Malware Analysis Report

2025-04-13 11:32

Sample ID: 220625-b28slabfa6
Target: 3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f
SHA256: 3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f
Tags: cryptbot discovery evasion spyware stealer suricata
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f

Threat Level: Known bad

The file 3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f was found to be: Known bad.

Malicious Activity Summary

Tags: cryptbot discovery evasion spyware stealer suricata

CryptBot
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Executes dropped EXE
Identifies Wine through registry keys
Checks BIOS information in registry
Reads user/profile data of web browsers
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Modifies system certificate store
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-06-25 01:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-25 01:39
Reported: 2022-06-25 01:43
Platform: win7-20220414-en
Max time kernel: 188s
Max time network: 217s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe"

Signatures

CryptBot

spyware stealer cryptbot

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\CScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Sir\Air\Setupres.exe | C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe | N/A
File created | C:\Program Files (x86)\Sir\Air\ipras.vbs | C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe | N/A
File created | C:\Program Files (x86)\Sir\Air\Setup.exe | C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob data omitted] | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 904 wrote to memory of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe | C:\Program Files (x86)\Sir\Air\Setup.exe
PID 904 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe | C:\Windows\SysWOW64\CScript.exe
PID 904 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe | C:\Program Files (x86)\Sir\Air\Setupres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe

"C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe"

C:\Program Files (x86)\Sir\Air\Setup.exe

"C:\Program Files (x86)\Sir\Air\Setup.exe"

C:\Windows\SysWOW64\CScript.exe

"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Sir\Air\ipras.vbs" //e:vbscript //B //NOLOGO

C:\Program Files (x86)\Sir\Air\Setupres.exe

"C:\Program Files (x86)\Sir\Air\Setupres.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | iplogger.org | udp
DE | 148.251.234.83:443 | iplogger.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | cede04.info | udp
US | 8.8.8.8:53 | bitbucket.org | udp
US | 104.192.141.1:443 | bitbucket.org | tcp

Files

\Users\Admin\AppData\Local\Temp\nsjCCA4.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

\Program Files (x86)\Sir\Air\Setup.exe

MD5 41af7998ebb519e0a0ca9635a865be5d
SHA1 68a7613a8d4483efb67f3794c245420e0daf2f95
SHA256 f05dc2ebf5bebbe40f1698489b873adcbefa41c98afe544fa04fd1ded91c9189
SHA512 31af03c31f0568ae57aab30c3d320a5505f3106ffd02c19b9bb5c740f76af332b27d929fca715029bfd49f2a0f404643616f0f88ab4f115693949688112ac5bb

C:\Program Files (x86)\Sir\Air\Setup.exe

MD5 41af7998ebb519e0a0ca9635a865be5d
SHA1 68a7613a8d4483efb67f3794c245420e0daf2f95
SHA256 f05dc2ebf5bebbe40f1698489b873adcbefa41c98afe544fa04fd1ded91c9189
SHA512 31af03c31f0568ae57aab30c3d320a5505f3106ffd02c19b9bb5c740f76af332b27d929fca715029bfd49f2a0f404643616f0f88ab4f115693949688112ac5bb

\Users\Admin\AppData\Local\Temp\nsjCCA4.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

C:\Program Files (x86)\Sir\Air\ipras.vbs

MD5 b802ff9244875f69db2fae0f78e92b10
SHA1 49385a89cd575894a29fbda969b99cc1f5cf8076
SHA256 a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
SHA512 609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e

\Program Files (x86)\Sir\Air\Setupres.exe

MD5 b00f36abdbc0edb4729ae72ed388e965
SHA1 a1bf243bda51006cf4c8b9ee1fdcffb206058973
SHA256 5e64432c3afc95cfda49aa9479fd66efb8d7ef9812a2acb3fa9a0f536a2e5db9
SHA512 8dd8e5d9d6ad4a5515ae178f27e4878ddab3b8cf8786177cac91719517a959fba30cc7d93eb0eff9d1d71d097dbbdf07684fd8b077e144927079db8b8d1f5bb3

C:\Program Files (x86)\Sir\Air\Setupres.exe

MD5 b00f36abdbc0edb4729ae72ed388e965
SHA1 a1bf243bda51006cf4c8b9ee1fdcffb206058973
SHA256 5e64432c3afc95cfda49aa9479fd66efb8d7ef9812a2acb3fa9a0f536a2e5db9
SHA512 8dd8e5d9d6ad4a5515ae178f27e4878ddab3b8cf8786177cac91719517a959fba30cc7d93eb0eff9d1d71d097dbbdf07684fd8b077e144927079db8b8d1f5bb3


Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-25 01:39
Reported: 2022-06-25 01:43
Platform: win10v2004-20220414-en
Max time kernel: 164s
Max time network: 186s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\CScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Sir\Air\Setup.exe | C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe | N/A
File created | C:\Program Files (x86)\Sir\Air\Setupres.exe | C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe | N/A
File created | C:\Program Files (x86)\Sir\Air\ipras.vbs | C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Sir\Air\Setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Sir\Air\Setupres.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2104 wrote to memory of 3408 | N/A | C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe | C:\Program Files (x86)\Sir\Air\Setup.exe
PID 2104 wrote to memory of 3744 | N/A | C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe | C:\Windows\SysWOW64\CScript.exe
PID 2104 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe | C:\Program Files (x86)\Sir\Air\Setupres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe

"C:\Users\Admin\AppData\Local\Temp\3fb79cd293ce64dcfd20d84df6db2d3c67869cde656bcbad684bb773f76c298f.exe"

C:\Program Files (x86)\Sir\Air\Setup.exe

"C:\Program Files (x86)\Sir\Air\Setup.exe"

C:\Windows\SysWOW64\CScript.exe

"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Sir\Air\ipras.vbs" //e:vbscript //B //NOLOGO

C:\Program Files (x86)\Sir\Air\Setupres.exe

"C:\Program Files (x86)\Sir\Air\Setupres.exe"

Network

Country | Destination | Domain | Proto
US | 52.109.8.20:443 | | tcp
US | 8.248.21.254:80 | | tcp
US | 8.8.8.8:53 | iplogger.org | udp
DE | 148.251.234.83:443 | iplogger.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
IE | 13.69.239.72:443 | | tcp
US | 8.8.8.8:53 | cede04.info | udp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | bitbucket.org | udp
US | 104.192.141.1:443 | bitbucket.org | tcp

Files

C:\Users\Admin\AppData\Local\Temp\nslCA1C.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Program Files (x86)\Sir\Air\Setup.exe

MD5 41af7998ebb519e0a0ca9635a865be5d
SHA1 68a7613a8d4483efb67f3794c245420e0daf2f95
SHA256 f05dc2ebf5bebbe40f1698489b873adcbefa41c98afe544fa04fd1ded91c9189
SHA512 31af03c31f0568ae57aab30c3d320a5505f3106ffd02c19b9bb5c740f76af332b27d929fca715029bfd49f2a0f404643616f0f88ab4f115693949688112ac5bb

C:\Users\Admin\AppData\Local\Temp\nslCA1C.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

C:\Program Files (x86)\Sir\Air\ipras.vbs

MD5 b802ff9244875f69db2fae0f78e92b10
SHA1 49385a89cd575894a29fbda969b99cc1f5cf8076
SHA256 a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
SHA512 609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e

C:\Program Files (x86)\Sir\Air\Setupres.exe

MD5 b00f36abdbc0edb4729ae72ed388e965
SHA1 a1bf243bda51006cf4c8b9ee1fdcffb206058973
SHA256 5e64432c3afc95cfda49aa9479fd66efb8d7ef9812a2acb3fa9a0f536a2e5db9
SHA512 8dd8e5d9d6ad4a5515ae178f27e4878ddab3b8cf8786177cac91719517a959fba30cc7d93eb0eff9d1d71d097dbbdf07684fd8b077e144927079db8b8d1f5bb3
