Malware Analysis Report

2025-04-13 11:32

Sample ID: 220625-b2dbpabef4
Target: a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d (the submitted file name, as seen in the Command Line entries below)
SHA256: a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d
Tags: cryptbot discovery evasion spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d
Threat Level: Known bad

The file a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery evasion spyware stealer

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks BIOS information in registry

Identifies Wine through registry keys

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-06-25 01:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-25 01:38
Reported: 2022-06-25 01:41
Platform: win7-20220414-en
Max time kernel: 148s
Max time network: 190s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Cyper\Setup.exe | N/A
VirtualBox publishes its ACPI tables under HKLM\HARDWARE\ACPI with the OEM id VBOX__ (the padding spaces of the ACPI OEM field become underscores in the key name), so a successful open of this key is enough to tell the sample it is inside VirtualBox.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Cyper\Setup.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Cyper\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Cyper\Setup.exe | N/A
Both values carry the firmware vendor string and are a common place to find a hypervisor name on an unhardened VM.

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Wine | C:\Program Files (x86)\Cyper\Setup.exe | N/A
The SID in the path is the sandbox user's account; HKCU\Software\Wine only exists when the process runs under Wine.

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Cyper\Setup.exe | N/A
NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events to an attached debugger, so breakpoints and exceptions in that thread are never reported to the analyst.

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Cyper\Set.exe | C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe | N/A
File created | C:\Program Files (x86)\Cyper\Setup.exe | C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe | N/A
File created | C:\Program Files (x86)\Cyper\vm_begin.inc | C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe | N/A
File created | C:\Program Files (x86)\Cyper\vm_end.inc | C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe | N/A
File created | C:\Program Files (x86)\Cyper\vm_risc_begin.inc | C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe | N/A
The report records no hashes for Set.exe or the three .inc files; of the dropped set only Setup.exe appears in the Files section below.

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Cyper\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Cyper\Setup.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Cyper\Setup.exe | N/A
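The four registry signatures above (VirtualBox ACPI table, BIOS strings, Wine key, CPU name) are one pattern: open or query a path whose existence or vendor string gives away a hypervisor or emulator. The block below is an added example written by the editor, not code from the report or from the sandbox vendor, showing how a detection engineer would turn those exact paths into rules and score a process on them. It assumes events arrive as (operation, path, process) tuples (the sample input is transcribed from the rows above plus one benign control event), rewrites NT object-manager paths (\REGISTRY\MACHINE, \REGISTRY\USER) to the HKLM/HKU form most telemetry tools emit, and widens the VirtualBox rule to the FADT and RSDT tables, which VirtualBox stamps with the same VBOX__ OEM id. The ATT&CK technique ids in the rule table are the editor's mapping, not the report's. One caveat: Sysmon registry events (IDs 12, 13, 14) cover creates, deletes, value writes and renames, not key opens or value reads, so these rules need a sandbox trace or an ETW/EDR registry read source as input.

```python
import re
from collections import defaultdict

# Registry access events transcribed from the behavioral1 signature rows
# (constructed sample input: paths and process are the report's; the last
# event is a benign control that the rules should ignore).
SAMPLE_EVENTS = [
    ("key opened",
     r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
     r"C:\Program Files (x86)\Cyper\Setup.exe"),
    ("value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
     r"C:\Program Files (x86)\Cyper\Setup.exe"),
    ("value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
     r"C:\Program Files (x86)\Cyper\Setup.exe"),
    ("key opened",
     r"\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Wine",
     r"C:\Program Files (x86)\Cyper\Setup.exe"),
    ("key opened",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
     r"C:\Program Files (x86)\Cyper\Setup.exe"),
    ("value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
     r"C:\Program Files (x86)\Cyper\Setup.exe"),
    ("key opened",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
     r"C:\Windows\explorer.exe"),
]

# (rule name, regex over the normalized path, tag, ATT&CK technique).
# Technique ids are the editor's mapping. The VirtualBox rule also covers
# FADT and RSDT, which carry the same VBOX__ OEM id as DSDT.
RULES = [
    ("VirtualBox ACPI OEM id",
     r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", "evasion", "T1497"),
    ("Wine presence check",
     r"^HKU\\S-1-5-21-[\d-]+\\Software\\Wine$", "evasion", "T1497"),
    ("BIOS version strings",
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$",
     "discovery", "T1082"),
    ("CPU identification",
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(\\ProcessorNameString)?$",
     "discovery", "T1082"),
]
_COMPILED = [(name, re.compile(rx, re.IGNORECASE), tag, tech) for name, rx, tag, tech in RULES]

# Weight VM/emulator probes above plain hardware discovery: one VM probe plus
# one fingerprint read is a stronger signal than several fingerprint reads.
_WEIGHT = {"evasion": 2, "discovery": 1}
_VERDICT_THRESHOLD = 3

_HIVES = ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU"))


def normalize(path):
    """Rewrite an NT object-manager registry path to the HKLM/HKU form most telemetry uses."""
    for nt_prefix, hive in _HIVES:
        if path.upper().startswith(nt_prefix.upper()):
            return hive + path[len(nt_prefix):]
    return path


def match_rules(path):
    """Return every (name, tag, technique) whose pattern matches the normalized path."""
    norm = normalize(path)
    return [(name, tag, tech) for name, rx, tag, tech in _COMPILED if rx.search(norm)]


def assess(events):
    """Score each process on the distinct rules it triggered; processes with no hits are omitted."""
    hits = defaultdict(dict)  # process -> {rule name: (tag, technique)}
    for _operation, path, process in events:
        for name, tag, tech in match_rules(path):
            hits[process][name] = (tag, tech)
    report = {}
    for process, rules in hits.items():
        score = sum(_WEIGHT[tag] for tag, _ in rules.values())
        report[process] = {
            "rules": sorted(rules),
            "tags": sorted({tag for tag, _ in rules.values()}),
            "techniques": sorted({tech for _, tech in rules.values()}),
            "score": score,
            "verdict": "anti-analysis" if score >= _VERDICT_THRESHOLD else "discovery-only",
        }
    return report


if __name__ == "__main__":
    for process, summary in assess(SAMPLE_EVENTS).items():
        print(process, summary["verdict"], summary["score"], summary["rules"])
```

Distinct rules, not raw event counts, drive the score: the six events from Setup.exe collapse to four rule hits, two of them evasion, and the explorer.exe control event produces no entry at all.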

Processes

C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe

"C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe"

C:\Program Files (x86)\Cyper\Setup.exe

"C:\Program Files (x86)\Cyper\Setup.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | vvz01.pro | udp

Files

Dropped files (the original listing repeats Setup.exe five times under the spellings \Program Files (x86)\Cyper\Setup.exe and C:\Program Files (x86)\Cyper\Setup.exe; the hashes are identical, so it is one artifact)

\Users\Admin\AppData\Local\Temp\nsj84BC.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Program Files (x86)\Cyper\Setup.exe (also listed as \Program Files (x86)\Cyper\Setup.exe)

MD5 184073024e93d570c71c2e49afc5b26b
SHA1 dbb7cdcb73b04092e9465969f1075227617e88bb
SHA256 cc76ddcff8abaf26698c735a56abb171773c48262e06ae2dbdcaf13769edb8de
SHA512 00296de5e63229dd91e71dc8d347a34203829314339690a63b5e448ecfda9a7be0f1be11fd34f2936590d30c05ec7ef126ad9ab695ef18459326bdc66160474d

The ns<hex>.tmp directory under %TEMP% is where an NSIS installer unpacks its plugins, and UAC.dll is the NSIS UAC plugin, so the dropper is consistent with an NSIS-built package; the report itself does not name the installer framework.

Memory dumps (two PIDs, 908 and 1736, appear in the dump names; the report does not map them to the two processes listed above)

memory/908-54-0x0000000076531000-0x0000000076533000-memory.dmp
memory/1736-57-0x0000000000000000-mapping.dmp
memory/908-60-0x0000000002730000-0x0000000002C82000-memory.dmp
memory/1736-61-0x00000000012E0000-0x0000000001832000-memory.dmp
memory/1736-65-0x0000000000C50000-0x00000000011A2000-memory.dmp
memory/1736-66-0x00000000012E0000-0x0000000001832000-memory.dmp
memory/1736-67-0x0000000000C50000-0x00000000011A2000-memory.dmp
memory/1736-68-0x0000000077910000-0x0000000077A90000-memory.dmp
memory/1736-69-0x00000000012E0000-0x0000000001832000-memory.dmp
memory/1736-70-0x0000000074571000-0x0000000074573000-memory.dmp
memory/1736-71-0x0000000074371000-0x0000000074373000-memory.dmp
memory/1736-75-0x00000000743C1000-0x00000000743C3000-memory.dmp
memory/1736-79-0x00000000012E0000-0x0000000001832000-memory.dmp
memory/1736-80-0x0000000074211000-0x0000000074213000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-25 01:38
Reported: 2022-06-25 01:40
Platform: win10v2004-20220414-en
Max time kernel: 146s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Cyper\Setup.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Cyper\Setup.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Cyper\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Cyper\Setup.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Wine | C:\Program Files (x86)\Cyper\Setup.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Cyper\Setup.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Cyper\Set.exe | C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe | N/A
File created | C:\Program Files (x86)\Cyper\Setup.exe | C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe | N/A
File created | C:\Program Files (x86)\Cyper\vm_begin.inc | C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe | N/A
File created | C:\Program Files (x86)\Cyper\vm_end.inc | C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe | N/A
File created | C:\Program Files (x86)\Cyper\vm_risc_begin.inc | C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Cyper\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Cyper\Setup.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Cyper\Setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Cyper\Setup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe

"C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe"

C:\Program Files (x86)\Cyper\Setup.exe

"C:\Program Files (x86)\Cyper\Setup.exe"

Network

Country | Destination | Domain | Proto | Rows
NL | 104.97.14.81:80 | (none) | tcp | 1
US | 8.8.8.8:53 | ip-api.com | udp | 1
US | 208.95.112.1:80 | ip-api.com | tcp | 1
US | 8.8.8.8:53 | vvz01.pro | udp | 22
NL | 52.178.17.2:443 | (none) | tcp | 1
FR | 2.18.109.224:443 | (none) | tcp | 1
US | 104.18.24.243:80 | (none) | tcp | 1
NL | 104.123.41.162:80 | (none) | tcp | 1

The 22 vvz01.pro rows are identical resolver queries spread across the run (in the original listing they are interleaved with the TCP rows above). No connection to a resolved vvz01.pro address appears, which is consistent with the name not resolving or with the sample still retrying when the run ended; the report does not say which. The TCP rows with no domain have no preceding DNS query in the capture and no owning process in the report, so they cannot be attributed to the sample from this page alone.

Files

Dropped files (the original listing repeats Setup.exe twice with identical hashes; it is one artifact)

C:\Users\Admin\AppData\Local\Temp\nsk94E3.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Program Files (x86)\Cyper\Setup.exe

MD5 184073024e93d570c71c2e49afc5b26b
SHA1 dbb7cdcb73b04092e9465969f1075227617e88bb
SHA256 cc76ddcff8abaf26698c735a56abb171773c48262e06ae2dbdcaf13769edb8de
SHA512 00296de5e63229dd91e71dc8d347a34203829314339690a63b5e448ecfda9a7be0f1be11fd34f2936590d30c05ec7ef126ad9ab695ef18459326bdc66160474d

UAC.dll and Setup.exe carry the same hashes as in the behavioral1 run; only the random ns<hex>.tmp directory name differs between runs (nsj84BC vs nsk94E3), so indicators should key on the hashes rather than on the temp path.

Memory dumps (all from PID 5108)

memory/5108-131-0x0000000000000000-mapping.dmp
memory/5108-134-0x0000000000D00000-0x0000000001252000-memory.dmp
memory/5108-135-0x0000000077580000-0x0000000077723000-memory.dmp
memory/5108-136-0x0000000000D00000-0x0000000001252000-memory.dmp
memory/5108-137-0x0000000000D00000-0x0000000001252000-memory.dmp
memory/5108-138-0x0000000077580000-0x0000000077723000-memory.dmp
memory/5108-139-0x0000000000D00000-0x0000000001252000-memory.dmp
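Both the Network tables and the Files sections of this report need the same post-processing before anything in them becomes an indicator: the network rows repeat one DNS query dozens of times and mix names that were only resolved with names that were actually connected to, and the file entries list one artifact several times under different path spellings. The block below is an added example written by the editor, not code from the report or from the sandbox vendor, that does both. It assumes the row and hash line formats exactly as printed in this report (the sample input is transcribed from the behavioral2 run above, with the 22 identical vvz01.pro rows generated rather than listed, so their interleaving with the TCP rows is not preserved), and the EXTERNAL_IP_SERVICES set is the editor's list, seeded with the one service the report names.

```python
import re
from collections import Counter, defaultdict

# Network rows as printed in the behavioral2 table (constructed input; the
# 22 identical resolver queries are generated, so their ordering relative to
# the TCP rows is not the report's).
NETWORK_ROWS = [
    "NL 104.97.14.81:80 tcp",
    "US 8.8.8.8:53 ip-api.com udp",
    "US 208.95.112.1:80 ip-api.com tcp",
    *(["US 8.8.8.8:53 vvz01.pro udp"] * 22),
    "NL 52.178.17.2:443 tcp",
    "FR 2.18.109.224:443 tcp",
    "US 104.18.24.243:80 tcp",
    "NL 104.123.41.162:80 tcp",
]

# Files section excerpt in the report's own layout (constructed: the NSIS
# plugin DLL, one memory-dump line, and Setup.exe under two path spellings).
FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\nsk94E3.tmp\UAC.dll
MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

memory/5108-131-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Cyper\Setup.exe
MD5 184073024e93d570c71c2e49afc5b26b
SHA256 cc76ddcff8abaf26698c735a56abb171773c48262e06ae2dbdcaf13769edb8de

\Program Files (x86)\Cyper\Setup.exe
MD5 184073024e93d570c71c2e49afc5b26b
SHA256 cc76ddcff8abaf26698c735a56abb171773c48262e06ae2dbdcaf13769edb8de
"""

# Services a stealer contacts only to learn the victim's public IP
# (editor's list; the report names ip-api.com).
EXTERNAL_IP_SERVICES = {"ip-api.com"}

_NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_network(rows):
    """Parse 'CC dst:port [domain] proto' rows; the domain column is optional."""
    parsed = []
    for row in rows:
        m = _NET_RE.match(row.strip())
        if m is None:
            raise ValueError(f"unparsed network row: {row!r}")
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        parsed.append(rec)
    return parsed


def summarize_network(rows):
    """Collapse repeated rows and separate resolved-only names from contacted ones."""
    recs = parse_network(rows)
    counts = Counter((r["dst"], r["port"], r["domain"], r["proto"]) for r in recs)
    resolved = {r["domain"] for r in recs if r["port"] == 53 and r["domain"]}
    contacted = {r["domain"] for r in recs if r["port"] != 53 and r["domain"]}
    return {
        "counts": dict(counts),
        "dns_only": sorted(resolved - contacted),  # queried, never connected to
        "external_ip_lookup": sorted(contacted & EXTERNAL_IP_SERVICES),
        # TCP rows without a domain have no DNS query in the capture and no
        # owning process in the report; keep them apart rather than calling them C2.
        "unattributed_tcp": sorted(
            f"{r['dst']}:{r['port']}" for r in recs if r["proto"] == "tcp" and not r["domain"]
        ),
    }


def parse_files(text):
    """Key file records by SHA256 so one artifact listed under several paths is
    reported once; memory-dump lines carry no hashes and are returned separately."""
    artifacts = defaultdict(lambda: {"paths": set(), "hashes": {}})
    dumps = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        name, hashes = lines[0], {}
        for ln in lines[1:]:
            m = _HASH_RE.match(ln)
            if m:
                hashes[m.group(1)] = m.group(2).lower()
        if name.startswith("memory/"):
            dumps.append(name)
        elif "SHA256" in hashes:
            rec = artifacts[hashes["SHA256"]]
            rec["paths"].add(name)
            rec["hashes"].update(hashes)
    return (
        {sha: {"paths": sorted(v["paths"]), "hashes": v["hashes"]} for sha, v in artifacts.items()},
        dumps,
    )


if __name__ == "__main__":
    net = summarize_network(NETWORK_ROWS)
    files, dumps = parse_files(FILES_TEXT)
    print("DNS-only names:", net["dns_only"])
    print("External-IP services contacted:", net["external_ip_lookup"])
    for sha, rec in files.items():
        print(sha[:16], rec["paths"])
```

Run as printed, the summary puts vvz01.pro in dns_only (22 queries, no connection), ip-api.com in external_ip_lookup (resolved and then contacted on 208.95.112.1:80), and the five domain-less TCP rows in unattributed_tcp, while the two Setup.exe entries collapse to one SHA256 with both path spellings attached.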