Malware Analysis Report

2025-04-13 11:33

Sample ID 220624-2se22agbcp
Target 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c
SHA256 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c
Tags
cryptbot discovery evasion spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c

Threat Level: Known bad

The file 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery evasion spyware stealer

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Executes dropped EXE

Reads user/profile data of web browsers

Checks BIOS information in registry

Loads dropped DLL

Identifies Wine through registry keys

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-24 22:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-24 22:50

Reported

2022-06-24 22:55

Platform

win7-20220414-en

Max time kernel

149s

Max time network

178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\Doper\Download.exe N/A

Blocklisted process makes network request

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\CScript.exe N/A 4

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Doper\Download.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Doper\Download.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\Doper\Download.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine C:\Program Files (x86)\Doper\Download.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Doper\Download.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Doper\Download.exe C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe N/A
File created C:\Program Files (x86)\Doper\ipras.vbs C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe N/A
File created C:\Program Files (x86)\Doper\DowloadX.exe C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Doper\Download.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Doper\Download.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Doper\Download.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1016 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe C:\Windows\SysWOW64\CScript.exe 7
PID 1016 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe C:\Program Files (x86)\Doper\Download.exe 7

Processes

C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe

"C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe"

C:\Windows\SysWOW64\CScript.exe

"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Doper\ipras.vbs" //e:vbscript //B //NOLOGO

C:\Program Files (x86)\Doper\Download.exe

"C:\Program Files (x86)\Doper\Download.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 iplogger.org udp 1
DE 148.251.234.83:443 iplogger.org tcp 4
US 8.8.8.8:53 ip-api.com udp 1
US 208.95.112.1:80 ip-api.com tcp 1
US 8.8.8.8:53 cede01.info udp 1

Files

memory/1016-54-0x0000000075F61000-0x0000000075F63000-memory.dmp

\Users\Admin\AppData\Local\Temp\nst6808.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

\Users\Admin\AppData\Local\Temp\nst6808.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

memory/2020-57-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Doper\ipras.vbs

MD5 b802ff9244875f69db2fae0f78e92b10
SHA1 49385a89cd575894a29fbda969b99cc1f5cf8076
SHA256 a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
SHA512 609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e

\Program Files (x86)\Doper\Download.exe

MD5 b8312084a400862a2c19797691c6f0a6
SHA1 d675f4ed00508ff0208f75fd6851d14348c9bed4
SHA256 9f23b60e0b3c3360a2b67cc40d977577a74d1b16306522aa306b0feb29dad07b
SHA512 beae195ed8dd2572e7299cdbe137d80f152cefa89c8bca25bafcf9527b34157833972cc3142d803e8cef33d5fe72217278253f423cc203585097a7ec1a0496ce

memory/436-61-0x0000000000000000-mapping.dmp

memory/1016-67-0x00000000027B0000-0x0000000002CDC000-memory.dmp

memory/436-68-0x0000000000870000-0x0000000000D9C000-memory.dmp

memory/436-69-0x0000000001190000-0x00000000016BC000-memory.dmp

memory/436-70-0x0000000001190000-0x00000000016BC000-memory.dmp

memory/436-71-0x0000000074511000-0x0000000074513000-memory.dmp

memory/436-72-0x00000000778B0000-0x0000000077A30000-memory.dmp

memory/436-73-0x0000000000870000-0x0000000000D9C000-memory.dmp

memory/436-74-0x0000000074311000-0x0000000074313000-memory.dmp

memory/436-83-0x0000000000870000-0x0000000000D9C000-memory.dmp

memory/436-84-0x0000000000870000-0x0000000000D9C000-memory.dmp

memory/436-85-0x0000000074191000-0x0000000074193000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-24 22:50

Reported

2022-06-24 22:55

Platform

win10v2004-20220414-en

Max time kernel

159s

Max time network

176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\Doper\Download.exe N/A

Blocklisted process makes network request

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\CScript.exe N/A 2

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Doper\Download.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Doper\Download.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\Doper\Download.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine C:\Program Files (x86)\Doper\Download.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Doper\Download.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Doper\DowloadX.exe C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe N/A
File created C:\Program Files (x86)\Doper\Download.exe C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe N/A
File created C:\Program Files (x86)\Doper\ipras.vbs C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Doper\Download.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Doper\Download.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Program Files (x86)\Doper\Download.exe N/A 2

Processes

C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe

"C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe"

C:\Windows\SysWOW64\CScript.exe

"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Doper\ipras.vbs" //e:vbscript //B //NOLOGO

C:\Program Files (x86)\Doper\Download.exe

"C:\Program Files (x86)\Doper\Download.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 iplogger.org udp 1
DE 148.251.234.83:443 iplogger.org tcp 1
US 20.189.173.6:443 N/A tcp 1
US 52.109.12.19:443 N/A tcp 1
US 8.8.8.8:53 ip-api.com udp 1
US 208.95.112.1:80 ip-api.com tcp 1
US 8.8.8.8:53 cede01.info udp 7

Files

C:\Users\Admin\AppData\Local\Temp\nsjD324.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Users\Admin\AppData\Local\Temp\nsjD324.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

memory/3792-132-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Doper\ipras.vbs

MD5 b802ff9244875f69db2fae0f78e92b10
SHA1 49385a89cd575894a29fbda969b99cc1f5cf8076
SHA256 a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
SHA512 609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e

memory/4304-134-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Doper\Download.exe

MD5 b8312084a400862a2c19797691c6f0a6
SHA1 d675f4ed00508ff0208f75fd6851d14348c9bed4
SHA256 9f23b60e0b3c3360a2b67cc40d977577a74d1b16306522aa306b0feb29dad07b
SHA512 beae195ed8dd2572e7299cdbe137d80f152cefa89c8bca25bafcf9527b34157833972cc3142d803e8cef33d5fe72217278253f423cc203585097a7ec1a0496ce

memory/4304-137-0x0000000000C90000-0x00000000011BC000-memory.dmp

memory/4304-138-0x0000000000C90000-0x00000000011BC000-memory.dmp

memory/4304-139-0x0000000077210000-0x00000000773B3000-memory.dmp

memory/4304-140-0x0000000000C90000-0x00000000011BC000-memory.dmp

memory/4304-141-0x0000000077210000-0x00000000773B3000-memory.dmp

memory/4304-142-0x0000000000C90000-0x00000000011BC000-memory.dmp