Malware Analysis Report

2025-04-13 11:33

Sample ID 220616-cwc96saga5
Target 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165
SHA256 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165
Tags
cryptbot discovery evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165

Threat Level: Known bad

The file 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery evasion spyware stealer

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Blocklisted process makes network request

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Identifies Wine through registry keys

Checks BIOS information in registry

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Enumerates physical storage devices

Enumerates system info in registry

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-16 02:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-16 02:25

Reported

2022-06-16 02:41

Platform

win7-20220414-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\Newu\City.exe | N/A |

Blocklisted process makes network request

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\Newu\City.exe | N/A |

Checks BIOS information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Newu\City.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Newu\City.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | N/A |

Identifies Wine through registry keys

evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine | C:\ProgramData\Newu\City.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | N/A |
| N/A | N/A | C:\ProgramData\Newu\City.exe | N/A |

Enumerates physical storage devices

Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Newu\City.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\ProgramData\Newu\City.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | N/A |
| N/A | N/A | C:\ProgramData\Newu\City.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe

"C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe"

C:\ProgramData\Newu\City.exe

C:\ProgramData\Newu\City.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\ipras.vbs"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | lqo02.pro | udp |
| US | 8.8.8.8:53 | kora05.info | udp |

Files

memory/1624-54-0x0000000075C71000-0x0000000075C73000-memory.dmp

memory/1624-55-0x0000000000400000-0x0000000000B3B000-memory.dmp

memory/1624-56-0x0000000077010000-0x0000000077190000-memory.dmp

\ProgramData\Newu\City.exe

MD5 4e74e3957beb1fbf8f790de6d262a12f
SHA1 1e74a37e218b25e8218af0d68e5d2533d44255dc
SHA256 89120c2b00c6f9299ec1afdd6255a78e475c8205a1c05ffa6e133c7f22cfc8db
SHA512 c437614c198648c7956301f643bfaccb57fea66e87a2b0798f17cce92476497fb3f1cd3eee16162e92e2c5a8bfd97de2458d5a5ee4c6aac6f188c81e20296e96

memory/832-58-0x0000000000000000-mapping.dmp

C:\ProgramData\Newu\City.exe

MD5 4e74e3957beb1fbf8f790de6d262a12f
SHA1 1e74a37e218b25e8218af0d68e5d2533d44255dc
SHA256 89120c2b00c6f9299ec1afdd6255a78e475c8205a1c05ffa6e133c7f22cfc8db
SHA512 c437614c198648c7956301f643bfaccb57fea66e87a2b0798f17cce92476497fb3f1cd3eee16162e92e2c5a8bfd97de2458d5a5ee4c6aac6f188c81e20296e96

memory/1624-60-0x000000000A7A0000-0x000000000ACF7000-memory.dmp

memory/832-61-0x0000000000860000-0x0000000000DB7000-memory.dmp

memory/832-63-0x0000000074081000-0x0000000074083000-memory.dmp

memory/832-64-0x0000000077010000-0x0000000077190000-memory.dmp

memory/832-65-0x0000000000860000-0x0000000000DB7000-memory.dmp

memory/832-66-0x0000000073D81000-0x0000000073D83000-memory.dmp

memory/1956-69-0x0000000000000000-mapping.dmp

C:\ProgramData\ipras.vbs

MD5 b802ff9244875f69db2fae0f78e92b10
SHA1 49385a89cd575894a29fbda969b99cc1f5cf8076
SHA256 a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
SHA512 609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e

memory/832-72-0x0000000073AC1000-0x0000000073AC3000-memory.dmp

memory/832-73-0x0000000073901000-0x0000000073903000-memory.dmp

memory/1624-74-0x0000000000400000-0x0000000000B3B000-memory.dmp

memory/832-80-0x0000000073951000-0x0000000073953000-memory.dmp

memory/1624-81-0x000000000A7A0000-0x000000000ACF7000-memory.dmp

memory/832-82-0x0000000000860000-0x0000000000DB7000-memory.dmp

memory/832-83-0x0000000077010000-0x0000000077190000-memory.dmp

memory/832-84-0x0000000000860000-0x0000000000DB7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-16 02:25

Reported

2022-06-16 02:42

Platform

win10v2004-20220414-en

Max time kernel

157s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\Newu\City.exe | N/A |

Blocklisted process makes network request

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\Newu\City.exe | N/A |

Checks BIOS information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Newu\City.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Newu\City.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | N/A |

Identifies Wine through registry keys

evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Wine | C:\ProgramData\Newu\City.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B541C762-BD3F-4B53-8812-2E662F94E065}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{80D290BA-1542-452F-9561-246829826708}.catalogItem | C:\Windows\System32\svchost.exe | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | N/A |
| N/A | N/A | C:\ProgramData\Newu\City.exe | N/A |

Enumerates physical storage devices

Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\ProgramData\Newu\City.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Newu\City.exe | N/A |

Enumerates system info in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\svchost.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe

"C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe"

C:\ProgramData\Newu\City.exe

C:\ProgramData\Newu\City.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\ipras.vbs"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | lqo02.pro | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |
| US | 8.8.8.8:53 | kora05.info | udp |

Files

memory/4652-130-0x0000000000400000-0x0000000000B3B000-memory.dmp

memory/4652-131-0x0000000077570000-0x0000000077713000-memory.dmp

memory/4652-132-0x0000000000400000-0x0000000000B3B000-memory.dmp

memory/4652-133-0x0000000000400000-0x0000000000B3B000-memory.dmp

memory/4652-134-0x0000000077570000-0x0000000077713000-memory.dmp

memory/4652-135-0x0000000000400000-0x0000000000B3B000-memory.dmp

memory/4844-136-0x0000000000000000-mapping.dmp

C:\ProgramData\Newu\City.exe

MD5 4e74e3957beb1fbf8f790de6d262a12f
SHA1 1e74a37e218b25e8218af0d68e5d2533d44255dc
SHA256 89120c2b00c6f9299ec1afdd6255a78e475c8205a1c05ffa6e133c7f22cfc8db
SHA512 c437614c198648c7956301f643bfaccb57fea66e87a2b0798f17cce92476497fb3f1cd3eee16162e92e2c5a8bfd97de2458d5a5ee4c6aac6f188c81e20296e96

C:\ProgramData\Newu\City.exe

MD5 4e74e3957beb1fbf8f790de6d262a12f
SHA1 1e74a37e218b25e8218af0d68e5d2533d44255dc
SHA256 89120c2b00c6f9299ec1afdd6255a78e475c8205a1c05ffa6e133c7f22cfc8db
SHA512 c437614c198648c7956301f643bfaccb57fea66e87a2b0798f17cce92476497fb3f1cd3eee16162e92e2c5a8bfd97de2458d5a5ee4c6aac6f188c81e20296e96

memory/4844-139-0x00000000000B0000-0x0000000000607000-memory.dmp

memory/4844-140-0x0000000077570000-0x0000000077713000-memory.dmp

memory/4844-141-0x00000000000B0000-0x0000000000607000-memory.dmp

memory/2396-142-0x0000000000000000-mapping.dmp

C:\ProgramData\ipras.vbs

MD5 b802ff9244875f69db2fae0f78e92b10
SHA1 49385a89cd575894a29fbda969b99cc1f5cf8076
SHA256 a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
SHA512 609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e

memory/4844-144-0x00000000000B0000-0x0000000000607000-memory.dmp

memory/4844-145-0x0000000077570000-0x0000000077713000-memory.dmp

memory/4844-146-0x00000000000B0000-0x0000000000607000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 ec8ff3b1ded0246437b1472c69dd1811
SHA1 d813e874c2524e3a7da6c466c67854ad16800326
SHA256 e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512 e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 fcd5acbfc30059d2a4ce55c6b35da4b6
SHA1 7c0d1463bd692e2432d426601027c03e7ca14241
SHA256 769cc14dc667140513d0c18e1e2e019fbce0ad4356276305a224c39aae63f8e0
SHA512 f6248ea6ccc4c1d01c05a4d51b4ab31ea474bb7c9d7d747cb7eff31acb2aa5eaec28ba7c96aca70a20fe4a454efbada43dd85b488092e75fad1ba109509768df