Malware Analysis Report

2025-04-13 11:32

Sample ID: 220625-dyh4waeeh3
Target: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8
SHA256: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8
Tags: cryptbot discovery evasion spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8
Threat level: Known bad

Malicious Activity Summary

Tags: cryptbot discovery evasion spyware stealer

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks computer location settings

Checks BIOS information in registry

Checks installed software on the system

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported

2022-06-25 03:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-25 03:24

Reported

2022-06-25 03:46

Platform

win7-20220414-en

Max time kernel

150s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe

"C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | cede03.info | udp

Files

memory/1968-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

memory/1968-55-0x00000000001D0000-0x0000000000724000-memory.dmp

memory/1968-56-0x00000000774C0000-0x0000000077640000-memory.dmp

memory/1968-57-0x0000000074591000-0x0000000074593000-memory.dmp

memory/1968-59-0x00000000001D0000-0x0000000000724000-memory.dmp

memory/1968-58-0x0000000074291000-0x0000000074293000-memory.dmp

memory/1968-62-0x0000000074121000-0x0000000074123000-memory.dmp

memory/1968-68-0x00000000001D0000-0x0000000000724000-memory.dmp

memory/1968-69-0x0000000074101000-0x0000000074103000-memory.dmp

memory/1968-70-0x00000000001D0000-0x0000000000724000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-25 03:24

Reported

2022-06-25 03:47

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
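The evasion checks in this section (VirtualBox ACPI table name, system and video BIOS version strings, CPU name string, the Wine key and, in behavioral2, Geo\Nation) are the same in behavioral1 and behavioral2. What follows is an added example, not part of this report and not code from the sample: it turns those registry indicators into a small triage rule that runs over registry-access events in the report's own "operation, key" wording. The event list is constructed; pid 1968 is borrowed from the behavioral1 memory-dump names and pid 4242 is an invented benign process. A single BIOS or CPU query is weak evidence on its own (inventory and licensing code reads the same values), so the rule only calls a process "likely anti-analysis" when the VBOX ACPI key or the Wine key is touched, or when two or more of the hardware strings are read.

```python
"""Score sandbox registry events for the anti-analysis checks in this report.

Added example; it is not part of the sandbox report and not code from the
sample. The indicator paths are the ones listed in the behavioral1 and
behavioral2 signature tables. SAMPLE_EVENTS is constructed: pid 1968 is
borrowed from the behavioral1 memory-dump names, pid 4242 is invented noise.
"""
import re

# (category, description) keyed by registry path. The per-user SID is written
# as <SID> so the same rule matches any victim or sandbox account.
ANTI_ANALYSIS_INDICATORS = {
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__":
        ("anti-vm", "VirtualBox ACPI DSDT table"),
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion":
        ("anti-vm", "system BIOS version"),
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion":
        ("anti-vm", "video BIOS version"),
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString":
        ("anti-vm", "CPU name string"),
    r"\REGISTRY\USER\<SID>\Software\Wine":
        ("anti-wine", "Wine registry key"),
    r"\REGISTRY\USER\<SID>\Control Panel\International\Geo\Nation":
        ("geo-check", "machine country code"),
}
_INDICATORS = {k.lower(): v for k, v in ANTI_ANALYSIS_INDICATORS.items()}
_SID_RE = re.compile(r"\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+", re.IGNORECASE)


def normalise_key(path):
    """Lower-case the path and replace a concrete user SID with <SID>."""
    return _SID_RE.sub(r"\\REGISTRY\\USER\\<SID>", path).lower()


def classify_registry_events(events):
    """events: iterable of (pid, operation, registry_path) tuples.

    Returns {pid: {"hits": [...], "indicators": set, "verdict": str}}.
    One BIOS or CPU query is ordinary for inventory or licensing code, so the
    verdict is "likely anti-analysis" only when the VBOX ACPI key or the Wine
    key is touched, or at least two distinct anti-vm indicators are read.
    """
    per_pid = {}
    for pid, op, path in events:
        hit = _INDICATORS.get(normalise_key(path))
        if hit is None:
            continue
        entry = per_pid.setdefault(pid, {"hits": [], "indicators": set()})
        entry["hits"].append(f"{op}: {hit[1]} [{hit[0]}]")
        entry["indicators"].add(hit)
    for entry in per_pid.values():
        categories = {c for c, _ in entry["indicators"]}
        vm_hits = {w for c, w in entry["indicators"] if c == "anti-vm"}
        strong = "VirtualBox ACPI DSDT table" in vm_hits or "anti-wine" in categories
        entry["verdict"] = ("likely anti-analysis"
                            if strong or len(vm_hits) >= 2 else "inconclusive")
    return per_pid


# Constructed event stream in the report's own (operation, key) wording.
SAMPLE_EVENTS = [
    (1968, "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (1968, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (1968, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (1968, "Key opened", r"\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Wine"),
    (1968, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    (1968, "Key value queried", r"\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation"),
    # Invented benign process: one BIOS read plus an unrelated key, no verdict.
    (4242, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (4242, "Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
]

if __name__ == "__main__":
    for pid, entry in classify_registry_events(SAMPLE_EVENTS).items():
        print(pid, entry["verdict"], *entry["hits"], sep="\n  ")
```

The SID normalisation is what makes the rule portable between the two detonations here (different SIDs in behavioral1 and behavioral2) and real victims; without it a rule keyed on the literal sandbox SID never fires outside the sandbox.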

Processes

C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe

"C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\XcfphEnUK & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 2
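The cmd.exe line above removes the staging directory C:\ProgramData\XcfphEnUK, waits two seconds through timeout.exe, and then deletes the sample's own executable; the delay gives the parent process time to exit so that the file is no longer locked when del runs, which is why the report flags timeout.exe under evasion. What follows is an added example, not from the report or the sample: a parser and a self-delete check for that command pattern, using the command line and parent image path recorded in this report. The regular expressions and function names are this example's own.

```python
"""Recognise the cmd.exe staging-cleanup / self-delete pattern from this report.

Added example, not from the sandbox report or the malware: the command line
and parent image path are the ones recorded in behavioral2; the regexes and
the function names are this example's own.
"""
import re

SAMPLE_SHA256 = "fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8"
PARENT_IMAGE = rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE_SHA256}.exe"
# Command line spawned by the sample in behavioral2 (copied from the report).
CLEANUP_CMDLINE = (
    r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\XcfphEnUK'
    rf' & timeout 2 & del /f /q "{PARENT_IMAGE}"'
)

# cmd.exe arguments may be bare or double-quoted; `&` is what chains the three
# commands in one cmd.exe instance, so an unquoted argument stops at it.
_ARG = r'("[^"]+"|[^\s&]+)'
_RD_RE = re.compile(r"\b(?:rd|rmdir)\b(?:\s+/[sq])*\s+" + _ARG, re.IGNORECASE)
_TIMEOUT_RE = re.compile(r"\btimeout\b(?:\s+/t)?\s+(\d+)", re.IGNORECASE)
_DEL_RE = re.compile(r"\b(?:del|erase)\b(?:\s+/[fqa])*\s+" + _ARG, re.IGNORECASE)


def _unquote(arg):
    return arg[1:-1] if len(arg) >= 2 and arg[0] == arg[-1] == '"' else arg


def parse_cleanup_cmdline(cmdline):
    """Return the directory removed, the delay and the file deleted (any may be None)."""
    rd = _RD_RE.search(cmdline)
    to = _TIMEOUT_RE.search(cmdline)
    dl = _DEL_RE.search(cmdline)
    return {
        "removed_dir": _unquote(rd.group(1)) if rd else None,
        "delay_seconds": int(to.group(1)) if to else None,
        "deleted_file": _unquote(dl.group(1)) if dl else None,
    }


def is_self_delete(cmdline, parent_image):
    """True when cmd.exe is told to delete its parent's own image.

    Compare case-insensitively: Windows paths are, and the sandbox records the
    parent image and the del argument from different sources.
    """
    info = parse_cleanup_cmdline(cmdline)
    return (info["deleted_file"] is not None
            and info["deleted_file"].lower() == parent_image.lower())


if __name__ == "__main__":
    print(parse_cleanup_cmdline(CLEANUP_CMDLINE))
    print("self-delete:", is_self_delete(CLEANUP_CMDLINE, PARENT_IMAGE))
```

Because the on-disk sample is gone after this runs, the memory dumps listed under Files are what remains of the executable in this detonation; a detection built on this pattern should therefore key on process-creation telemetry (parent image plus the child cmd.exe command line), not on file presence.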

Network

Country | Destination | Domain | Proto
US | 67.24.179.254:80 | - | tcp
NL | 104.110.191.133:80 | - | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | cede03.info | udp
US | 8.253.135.120:80 | - | tcp
US | 8.8.8.8:53 | cede03.info | udp
NL | 104.110.191.140:80 | - | tcp
NL | 104.110.191.140:80 | - | tcp
US | 8.8.8.8:53 | cede03.info | udp
US | 93.184.220.29:80 | - | tcp
US | 93.184.220.29:80 | - | tcp
US | 8.8.8.8:53 | cede03.info | udp
NL | 13.69.109.130:443 | - | tcp
US | 8.8.8.8:53 | cede03.info | udp
NL | 104.110.191.133:80 | - | tcp
NL | 104.110.191.133:80 | - | tcp
NL | 104.110.191.133:80 | - | tcp
US | 8.8.8.8:53 | cede03.info | udp
US | 8.8.8.8:53 | cede03.info | udp
US | 8.8.8.8:53 | cede03.info | udp
US | 8.8.8.8:53 | cede03.info | udp
US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp
US | 8.8.8.8:53 | cede03.info | udp
US | 8.8.8.8:53 | cede03.info | udp
US | 8.8.8.8:53 | cede03.info | udp
US | 8.8.8.8:53 | cede03.info | udp
US | 8.8.8.8:53 | cede03.info | udp
US | 8.8.8.8:53 | cede03.info | udp
US | 8.8.8.8:53 | cede03.info | udp
US | 8.8.8.8:53 | cede03.info | udp
IE | 40.126.31.71:443 | - | tcp
US | 8.8.8.8:53 | cede03.info | udp

A dash in the Domain column means the sandbox did not tie that connection to a name it resolved.

Files

memory/3232-130-0x0000000000910000-0x0000000000E64000-memory.dmp

memory/3232-131-0x00000000774D0000-0x0000000077673000-memory.dmp

memory/3232-132-0x0000000000910000-0x0000000000E64000-memory.dmp

memory/3232-133-0x0000000000910000-0x0000000000E64000-memory.dmp

memory/3232-134-0x00000000774D0000-0x0000000077673000-memory.dmp

memory/3232-135-0x0000000000910000-0x0000000000E64000-memory.dmp

memory/3688-136-0x0000000000000000-mapping.dmp

memory/3232-137-0x0000000000910000-0x0000000000E64000-memory.dmp

memory/2348-145-0x0000000000000000-mapping.dmp

C:\ProgramData\XcfphEnUK\OGIFOJ~1.ZIP

MD5 33d87dc210f3bb4c2c39af2eefd8f139
SHA1 940f485029051b8900db7e091182311d2f88b70c
SHA256 bb2a03f08f913e0da257d3e8675062eb135cbef29b9655a15ccac7fdf81f8e1f
SHA512 cdf6f4ecd8fdbb6a9b09511227c3af13e1b85f32a600d47123eba9194aab3c78a60c78bb8ade2df885ad463cf43c9bfa43b45544e13db9f842e9e7e4439401f1

C:\ProgramData\XcfphEnUK\MOZ_CO~1.DB

MD5 89d4b62651fa5c864b12f3ea6b1521cb
SHA1 570d48367b6b66ade9900a9f22d67d67a8fb2081
SHA256 22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70
SHA512 e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

C:\ProgramData\XcfphEnUK\Files\_Screen.jpg

MD5 34eec874419f303664c334c229235a4a
SHA1 bdfd50c36a8a0e83260349dd3dd4c10c4f132b64
SHA256 fa7f25d1d7ae3b6da665143c380b06ffeba4b4635b37bffc3c328c68f5e4e58e
SHA512 c519cec9c9ece0bf65168d706352c10ae1d22ee568fc7feb867a83608c9f5869e5fb6b75618092c2f7b19477c9840ee6c5416fc011b5298b63497ca851b1cab1

C:\ProgramData\XcfphEnUK\Files\_Info.txt

MD5 1e60a7a795eec078737ab72b62fdbcbd
SHA1 bfcccd9608176a9fbd83346cd00b5496e4b5c2d1
SHA256 cef0efd8dcbe2fa073c72d66f7837b2cd3f59087dcb05bbbbb9ddfddf0f42a06
SHA512 8cd2c575e330aa9d5a8cc8f0235e2271e81a7c72f5817eab18dfab7f670baab67f1584d7818a7b70ab70be4fcee4c7722f45e0faf29d13833ba9351a88410f58

C:\ProgramData\XcfphEnUK\Files\Files\Desktop\GRANTR~1.TXT

MD5 7c0784119d2ccd2784e07956f7ddacb8
SHA1 13c00637b870dc8bac6f5026647e02bd27a86f2d
SHA256 9b81d98c3d97d0c5a0f349778e7cbbac7ac7806b24f016bd40b38c5f55eff775
SHA512 5cf1849db135762f18c3350af5bb3aa68c2057beaf70d568ac7a4bbe6e22d97e0db041bee8b4457ebd30092652d0c5260fcce0a67f78c7a4bc3d437a8df5c253

C:\ProgramData\XcfphEnUK\Files\Browsers\_FILEC~1.TXT

MD5 81051bcc2cf1bedf378224b0a93e2877
SHA1 ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

C:\ProgramData\XcfphEnUK\47283761.txt

MD5 b26465add1927d3a0d318f8a83fb603e
SHA1 72b1d6895160c6a58483583856bfb57d580abc9f
SHA256 79407f411759c49be519022a762862f09dd8439362785f37902bac62d93a047e
SHA512 914ab20fd6b55dbe9478fc3169e94ef14d76ffbfaab132280ae248ed516697624ac34bdc9219bc242dcedd29544e526c5c1cb58721f61d76b524e95c44d60a95

memory/3232-146-0x00000000774D0000-0x0000000077673000-memory.dmp