Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    19/01/2022, 21:55

General

  • Target

    979d1d97ef97c7ae5737a88e87757ec4.exe

  • Size

    750KB

  • MD5

    979d1d97ef97c7ae5737a88e87757ec4

  • SHA1

    90d243cb67821975da1b13582476779eff5be9a5

  • SHA256

    d6255b4b18e6f07c4708cf6344163dfe3197cf403957bf3085a6a737bb37b038

  • SHA512

    05c60e3714d906ea985a923ebda9e2efca17dfe29bfe9169f8e14f7053dd2871d9fa6bafb1d56919c07041be8841cfba82811ac1868398e2587ca25433727b4f

Malware Config

Extracted

Family

cryptbot

C2

smarew72.top

moriwi07.top

Attributes
  • payload_url

    http://guruzo10.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer, widely distributed bundled with other software.

  • CryptBot Payload (2 IoCs)

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read from the registry to detect sandbox environments.
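The signature above fires on registry reads of processor information. The following is an added example, not part of the sandbox report: it scans a constructed Win32 API trace (tab-separated `pid`, `api`, `key`, optional `value`, modelled on a sandbox API log for PID 1320) and flags processes that open the CentralProcessor key and then query identifying values. The key path `HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0`, the value names, and the ATT&CK mapping in the comments are the editor's assumptions; the report lists "2 TTPs" without naming them.

```python
"""Flag registry reads of processor information in an API trace.

Added example; not from the sandbox report. The trace below is constructed.
Assumed ATT&CK mapping for this behaviour: T1012 (Query Registry) and
T1082 (System Information Discovery); reading CPU details is a common
building block of virtualization/sandbox evasion checks.
"""
import re
from collections import defaultdict

# Assumption: the signature keys on the per-processor hardware description key.
CPU_KEY_RE = re.compile(
    r"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+", re.IGNORECASE)

# Values whose contents reveal a hypervisor vendor or an unusually small machine.
CPU_VALUES = {"ProcessorNameString", "VendorIdentifier", "Identifier", "~MHz"}

# Constructed trace lines: "<pid>\t<api>\t<key>[\t<value>]"
SAMPLE_TRACE = """\
1320\tRegOpenKeyExW\tHKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0
1320\tRegQueryValueExW\tHKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\tProcessorNameString
1320\tRegQueryValueExW\tHKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\tVendorIdentifier
1320\tRegOpenKeyExW\tHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
4012\tRegQueryValueExW\tHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\tProductName
"""


def find_cpu_registry_reads(trace):
    """Return {pid: [(key, value_name), ...]} for every processor-info read.

    An open of the CPU key is recorded with an empty value name; a query is
    recorded only when it targets one of the identifying values above.
    """
    hits = defaultdict(list)
    for line in trace.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:
            continue  # malformed or truncated trace line
        pid, api, key = int(parts[0]), parts[1], parts[2]
        value = parts[3] if len(parts) > 3 else ""
        if not api.startswith(("RegOpenKey", "RegQueryValue")):
            continue
        if not CPU_KEY_RE.search(key):
            continue
        if api.startswith("RegOpenKey") or value in CPU_VALUES:
            hits[pid].append((key, value))
    return dict(hits)


def looks_like_sandbox_probe(reads):
    """Heuristic: the key was opened and at least one identifying value queried."""
    opened = any(value == "" for _, value in reads)
    queried = {value for _, value in reads if value}
    return opened and bool(queried & CPU_VALUES)


if __name__ == "__main__":
    for pid, reads in find_cpu_registry_reads(SAMPLE_TRACE).items():
        verdict = "sandbox probe" if looks_like_sandbox_probe(reads) else "cpu key access"
        print(f"PID {pid}: {verdict}")
        for key, value in reads:
            print(f"  {key}\\{value}" if value else f"  {key}")
```

Run against a real trace, the two-stage rule (open, then query an identifying value) keeps ordinary inventory tools that touch `CentralProcessor` for other values from being lumped in with the sample; the open alone is low-signal.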

Processes

  • C:\Users\Admin\AppData\Local\Temp\979d1d97ef97c7ae5737a88e87757ec4.exe
    "C:\Users\Admin\AppData\Local\Temp\979d1d97ef97c7ae5737a88e87757ec4.exe"
    • Checks processor information in registry
    PID: 1320

Network

        MITRE ATT&CK Enterprise v6

Downloads

  • memory/1320-55-0x00000000005F0000-0x0000000000689000-memory.dmp

    Filesize

    612KB

  • memory/1320-56-0x0000000074B21000-0x0000000074B23000-memory.dmp

    Filesize

    8KB

  • memory/1320-57-0x00000000004F0000-0x00000000005D1000-memory.dmp

    Filesize

    900KB

  • memory/1320-58-0x0000000000400000-0x00000000004E5000-memory.dmp

    Filesize

    916KB
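The dump names above encode the virtual address range that was dumped, so each listed Filesize can be cross-checked against `end - start` before pulling the artifacts. The following is an added example, not part of the sandbox report: it parses the four names, verifies the sizes and page alignment, and labels each region. The classification rules (0x400000 as the default 32-bit PE image base, addresses at or above 0x70000000 as system DLL mappings, anything else as a private region worth inspecting for an unpacked payload) are the editor's assumptions, not findings stated in the report.

```python
"""Cross-check the memory dump artifacts listed in the sandbox report.

Added example; not from the report. Dump names follow
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, so the reported size
must equal end - start. Region labels are heuristics (assumptions).
"""
import re

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")

# Names and sizes copied from the report above.
REPORTED = [
    ("memory/1320-55-0x00000000005F0000-0x0000000000689000-memory.dmp", "612KB"),
    ("memory/1320-56-0x0000000074B21000-0x0000000074B23000-memory.dmp", "8KB"),
    ("memory/1320-57-0x00000000004F0000-0x00000000005D1000-memory.dmp", "900KB"),
    ("memory/1320-58-0x0000000000400000-0x00000000004E5000-memory.dmp", "916KB"),
]

PAGE = 0x1000
DEFAULT_IMAGE_BASE = 0x400000   # assumption: default base of a 32-bit PE
SYSTEM_DLL_FLOOR = 0x70000000   # assumption: typical range of loaded system DLLs


def parse_dump(name):
    """Split a dump name into pid, sequence number and address range."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def classify(region):
    """Label a region by its start address (heuristic, see module docstring)."""
    if region["start"] == DEFAULT_IMAGE_BASE:
        return "main image (PE mapped at default base)"
    if region["start"] >= SYSTEM_DLL_FLOOR:
        return "system DLL range (likely a loaded module)"
    return "private region (candidate unpacked/injected payload)"


def size_kb(nbytes):
    """Format the way the report does: whole kilobytes, no rounding up."""
    return f"{nbytes // 1024}KB"


def check_report(entries, expected_pid=1320):
    """Return one row per dump with size, alignment and PID checks applied."""
    rows = []
    for name, reported in entries:
        r = parse_dump(name)
        r["reported"] = reported
        r["size_ok"] = size_kb(r["size"]) == reported
        r["aligned"] = r["start"] % PAGE == 0 and r["end"] % PAGE == 0
        r["pid_ok"] = r["pid"] == expected_pid
        r["kind"] = classify(r)
        rows.append(r)
    return rows


if __name__ == "__main__":
    for r in check_report(REPORTED):
        flags = "ok" if r["size_ok"] and r["aligned"] and r["pid_ok"] else "MISMATCH"
        print(f"{r['start']:#010x}-{r['end']:#010x} {size_kb(r['size']):>6} "
              f"({r['reported']}) {flags:8} {r['kind']}")
```

All four sizes reconcile (0x99000, 0x2000, 0xE1000 and 0xE5000 bytes), every boundary is page-aligned, and the PIDs agree with the process entry above. Two regions are neither the mapped image nor a system module: 0x4F0000 (900KB) and 0x5F0000 (612KB). The 900KB one is close to the size of the mapped image, which is the usual shape of a self-unpacked copy, but that is an inference from the sizes; confirming it means opening the dump and looking for a PE header.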