Malware Analysis Report

2025-04-13 11:32

Sample ID 220625-dkevaseac2
Target 581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485
SHA256 581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485
Tags
cryptbot discovery evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485

Threat Level: Known bad

The file 581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery evasion spyware stealer

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Looks up external IP address via web service

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-25 03:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-25 03:03

Reported

2022-06-25 03:22

Platform

win7-20220414-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe

"C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 bube01.info udp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-06-25 03:03

Reported

2022-06-25 03:23

Platform

win10v2004-20220414-en

Max time kernel

152s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe

"C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe"

Network


Files
