455bd94476

SHA512
45e04f6283559638be00bffaf1a52a52a6998f835d5d40f756806a2323623074cb7ee9f802f4eba7d7523ccf3170f8986f89349ffbc1f2514ce25fdae0114fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\_Files\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\_Files\_Chrome\DEFAUL~2.DB
MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\_Files\_Chrome\DEFAUL~3.DB
MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\_Files\_INFOR~1.TXT
MD5
52108477a0afc90a07b1579157943dea

SHA1
e9a1971ef121f37667064004daed23b5b413d225

SHA256
ad43c5edb230f8747985fa02397bd7007b43caa66da1a95e17cd52230c1ba247

SHA512
5ef5f8621c1c6ce6ef6897a031b3d4c41c549ed22ab0f5856c81717b94257748bb6354fd469adaddaac67e481cb86b5297de0a90597cfb9c367af44e4ed45a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\_Files\_SCREE~1.JPE
MD5
5204c15d08649dc778ffef238c39bc2c

SHA1
f059bc76dab5631845be823103379758b1025bcc

SHA256
74989b21780d0285d08008211c313896bad11c9ee5d903c1a8b5cdbe33d6907a

SHA512
be20c544c7e1e6bc2e551f7760f08516a8b5f779c32f44e25715eb539b96ce4beaa3e2876f25592e67615b89270b6b9b511fea53d24700530393d58dc46d56cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\files_\SCREEN~1.JPG
MD5
5204c15d08649dc778ffef238c39bc2c

SHA1
f059bc76dab5631845be823103379758b1025bcc

SHA256
74989b21780d0285d08008211c313896bad11c9ee5d903c1a8b5cdbe33d6907a

SHA512
be20c544c7e1e6bc2e551f7760f08516a8b5f779c32f44e25715eb539b96ce4beaa3e2876f25592e67615b89270b6b9b511fea53d24700530393d58dc46d56cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\files_\SYSTEM~1.TXT
MD5
52108477a0afc90a07b1579157943dea

SHA1
e9a1971ef121f37667064004daed23b5b413d225

SHA256
ad43c5edb230f8747985fa02397bd7007b43caa66da1a95e17cd52230c1ba247

SHA512
5ef5f8621c1c6ce6ef6897a031b3d4c41c549ed22ab0f5856c81717b94257748bb6354fd469adaddaac67e481cb86b5297de0a90597cfb9c367af44e4ed45a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\files_\_Chrome\DEFAUL~1.BIN
MD5
09500b419541e759ce53d87e324fe8fc

SHA1
4b882732508d2fc28536f8281c3b58777720c7da

SHA256
f80e7db7d3a06c87f03f5d0a9c7ab592ef05bc4fa5a8ab65c318c8455bd94476

SHA512
45e04f6283559638be00bffaf1a52a52a6998f835d5d40f756806a2323623074cb7ee9f802f4eba7d7523ccf3170f8986f89349ffbc1f2514ce25fdae0114fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\files_\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\files_\_Chrome\DEFAUL~2.DB
MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\files_\_Chrome\DEFAUL~3.DB
MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
memory/752-115-0x00000000000A0000-0x0000000000793000-memory.dmp

Filesize
6.9MB

Download
memory/752-119-0x0000000077CF0000-0x0000000077E7E000-memory.dmp

Filesize
1.6MB

Download
memory/752-117-0x00000000000A0000-0x0000000000793000-memory.dmp

Filesize
6.9MB

Download
memory/752-118-0x00000000000A0000-0x0000000000793000-memory.dmp

Filesize
6.9MB

Download
memory/752-116-0x00000000000A0000-0x0000000000793000-memory.dmp

Filesize
6.9MB

Download
memory/956-120-0x0000000000000000-mapping.dmp

Download
memory/1184-135-0x0000000000000000-mapping.dmp

Download