Malware Analysis Report

2025-06-16 05:18

Sample ID 220117-ed2k6aghdr
Target f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801
SHA256 f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801
Tags
themida cryptbot discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801

Threat Level: Known bad

The file f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801 was found to be: Known bad.

Malicious Activity Summary

themida cryptbot discovery evasion spyware stealer trojan

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-17 03:50

Signatures

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-17 03:50

Reported

2022-01-17 03:53

Platform

win10-en-20211208

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe

"C:\Users\Admin\AppData\Local\Temp\f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe"

Network

Country | Destination | Domain | Proto
US | 52.109.8.19:443 | | tcp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | time.windows.com | udp
NL | 40.119.148.38:123 | time.windows.com | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp
US | 8.8.8.8:53 | zyoyol62.top | udp

Files

memory/3600-115-0x0000000000B30000-0x0000000001218000-memory.dmp

memory/3600-116-0x0000000000B30000-0x0000000001218000-memory.dmp

memory/3600-117-0x0000000000B30000-0x0000000001218000-memory.dmp

memory/3600-118-0x0000000000B30000-0x0000000001218000-memory.dmp

memory/3600-119-0x00000000778D0000-0x0000000077A5E000-memory.dmp