Malware Analysis Report

2025-04-13 11:28

Sample ID 220625-lrzgaaheb8
Target b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82
SHA256 b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82
Tags
cryptbot discovery evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82

Threat Level: Known bad

The file b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery evasion spyware stealer

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks BIOS information in registry

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-25 09:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-25 09:46

Reported

2022-06-25 11:45

Platform

win7-20220414-en

Max time kernel

153s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe

"C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 kafurr02.top udp

Files

memory/1704-54-0x0000000000400000-0x00000000008FC000-memory.dmp

memory/1704-55-0x0000000076241000-0x0000000076243000-memory.dmp

memory/1704-56-0x0000000077650000-0x00000000777D0000-memory.dmp

memory/1704-57-0x0000000000400000-0x00000000008FC000-memory.dmp

memory/1704-58-0x0000000000400000-0x00000000008FC000-memory.dmp

memory/1704-59-0x0000000077650000-0x00000000777D0000-memory.dmp

memory/1704-60-0x0000000000400000-0x00000000008FC000-memory.dmp

memory/1704-61-0x00000000742D1000-0x00000000742D3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-25 09:46

Reported

2022-06-25 11:46

Platform

win10v2004-20220414-en

Max time kernel

177s

Max time network

193s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe

"C:\Users\Admin\AppData\Local\Temp\b2a7a30663a651308964f1eaa1d1a5270b31caa343749700b2891bd81f2b3d82.exe"

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 8.238.111.254:80 tcp
GB 51.105.71.136:443 tcp
US 8.238.111.254:80 tcp
US 8.238.111.254:80 tcp
US 8.238.111.254:80 tcp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 106.89.54.20.in-addr.arpa udp
US 8.8.8.8:53 a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa udp

Files

memory/3988-130-0x0000000000400000-0x00000000008FC000-memory.dmp

memory/3988-131-0x0000000000400000-0x00000000008FC000-memory.dmp

memory/3988-132-0x00000000771A0000-0x0000000077343000-memory.dmp