Malware Analysis Report

2025-06-16 05:18

Sample ID 220208-xmbefadce9
Target 16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001
SHA256 16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001
Tags
cryptbot discovery spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001

Threat Level: Known bad

The file 16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot Payload

CryptBot

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-08 18:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-08 18:57

Reported

2022-02-08 23:01

Platform

win7-en-20211208

Max time kernel

162s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe

"C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | leribis04.top | udp

Files

memory/800-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

memory/800-55-0x0000000000C20000-0x0000000000C87000-memory.dmp

memory/800-56-0x0000000000C90000-0x0000000000D30000-memory.dmp

memory/800-57-0x0000000000400000-0x00000000004A4000-memory.dmp

memory/800-58-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

memory/800-59-0x0000000074431000-0x0000000074433000-memory.dmp

memory/800-60-0x0000000074181000-0x0000000074183000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-08 18:57

Reported

2022-02-08 23:03

Platform

win10v2004-en-20220113

Max time kernel

184s

Max time network

192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A
File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe

"C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | crl3.digicert.com | udp
US | 93.184.220.29:80 | crl3.digicert.com | tcp
US | 20.189.173.6:443 | | tcp
US | 93.184.220.29:80 | crl3.digicert.com | tcp
US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp
US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp
US | 93.184.220.29:80 | crl3.digicert.com | tcp
US | 93.184.220.29:80 | crl3.digicert.com | tcp
US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp
US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp
US | 8.8.8.8:53 | leribis04.top | udp
US | 8.8.8.8:53 | leribis04.top | udp
US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp
US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp
US | 8.8.8.8:53 | leribis04.top | udp
US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp
US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp

Files

memory/1760-130-0x0000000002950000-0x00000000029B7000-memory.dmp

memory/1760-131-0x0000000000D80000-0x0000000000E20000-memory.dmp

memory/1760-132-0x0000000000400000-0x00000000004A4000-memory.dmp

memory/700-133-0x000001EA00760000-0x000001EA00770000-memory.dmp

memory/700-134-0x000001EA00D20000-0x000001EA00D30000-memory.dmp

memory/700-135-0x000001EA033D0000-0x000001EA033D4000-memory.dmp