Malware Analysis Report

2025-04-13 11:32

Sample ID 220624-2vf24safg8
Target d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d
SHA256 d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d
Tags
cryptbot discovery evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d

Threat Level: Known bad

The file d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery evasion spyware stealer

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-24 22:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-24 22:53

Reported

2022-06-24 23:02

Platform

win7-20220414-en

Max time kernel

149s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\CScript.exe | N/A
(the same row was recorded 5 times)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Wine | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Wine | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Ivp\bin\Two.vbs | C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe | N/A
File created | C:\Program Files (x86)\Ivp\bin\setup.exe | C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe | N/A
File created | C:\Program Files (x86)\Ivp\bin\looo.exe | C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 284 wrote to memory of 960 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe | C:\Program Files (x86)\Ivp\bin\setup.exe
PID 284 wrote to memory of 1348 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe | C:\Windows\SysWOW64\CScript.exe
PID 284 wrote to memory of 684 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe | C:\Program Files (x86)\Ivp\bin\looo.exe
(The identical seven-write pattern into every child, including the script host, is what a parent produces while setting up processes it has just created; on its own this signature is not evidence of code injection.)

Processes

C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe

"C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe"

C:\Program Files (x86)\Ivp\bin\setup.exe

"C:\Program Files (x86)\Ivp\bin\setup.exe"

C:\Windows\SysWOW64\CScript.exe

"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Ivp\bin\Two.vbs" //e:vbscript //B //NOLOGO

(The command line names system32 while the process image is under SysWOW64: the 32-bit dropper is subject to WoW64 file-system redirection, so its system32 reference resolves to the 32-bit script host. //B is batch mode, which suppresses script errors and prompts, and //NOLOGO hides the banner, so Two.vbs runs with no visible UI.)

C:\Program Files (x86)\Ivp\bin\looo.exe

"C:\Program Files (x86)\Ivp\bin\looo.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | iplogger.org | udp
DE | 148.251.234.83:443 | iplogger.org | tcp (3 connections)
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | verf01.top | udp
DE | 148.251.234.83:443 | iplogger.org | tcp (2 connections)
US | 8.8.8.8:53 | jload05.xyz | udp

(The 8.8.8.8:53 rows are lookups against the sandbox resolver, not contacts with the resolved host. verf01.top and jload05.xyz were each looked up once and no TCP connection to either appears, so whatever those domains serve was not observed in this run.)

Files

(The nsy3A25.tmp directory under the user's Temp folder, holding UAC.dll and nsExec.dll, is the plug-in extraction directory of an NSIS-built installer, so the submitted file is an NSIS package that unpacks setup.exe, looo.exe and Two.vbs into C:\Program Files (x86)\Ivp\bin and runs them. Identical repeated entries for a file are the sandbox recording each write or open of that file; the hashes did not change between them.)

memory/284-54-0x0000000076431000-0x0000000076433000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsy3A25.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

\Program Files (x86)\Ivp\bin\setup.exe

MD5 e3bd0bd352761ec4519226b2f1a99741
SHA1 7fb5b0edd93b0fc1b81ece790196cb8e3199dbb0
SHA256 f202795b0ac5d3b56baccd451ab5c43b4db104c5332eafadf8efbc5ad297b3c8
SHA512 3c0dc2495bbc57477b8db071c024fb940dfe7030aba86c9d5fc2f53a80b19b58d52a0309ea662eda98b8f58000cd4efef83840534c5aaaa3f819d7629d3c8cb0

memory/284-57-0x00000000026B0000-0x0000000002BAD000-memory.dmp

memory/960-58-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\nsy3A25.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

memory/1348-61-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Ivp\bin\Two.vbs

MD5 c6362e3c5585f24a9e9a2712c00c52ff
SHA1 9259b9609313386f004328d2c306820eae01a587
SHA256 184ca5b2737175e0828f3546d483778c95e23720f1375deac0090c2fe415e208
SHA512 59ac94fdb6f41d6dc5cbea1855897759f35032ac922b936a0b39a21b6aafb0c862c5d419afa31c0b81f106f2ce06b2909cdb5fb713534fbe36202c5a4fedfeaa

memory/960-68-0x0000000000190000-0x000000000068D000-memory.dmp

memory/960-70-0x00000000011C0000-0x00000000016BD000-memory.dmp

memory/960-69-0x00000000011C0000-0x00000000016BD000-memory.dmp

memory/960-71-0x0000000073C21000-0x0000000073C23000-memory.dmp

memory/960-72-0x0000000077480000-0x0000000077600000-memory.dmp

memory/960-73-0x0000000000190000-0x000000000068D000-memory.dmp

memory/960-74-0x0000000073721000-0x0000000073723000-memory.dmp

memory/960-83-0x0000000000190000-0x000000000068D000-memory.dmp

memory/960-84-0x00000000735B1000-0x00000000735B3000-memory.dmp

memory/960-85-0x00000000011C0000-0x00000000016BD000-memory.dmp

memory/960-86-0x0000000077480000-0x0000000077600000-memory.dmp

memory/960-87-0x0000000000190000-0x000000000068D000-memory.dmp

\Program Files (x86)\Ivp\bin\looo.exe

MD5 1020f1ede8ee26e04d02d27d89f49806
SHA1 d87a93388d831d00bf73bdd5070459d9e93fc1de
SHA256 6bc6667519c0417b064ac6b0cefc19e6a1fe7ba8394d42e5b7deef878411c2fa
SHA512 cda1c4c82dc25a7610ff082520417061c734a36459f01a871b6f57396383a63d109cc301591f759fd3cffdb1af00deef2440d6de823f7d7d1ea893f9a3f9a319

memory/684-89-0x0000000000000000-mapping.dmp

memory/284-95-0x0000000002730000-0x0000000002C55000-memory.dmp

memory/684-96-0x0000000000400000-0x0000000000925000-memory.dmp

memory/684-97-0x00000000012C0000-0x00000000017E5000-memory.dmp

memory/684-98-0x00000000012C0000-0x00000000017E5000-memory.dmp

memory/684-99-0x0000000077480000-0x0000000077600000-memory.dmp

memory/684-100-0x0000000000400000-0x0000000000925000-memory.dmp

memory/284-101-0x0000000002730000-0x0000000002C55000-memory.dmp

memory/684-102-0x0000000000400000-0x0000000000925000-memory.dmp

memory/684-103-0x00000000012C0000-0x00000000017E5000-memory.dmp

memory/684-104-0x0000000077480000-0x0000000077600000-memory.dmp

memory/684-105-0x0000000000400000-0x0000000000925000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-24 22:53

Reported

2022-06-24 23:02

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\CScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Ivp\bin\looo.exe | C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe | N/A
File created | C:\Program Files (x86)\Ivp\bin\Two.vbs | C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe | N/A
File created | C:\Program Files (x86)\Ivp\bin\setup.exe | C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A
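The registry rows in this and the behavioral1 Signatures sections (the DSDT\VBOX__ key, the per-user Software\Wine key, the BIOS version values and the CentralProcessor\0 name) are the raw material for a detection that does not depend on the sandbox's own signatures. The block below is an added example, not code from the report or from the sample: it scores registry-access events per process, counting each distinct evasion key once so a polling loop cannot inflate the score, and flags only processes that cross a threshold, which keeps a legitimate program that merely reads the CPU name out of the alert. The event list is constructed from the rows above plus one made-up benign process; the FADT/RSDT VBOX__ variants and the weights are assumptions of this example, not taken from the report.

```python
"""Score processes for VM/sandbox discovery from registry-access telemetry."""
import re
from collections import defaultdict

# Weighted patterns over normalised key paths (\REGISTRY\... form, upper-cased).
# DSDT\VBOX__, Software\Wine, *BiosVersion and CentralProcessor\0 are the keys
# setup.exe and looo.exe touch in this report. FADT\VBOX__ and RSDT\VBOX__ are a
# generalisation: VirtualBox exposes its OEM ID under those ACPI tables as well.
# Weights (assumed): a VBOX__ or Wine lookup has no purpose outside VM/emulator
# probing (3); BIOS and CPU-name queries are also made by normal software (1).
EVASION_PATTERNS = {
    "acpi_vbox": (3, re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$")),
    "wine":      (3, re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[0-9-]+\\SOFTWARE\\WINE$")),
    "bios":      (1, re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\(SYSTEM|VIDEO)BIOSVERSION$")),
    "cpu":       (1, re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\0(\\PROCESSORNAMESTRING)?$")),
}

_HIVE_PREFIXES = (
    ("HKEY_LOCAL_MACHINE\\", "\\REGISTRY\\MACHINE\\"),
    ("HKLM\\", "\\REGISTRY\\MACHINE\\"),
    ("HKEY_USERS\\", "\\REGISTRY\\USER\\"),
    ("HKU\\", "\\REGISTRY\\USER\\"),
)


def normalise_key(key):
    """Map HKLM/HKU-style paths to the kernel \\REGISTRY\\ form and upper-case them."""
    k = key.strip().rstrip("\\")
    for prefix, repl in _HIVE_PREFIXES:
        if k.upper().startswith(prefix):
            k = repl + k[len(prefix):]
            break
    return k.upper()


def classify(events):
    """Return {process: {tag: weight}} over the distinct evasion keys each process touched."""
    hits = defaultdict(dict)
    for ev in events:
        key = normalise_key(ev["key"])
        for tag, (weight, pattern) in EVASION_PATTERNS.items():
            if pattern.match(key):
                hits[ev["process"]][tag] = weight   # same tag again: no extra weight
    return hits


def flag_processes(events, threshold=3):
    """Processes whose distinct evasion keys score at least `threshold`, highest first."""
    ranked = sorted(
        ((sum(tags.values()), proc, sorted(tags)) for proc, tags in classify(events).items()),
        reverse=True,
    )
    return [(proc, score, tags) for score, proc, tags in ranked if score >= threshold]


SETUP_EXE = r"C:\Program Files (x86)\Ivp\bin\setup.exe"
LOOO_EXE = r"C:\Program Files (x86)\Ivp\bin\looo.exe"
UPDATER_EXE = r"C:\Program Files\ExampleVendor\updater.exe"   # made-up benign process

# Constructed from the report's registry rows for setup.exe and looo.exe, plus
# one benign process that only reads the CPU name, as a software updater might.
SAMPLE_EVENTS = [
    {"process": SETUP_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"process": SETUP_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"process": SETUP_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"process": SETUP_EXE, "key": r"\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Wine"},
    {"process": SETUP_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
    {"process": SETUP_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"process": LOOO_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"process": LOOO_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"process": LOOO_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"process": LOOO_EXE, "key": r"\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Wine"},
    {"process": UPDATER_EXE, "key": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
]

if __name__ == "__main__":
    for proc, score, tags in flag_processes(SAMPLE_EVENTS):
        print(f"{score:2d}  {proc}  {tags}")
```

With the default threshold the two dropped executables are flagged (setup.exe scores 8, looo.exe 7) and the updater, scoring 1 for the CPU-name read alone, is not. The same scoring works over Sysmon registry events (IDs 12 and 13) once their `TargetObject` field is passed through `normalise_key`.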

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Ivp\bin\setup.exe | N/A (2 events)
N/A | N/A | C:\Program Files (x86)\Ivp\bin\looo.exe | N/A (2 events)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3512 wrote to memory of 960 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe | C:\Program Files (x86)\Ivp\bin\setup.exe
PID 3512 wrote to memory of 5056 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe | C:\Windows\SysWOW64\CScript.exe
PID 3512 wrote to memory of 2232 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe | C:\Program Files (x86)\Ivp\bin\looo.exe
(The same write pattern into every child, including the script host, is what a parent produces while setting up processes it has just created; on its own this signature is not evidence of code injection.)

Processes

C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe

"C:\Users\Admin\AppData\Local\Temp\d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d.exe"

C:\Program Files (x86)\Ivp\bin\setup.exe

"C:\Program Files (x86)\Ivp\bin\setup.exe"

C:\Windows\SysWOW64\CScript.exe

"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Ivp\bin\Two.vbs" //e:vbscript //B //NOLOGO

(As on Windows 7, the 32-bit dropper's system32 reference is redirected by WoW64 to the 32-bit script host under SysWOW64; //B and //NOLOGO suppress prompts, error dialogs and the banner.)

C:\Program Files (x86)\Ivp\bin\looo.exe

"C:\Program Files (x86)\Ivp\bin\looo.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | iplogger.org | udp
DE | 148.251.234.83:443 | iplogger.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
NL | 87.248.202.1:80 | (none) | tcp
US | 8.8.8.8:53 | verf01.top | udp (4 queries)
US | 20.42.65.88:443 | (none) | tcp
US | 8.8.8.8:53 | verf01.top | udp
NL | 104.110.191.133:80 | (none) | tcp (2 connections)
NL | 87.248.202.1:80 | (none) | tcp
US | 8.8.8.8:53 | verf01.top | udp (4 queries)
US | 52.109.8.21:443 | (none) | tcp
US | 8.8.8.8:53 | verf01.top | udp (7 queries)
US | 8.8.8.8:53 | jload05.xyz | udp
US | 8.8.8.8:53 | verf01.top | udp (6 queries)

(verf01.top was looked up 22 times and jload05.xyz once, with no TCP connection attributed to either, so whatever those domains serve was not observed in this run. Rows with no Domain are connections the sandbox did not tie to a lookup by the sample; a Windows 10 image generates background traffic of its own, so those addresses should be attributed to a sample process before being used as indicators.)
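The Network tables of both detonations mix three different things in one layout: lookups against the sandbox resolver (8.8.8.8:53), connections the sandbox attributed to a domain, and connections with no domain at all. The block below is an added example, not part of the report: it parses rows in the page's own "Country Destination Domain Proto" layout, counts lookups per domain separately from connections, lists domains that were queried but never connected to (the C2 candidates in this run), keeps the external-IP and visit-logging services apart from them, and isolates the unattributed connections for manual follow-up. The rows are constructed from the behavioral2 table above with the repeated verf01.top queries reduced; the IP_SERVICES set is this example's assumption about which of the observed domains are public lookup/logging services.

```python
"""Triage a sandbox network table: lookups vs. connections vs. unattributed traffic."""
import re
from collections import Counter, defaultdict

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+"
    r"(?:(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,})\s+)?"   # Domain column is optional
    r"(?P<proto>tcp|udp)$"
)

# Public services the sample uses to learn its external IP and to log the
# infection; traffic to them is reconnaissance/telemetry, not the C2 itself.
IP_SERVICES = {"ip-api.com", "iplogger.org"}


def parse_rows(text):
    """Parse table rows; a row with no Domain column is an unattributed connection."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m is None:
            raise ValueError(f"unparsable row: {line!r}")
        rows.append(m.groupdict())
    return rows


def triage(rows, resolver_port="53"):
    """Split rows into lookups, attributed connections and unattributed connections."""
    dns = Counter()
    conns = defaultdict(set)
    unattributed = set()
    for r in rows:
        dst = f"{r['ip']}:{r['port']}"
        if r["proto"] == "udp" and r["port"] == resolver_port and r["domain"]:
            dns[r["domain"]] += 1          # a lookup: the resolver address is not an IOC
        elif r["domain"]:
            conns[r["domain"]].add(dst)
        else:
            unattributed.add(dst)
    queried_only = sorted(d for d in dns if d not in conns)
    return {
        "dns_queries": dict(dns),
        "connections": {d: sorted(v) for d, v in conns.items()},
        "queried_only": queried_only,
        "candidate_c2": [d for d in queried_only if d not in IP_SERVICES],
        "ip_services": sorted(d for d in set(dns) | set(conns) if d in IP_SERVICES),
        "unattributed": sorted(unattributed),
    }


# Constructed from the behavioral2 Network rows (verf01.top queries reduced to 5).
SAMPLE_ROWS = """
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 verf01.top udp
US 8.8.8.8:53 verf01.top udp
US 20.42.65.88:443 tcp
US 8.8.8.8:53 verf01.top udp
US 8.8.8.8:53 jload05.xyz udp
US 8.8.8.8:53 verf01.top udp
US 8.8.8.8:53 verf01.top udp
"""

if __name__ == "__main__":
    for k, v in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{k}: {v}")
```

On the sample rows the result separates the two queried-only domains (jload05.xyz, verf01.top) from the two services that were actually contacted and from the two unattributed connections, which is the split an analyst needs before deciding which addresses go into a blocklist.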

Files

(As in behavioral1, the nsq980F.tmp directory holding UAC.dll and nsExec.dll is the plug-in directory of the NSIS installer that wraps the sample. The dropped files carry the same hashes as in the Windows 7 run, so the payload does not vary by platform.)

C:\Users\Admin\AppData\Local\Temp\nsq980F.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

memory/960-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\nsq980F.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

C:\Program Files (x86)\Ivp\bin\setup.exe

MD5 e3bd0bd352761ec4519226b2f1a99741
SHA1 7fb5b0edd93b0fc1b81ece790196cb8e3199dbb0
SHA256 f202795b0ac5d3b56baccd451ab5c43b4db104c5332eafadf8efbc5ad297b3c8
SHA512 3c0dc2495bbc57477b8db071c024fb940dfe7030aba86c9d5fc2f53a80b19b58d52a0309ea662eda98b8f58000cd4efef83840534c5aaaa3f819d7629d3c8cb0

memory/5056-135-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Ivp\bin\Two.vbs

MD5 c6362e3c5585f24a9e9a2712c00c52ff
SHA1 9259b9609313386f004328d2c306820eae01a587
SHA256 184ca5b2737175e0828f3546d483778c95e23720f1375deac0090c2fe415e208
SHA512 59ac94fdb6f41d6dc5cbea1855897759f35032ac922b936a0b39a21b6aafb0c862c5d419afa31c0b81f106f2ce06b2909cdb5fb713534fbe36202c5a4fedfeaa

memory/960-137-0x00000000007D0000-0x0000000000CCD000-memory.dmp

memory/960-138-0x0000000077BD0000-0x0000000077D73000-memory.dmp

memory/960-139-0x00000000007D0000-0x0000000000CCD000-memory.dmp

memory/960-140-0x00000000007D0000-0x0000000000CCD000-memory.dmp

memory/960-141-0x0000000077BD0000-0x0000000077D73000-memory.dmp

memory/2232-142-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Ivp\bin\looo.exe

MD5 1020f1ede8ee26e04d02d27d89f49806
SHA1 d87a93388d831d00bf73bdd5070459d9e93fc1de
SHA256 6bc6667519c0417b064ac6b0cefc19e6a1fe7ba8394d42e5b7deef878411c2fa
SHA512 cda1c4c82dc25a7610ff082520417061c734a36459f01a871b6f57396383a63d109cc301591f759fd3cffdb1af00deef2440d6de823f7d7d1ea893f9a3f9a319

memory/2232-144-0x0000000000400000-0x0000000000925000-memory.dmp

memory/2232-145-0x0000000077BD0000-0x0000000077D73000-memory.dmp

memory/2232-146-0x0000000000400000-0x0000000000925000-memory.dmp

memory/2232-147-0x0000000000400000-0x0000000000925000-memory.dmp

memory/2232-148-0x0000000077BD0000-0x0000000077D73000-memory.dmp

memory/2232-149-0x0000000000400000-0x0000000000925000-memory.dmp
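The Files sections of both detonations list each dropped file once per write or open, under two path spellings, interleaved with memory-dump names that carry the PID of the process dumped. The block below is an added example, not code from the report: it parses that layout into a deduplicated artifact set, refuses input where one path is reported with two different digests for the same algorithm (which would mean the file was overwritten and must be tracked as two artifacts), validates digest lengths, collects the PIDs that were dumped, and tags paths inside an NSIS plug-in directory. The sample text is constructed from the behavioral1 Files section (SHA512 lines omitted; the parser accepts them); the NSIS directory pattern is derived from the two names in this report and NSIS's ns<letter><hex>.tmp convention.

```python
"""Deduplicate a sandbox Files section into an IOC set and spot the NSIS plug-in directory."""
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<region>.+)\.dmp$")
# NSIS extracts its plug-in DLLs to %TEMP%\ns<letter><4 hex>.tmp\ before the
# installer script runs; nsy3A25 and nsq980F in this report follow that form.
NSIS_PLUGIN_DIR = re.compile(r"\\ns[a-z][0-9a-f]{4}\.tmp\\", re.IGNORECASE)


def normalise_path(path):
    """The report lists the same file as both C:\\... and \\...; fold them together."""
    return "C:" + path if path.startswith("\\") else path


def parse_files_section(text):
    """Return ({path: {algo: digest}}, [(pid, seq, region)]) for a Files section."""
    files, dumps, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP.match(line)
        if m:
            dumps.append((int(m["pid"]), int(m["seq"]), m["region"]))
            current = None
            continue
        h = HASH_LINE.match(line)
        if h:
            if current is None:
                raise ValueError(f"digest without a preceding path: {line!r}")
            algo, digest = h.group(1), h.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{current}: bad {algo} length {len(digest)}")
            previous = files[current].get(algo)
            if previous not in (None, digest):
                raise ValueError(f"{current}: {algo} differs between entries")
            files[current][algo] = digest
            continue
        current = normalise_path(line)          # any other line starts a file entry
        files.setdefault(current, {})
    return files, dumps


def summarise(files, dumps):
    return {
        "unique_files": len(files),
        "nsis_plugins": sorted(p for p in files if NSIS_PLUGIN_DIR.search(p)),
        "pids_dumped": sorted({pid for pid, _, _ in dumps}),
        "sha256": {p: h["SHA256"] for p, h in files.items() if "SHA256" in h},
    }


# Constructed from the behavioral1 Files section: duplicate setup.exe entries
# under both path spellings are kept on purpose.
SAMPLE_FILES = r"""
memory/284-54-0x0000000076431000-0x0000000076433000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsy3A25.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

\Program Files (x86)\Ivp\bin\setup.exe

MD5 e3bd0bd352761ec4519226b2f1a99741
SHA1 7fb5b0edd93b0fc1b81ece790196cb8e3199dbb0
SHA256 f202795b0ac5d3b56baccd451ab5c43b4db104c5332eafadf8efbc5ad297b3c8

memory/960-58-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Ivp\bin\setup.exe

MD5 e3bd0bd352761ec4519226b2f1a99741
SHA1 7fb5b0edd93b0fc1b81ece790196cb8e3199dbb0
SHA256 f202795b0ac5d3b56baccd451ab5c43b4db104c5332eafadf8efbc5ad297b3c8

C:\Program Files (x86)\Ivp\bin\Two.vbs

MD5 c6362e3c5585f24a9e9a2712c00c52ff
SHA1 9259b9609313386f004328d2c306820eae01a587
SHA256 184ca5b2737175e0828f3546d483778c95e23720f1375deac0090c2fe415e208

memory/684-89-0x0000000000000000-mapping.dmp

\Program Files (x86)\Ivp\bin\looo.exe

MD5 1020f1ede8ee26e04d02d27d89f49806
SHA1 d87a93388d831d00bf73bdd5070459d9e93fc1de
SHA256 6bc6667519c0417b064ac6b0cefc19e6a1fe7ba8394d42e5b7deef878411c2fa
"""

if __name__ == "__main__":
    print(summarise(*parse_files_section(SAMPLE_FILES)))
```

The sample collapses to four unique artifacts, three dumped PIDs (284, 684, 960) and one path flagged as an NSIS plug-in, which is the compact form worth pasting into a blocklist or a YARA hash rule.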