cryptbot | badbe62809bb0e28103b6262c0dd32c56b946fde64d33887601b5a5f5840b651

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2023, 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc31a66d71c0e4a5d2880ef2a816804b.exe
Size

795KB
MD5

fc31a66d71c0e4a5d2880ef2a816804b
SHA1

c78be6e9edb831c7d84d26356ba2b2afe8bfcbe5
SHA256

badbe62809bb0e28103b6262c0dd32c56b946fde64d33887601b5a5f5840b651
SHA512

d5786d76ec8113b712c77ee44e823ca1ed9adf88504e0234b06ac5f5b5eb8501a5c74a26903e922f59128ecf822b7676cb01fdd5e9bc5d704d6800ff5b7c773c
SSDEEP

24576:8l2qdQAhBlF/8V7dES29Tx1NVVMJOp7MmLqRH:9o10RYjbHp9qF

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

cryptbot

http://xjuxjt32.top/gate.php

Attributes

payload_url
http://rymnyf04.top/saucer.dat

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	saucer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DpEditor.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	saucer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	saucer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	fc31a66d71c0e4a5d2880ef2a816804b.exe

Executes dropped EXE 2 IoCs

pid	Process
2876	saucer.exe
3424	DpEditor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0006000000022f8b-238.dat	themida
behavioral2/files/0x0006000000022f8b-237.dat	themida
behavioral2/memory/2876-239-0x0000000000EC0000-0x00000000015B0000-memory.dmp	themida
behavioral2/memory/2876-240-0x0000000000EC0000-0x00000000015B0000-memory.dmp	themida
behavioral2/memory/2876-241-0x0000000000EC0000-0x00000000015B0000-memory.dmp	themida
behavioral2/memory/2876-242-0x0000000000EC0000-0x00000000015B0000-memory.dmp	themida
behavioral2/memory/2876-243-0x0000000000EC0000-0x00000000015B0000-memory.dmp	themida
behavioral2/files/0x0006000000022f99-247.dat	themida
behavioral2/files/0x0006000000022f99-249.dat	themida
behavioral2/memory/2876-248-0x0000000000EC0000-0x00000000015B0000-memory.dmp	themida
behavioral2/memory/3424-250-0x0000000000460000-0x0000000000B50000-memory.dmp	themida
behavioral2/memory/3424-251-0x0000000000460000-0x0000000000B50000-memory.dmp	themida
behavioral2/memory/3424-252-0x0000000000460000-0x0000000000B50000-memory.dmp	themida
behavioral2/memory/3424-253-0x0000000000460000-0x0000000000B50000-memory.dmp	themida
behavioral2/memory/3424-254-0x0000000000460000-0x0000000000B50000-memory.dmp	themida
behavioral2/memory/3424-255-0x0000000000460000-0x0000000000B50000-memory.dmp	themida
behavioral2/memory/3424-256-0x0000000000460000-0x0000000000B50000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	saucer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	fc31a66d71c0e4a5d2880ef2a816804b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	fc31a66d71c0e4a5d2880ef2a816804b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2876	saucer.exe
3424	DpEditor.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3924 set thread context of 1984	3924	fc31a66d71c0e4a5d2880ef2a816804b.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fc31a66d71c0e4a5d2880ef2a816804b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	fc31a66d71c0e4a5d2880ef2a816804b.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	fc31a66d71c0e4a5d2880ef2a816804b.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1692	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3424	DpEditor.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1984	fc31a66d71c0e4a5d2880ef2a816804b.exe
1984	fc31a66d71c0e4a5d2880ef2a816804b.exe
2876	saucer.exe
2876	saucer.exe
3424	DpEditor.exe
3424	DpEditor.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 1984	3924	fc31a66d71c0e4a5d2880ef2a816804b.exe	85
PID 3924 wrote to memory of 1984	3924	fc31a66d71c0e4a5d2880ef2a816804b.exe	85
PID 3924 wrote to memory of 1984	3924	fc31a66d71c0e4a5d2880ef2a816804b.exe	85
PID 3924 wrote to memory of 1984	3924	fc31a66d71c0e4a5d2880ef2a816804b.exe	85
PID 3924 wrote to memory of 1984	3924	fc31a66d71c0e4a5d2880ef2a816804b.exe	85
PID 3924 wrote to memory of 1984	3924	fc31a66d71c0e4a5d2880ef2a816804b.exe	85
PID 3924 wrote to memory of 1984	3924	fc31a66d71c0e4a5d2880ef2a816804b.exe	85
PID 3924 wrote to memory of 1984	3924	fc31a66d71c0e4a5d2880ef2a816804b.exe	85
PID 3924 wrote to memory of 1984	3924	fc31a66d71c0e4a5d2880ef2a816804b.exe	85
PID 3924 wrote to memory of 1984	3924	fc31a66d71c0e4a5d2880ef2a816804b.exe	85
PID 3924 wrote to memory of 1984	3924	fc31a66d71c0e4a5d2880ef2a816804b.exe	85
PID 1984 wrote to memory of 4244	1984	fc31a66d71c0e4a5d2880ef2a816804b.exe	88
PID 1984 wrote to memory of 4244	1984	fc31a66d71c0e4a5d2880ef2a816804b.exe	88
PID 1984 wrote to memory of 4244	1984	fc31a66d71c0e4a5d2880ef2a816804b.exe	88
PID 1984 wrote to memory of 548	1984	fc31a66d71c0e4a5d2880ef2a816804b.exe	90
PID 1984 wrote to memory of 548	1984	fc31a66d71c0e4a5d2880ef2a816804b.exe	90
PID 1984 wrote to memory of 548	1984	fc31a66d71c0e4a5d2880ef2a816804b.exe	90
PID 548 wrote to memory of 1692	548	cmd.exe	94
PID 548 wrote to memory of 1692	548	cmd.exe	94
PID 548 wrote to memory of 1692	548	cmd.exe	94
PID 4244 wrote to memory of 2876	4244	cmd.exe	93
PID 4244 wrote to memory of 2876	4244	cmd.exe	93
PID 4244 wrote to memory of 2876	4244	cmd.exe	93
PID 2876 wrote to memory of 3424	2876	saucer.exe	98
PID 2876 wrote to memory of 3424	2876	saucer.exe	98
PID 2876 wrote to memory of 3424	2876	saucer.exe	98

C:\Users\Admin\AppData\Local\Temp\fc31a66d71c0e4a5d2880ef2a816804b.exe
"C:\Users\Admin\AppData\Local\Temp\fc31a66d71c0e4a5d2880ef2a816804b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\fc31a66d71c0e4a5d2880ef2a816804b.exe
  "C:\Users\Admin\AppData\Local\Temp\fc31a66d71c0e4a5d2880ef2a816804b.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\F55C879FF27ACA64\saucer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Users\Admin\AppData\Roaming\F55C879FF27ACA64\saucer.exe
      C:\Users\Admin\AppData\Roaming\F55C879FF27ACA64\saucer.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
        
        "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        
        PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\fc31a66d71c0e4a5d2880ef2a816804b.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\SysWOW64\timeout.exe
      timeout -t 5
      4⤵
      Delays execution with timeout.exe
      PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D702.tmp

Filesize
32B

MD5
18435224b67e2dce29d96efdf3369084

SHA1
3dc3ea4fc37493f0b223f416fcd8c28f331fbd88

SHA256
a7292bb308500cbe976fca209e0e02f5a22aa2ee51c6a603b32ab9e574bb0138

SHA512
66029de2edb19f78b1b5cfc6a15fd8d3d578c7eacf53ad5691cc25a084f2c332ccd87594fd850d822abf90670e6bfbb466fbc2ee0541beff0a94a039277acaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8CB.tmp

Filesize
71KB

MD5
53bf804f75123ed2339305be1d298398

SHA1
33a337e3e219da8ecd237b44fbcaf4864124a012

SHA256
7d6155b8b6c9a78a70af6be7df47f1dac5f40215f4a6ae431d1ee27c021888f8

SHA512
7611c75031b77b6098f1e70c1b27e0a95f259616f8b2f8acc734e371998badf321c10c9fb8669d61615673f0fb65787f0398966bda38cd430e009c83df00e16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0E5.tmp

Filesize
2KB

MD5
b2446d155f77cf70a33bb0c25172fa3f

SHA1
c20d68dad9e872b4607a5677c4851f863c28daf7

SHA256
0faba9ea9b88b2982372c66b2eea8d6a5d99fc565c37db53ba6a4075619cfffb

SHA512
5d38e78c38f64a989570b431f7d2ef660c0678b3dc25baf3244499308535492de861a244e262720e36eeb4f8127eca62679c0b0383350c302783246191e82654

Download Submit
C:\Users\Admin\AppData\Roaming\F55C879FF27ACA64\saucer.exe

Filesize
2.7MB

MD5
24eac639659b49e7c9dd64c2dc89011a

SHA1
5a2e2f04c15d83ce09964ac60e2900fce19fd32d

SHA256
f8a5641fe884734069cb091b83c30d6492907f51b49afae92d4d262584d06721

SHA512
30a4cf3ee204b7f901cf6a81bf9a91198cbbbae52a5e53ec3c0198dd45cf51e96b8c82c4fe9af2b38f28f6bc4d1336e378b6ccda0a7cf13dad042b65e93b6e44

Download Submit
C:\Users\Admin\AppData\Roaming\F55C879FF27ACA64\saucer.exe

Filesize
2.7MB

MD5
24eac639659b49e7c9dd64c2dc89011a

SHA1
5a2e2f04c15d83ce09964ac60e2900fce19fd32d

SHA256
f8a5641fe884734069cb091b83c30d6492907f51b49afae92d4d262584d06721

SHA512
30a4cf3ee204b7f901cf6a81bf9a91198cbbbae52a5e53ec3c0198dd45cf51e96b8c82c4fe9af2b38f28f6bc4d1336e378b6ccda0a7cf13dad042b65e93b6e44

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

Filesize
2.7MB

MD5
24eac639659b49e7c9dd64c2dc89011a

SHA1
5a2e2f04c15d83ce09964ac60e2900fce19fd32d

SHA256
f8a5641fe884734069cb091b83c30d6492907f51b49afae92d4d262584d06721

SHA512
30a4cf3ee204b7f901cf6a81bf9a91198cbbbae52a5e53ec3c0198dd45cf51e96b8c82c4fe9af2b38f28f6bc4d1336e378b6ccda0a7cf13dad042b65e93b6e44

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

Filesize
2.7MB

MD5
24eac639659b49e7c9dd64c2dc89011a

SHA1
5a2e2f04c15d83ce09964ac60e2900fce19fd32d

SHA256
f8a5641fe884734069cb091b83c30d6492907f51b49afae92d4d262584d06721

SHA512
30a4cf3ee204b7f901cf6a81bf9a91198cbbbae52a5e53ec3c0198dd45cf51e96b8c82c4fe9af2b38f28f6bc4d1336e378b6ccda0a7cf13dad042b65e93b6e44

Download Submit
memory/1984-133-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1984-134-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1984-135-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1984-136-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1984-234-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2876-241-0x0000000000EC0000-0x00000000015B0000-memory.dmp

Filesize
6.9MB

Download
memory/2876-242-0x0000000000EC0000-0x00000000015B0000-memory.dmp

Filesize
6.9MB

Download
memory/2876-243-0x0000000000EC0000-0x00000000015B0000-memory.dmp

Filesize
6.9MB

Download
memory/2876-240-0x0000000000EC0000-0x00000000015B0000-memory.dmp

Filesize
6.9MB

Download
memory/2876-239-0x0000000000EC0000-0x00000000015B0000-memory.dmp

Filesize
6.9MB

Download
memory/2876-248-0x0000000000EC0000-0x00000000015B0000-memory.dmp

Filesize
6.9MB

Download
memory/3424-250-0x0000000000460000-0x0000000000B50000-memory.dmp

Filesize
6.9MB

Download
memory/3424-251-0x0000000000460000-0x0000000000B50000-memory.dmp

Filesize
6.9MB

Download
memory/3424-252-0x0000000000460000-0x0000000000B50000-memory.dmp

Filesize
6.9MB

Download
memory/3424-253-0x0000000000460000-0x0000000000B50000-memory.dmp

Filesize
6.9MB

Download
memory/3424-254-0x0000000000460000-0x0000000000B50000-memory.dmp

Filesize
6.9MB

Download
memory/3424-255-0x0000000000460000-0x0000000000B50000-memory.dmp

Filesize
6.9MB

Download
memory/3424-256-0x0000000000460000-0x0000000000B50000-memory.dmp

Filesize
6.9MB

Download