Malware Analysis Report

2025-04-13 11:32

Sample ID: 220622-n3ay6sdfdj
Target: 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee
SHA256: 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee
Tags: discovery evasion spyware stealer cryptbot
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee

Threat Level: Known bad

The file 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee was found to be: Known bad.

Malicious Activity Summary

discovery evasion spyware stealer cryptbot

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Identifies Wine through registry keys

Checks BIOS information in registry

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported: 2022-06-22 11:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-22 11:54
Reported: 2022-06-22 12:22
Platform: win7-20220414-en
Max time kernel: 150s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A |

Blocklisted process makes network request

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\CScript.exe | N/A | 4 |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A |

Checks BIOS information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |

Identifies Wine through registry keys

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Ivp\bin\Two.vbs | C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | N/A |
| File created | C:\Program Files (x86)\Ivp\bin\setup.exe | C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | N/A |
| File created | C:\Program Files (x86)\Ivp\bin\looo.exe | C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | N/A |

Enumerates physical storage devices

Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| PID 1964 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | C:\Program Files (x86)\Ivp\bin\setup.exe | 7 |
| PID 1964 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | C:\Windows\SysWOW64\CScript.exe | 7 |
| PID 1964 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | C:\Program Files (x86)\Ivp\bin\looo.exe | 7 |

Processes

C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe

"C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe"

C:\Program Files (x86)\Ivp\bin\setup.exe

"C:\Program Files (x86)\Ivp\bin\setup.exe"

C:\Windows\SysWOW64\CScript.exe

"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Ivp\bin\Two.vbs" //e:vbscript //B //NOLOGO

C:\Program Files (x86)\Ivp\bin\looo.exe

"C:\Program Files (x86)\Ivp\bin\looo.exe"

Network

| Country | Destination | Domain | Proto | Count |
|---|---|---|---|---|
| US | 8.8.8.8:53 | iplogger.org | udp | 1 |
| DE | 148.251.234.83:443 | iplogger.org | tcp | 4 |
| US | 8.8.8.8:53 | ip-api.com | udp | 1 |
| US | 208.95.112.1:80 | ip-api.com | tcp | 1 |
| US | 8.8.8.8:53 | verf01.top | udp | 1 |
| US | 8.8.8.8:53 | jload05.xyz | udp | 1 |

Files

\Users\Admin\AppData\Local\Temp\nst765A.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

\Program Files (x86)\Ivp\bin\setup.exe

MD5 fe84f8c12d844ea18a189161d89c29f5
SHA1 d501ff3dff98263bb967e0903467a65ae96dd3ee
SHA256 4daef9b00dddadca0e2a1163293071171b5866796bb01461efd8dbd4331d105a
SHA512 3dffbba11c2f71ccd30019abce3cbf8568bb761921ddbc50fb080571ba3abbb32611a7ea7f851239e014537797f575331943dd11a68146551bc006de5f7973a0

\Users\Admin\AppData\Local\Temp\nst765A.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

C:\Program Files (x86)\Ivp\bin\Two.vbs

MD5 c6362e3c5585f24a9e9a2712c00c52ff
SHA1 9259b9609313386f004328d2c306820eae01a587
SHA256 184ca5b2737175e0828f3546d483778c95e23720f1375deac0090c2fe415e208
SHA512 59ac94fdb6f41d6dc5cbea1855897759f35032ac922b936a0b39a21b6aafb0c862c5d419afa31c0b81f106f2ce06b2909cdb5fb713534fbe36202c5a4fedfeaa

\Program Files (x86)\Ivp\bin\looo.exe

MD5 e1e49175b2c2cab149e99146aba86db8
SHA1 69baac79a2bd1883284ef7126a0d0fb95a838505
SHA256 7a0c0d41d3e0d0b925ad10d3e094c8d2f695d91cf2d70e6a2404adfcb0adf000
SHA512 8cb304d5a81182b8bbe94fcb477996398c4a53818e17b2fac56fb2076cf5873f2faa4f2f4ad22bc90109891edf0b430937055432ede503a2f137ace0dbed306e

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-22 11:54
Reported: 2022-06-22 12:21
Platform: win10v2004-20220414-en
Max time kernel: 185s
Max time network: 188s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A |

Blocklisted process makes network request

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\CScript.exe | N/A | 2 |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A |

Checks BIOS information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |

Identifies Wine through registry keys

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Ivp\bin\setup.exe | C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | N/A |
| File created | C:\Program Files (x86)\Ivp\bin\looo.exe | C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | N/A |
| File created | C:\Program Files (x86)\Ivp\bin\Two.vbs | C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | N/A |

Enumerates physical storage devices

Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A | 2 |
| N/A | N/A | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A | 2 |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| PID 2964 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | C:\Program Files (x86)\Ivp\bin\setup.exe | 3 |
| PID 2964 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | C:\Windows\SysWOW64\CScript.exe | 3 |
| PID 2964 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | C:\Program Files (x86)\Ivp\bin\looo.exe | 3 |

Processes

C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe

"C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe"

C:\Program Files (x86)\Ivp\bin\setup.exe

"C:\Program Files (x86)\Ivp\bin\setup.exe"

C:\Windows\SysWOW64\CScript.exe

"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Ivp\bin\Two.vbs" //e:vbscript //B //NOLOGO

C:\Program Files (x86)\Ivp\bin\looo.exe

"C:\Program Files (x86)\Ivp\bin\looo.exe"

Network

| Country | Destination | Domain | Proto | Count |
|---|---|---|---|---|
| US | 52.109.8.20:443 | | tcp | 1 |
| US | 13.89.178.27:443 | | tcp | 1 |
| US | 8.8.8.8:53 | iplogger.org | udp | 1 |
| DE | 148.251.234.83:443 | iplogger.org | tcp | 1 |
| US | 8.8.8.8:53 | ip-api.com | udp | 1 |
| US | 208.95.112.1:80 | ip-api.com | tcp | 1 |
| NL | 88.221.144.179:80 | | tcp | 1 |
| US | 8.8.8.8:53 | verf01.top | udp | 13 |
| US | 209.197.3.8:80 | | tcp | 1 |
| US | 8.8.8.8:53 | jload05.xyz | udp | 1 |
| FR | 2.22.147.67:80 | | tcp | 1 |

Files

C:\Users\Admin\AppData\Local\Temp\nsz1176.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Program Files (x86)\Ivp\bin\setup.exe

MD5 fe84f8c12d844ea18a189161d89c29f5
SHA1 d501ff3dff98263bb967e0903467a65ae96dd3ee
SHA256 4daef9b00dddadca0e2a1163293071171b5866796bb01461efd8dbd4331d105a
SHA512 3dffbba11c2f71ccd30019abce3cbf8568bb761921ddbc50fb080571ba3abbb32611a7ea7f851239e014537797f575331943dd11a68146551bc006de5f7973a0

C:\Users\Admin\AppData\Local\Temp\nsz1176.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

C:\Program Files (x86)\Ivp\bin\Two.vbs

MD5 c6362e3c5585f24a9e9a2712c00c52ff
SHA1 9259b9609313386f004328d2c306820eae01a587
SHA256 184ca5b2737175e0828f3546d483778c95e23720f1375deac0090c2fe415e208
SHA512 59ac94fdb6f41d6dc5cbea1855897759f35032ac922b936a0b39a21b6aafb0c862c5d419afa31c0b81f106f2ce06b2909cdb5fb713534fbe36202c5a4fedfeaa

C:\Program Files (x86)\Ivp\bin\looo.exe

MD5 e1e49175b2c2cab149e99146aba86db8
SHA1 69baac79a2bd1883284ef7126a0d0fb95a838505
SHA256 7a0c0d41d3e0d0b925ad10d3e094c8d2f695d91cf2d70e6a2404adfcb0adf000
SHA512 8cb304d5a81182b8bbe94fcb477996398c4a53818e17b2fac56fb2076cf5873f2faa4f2f4ad22bc90109891edf0b430937055432ede503a2f137ace0dbed306e
