Overview

overview

10

Static

static

1

01fa8fae54...e4.exe

windows7-x64

10

01fa8fae54...e4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2023 04:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01fa8fae5458ea9957a3bb12dcbd11e4.exe

  • Size

    795KB

  • MD5

    01fa8fae5458ea9957a3bb12dcbd11e4

  • SHA1

    5bcbe5b6a5b2b68ae4161514e74b47166d7a1c2b

  • SHA256

    daf7181b5562f37fcbcbb6a56b9d24f8ab7e13671f005b4827dae547e875c146

  • SHA512

    b112f312accb42499421adf78662dc03d1a7de6f961ff0f884586cfec4a791db968d355925fc25ab8bb4fea748ada5e8f4b5d2d5c2852a86ec1f6eb93a6a2730

  • SSDEEP

    24576:cDk1HdvLQ7bpaCIOfCgyx5sNWwwY+eP7H:cOOYayzPwVL

Score
10/10
cryptbotdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

cryptbot

C2

http://ernjxs12.top/gate.php

Attributes
  • payload_url

    http://ovaxlo01.top/chavez.dat

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 19 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe
    "C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe
      "C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe"
      2⤵
      • Maps connected drives based on registry
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:812
        • C:\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe
          C:\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2008
          • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
            "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            PID:1168
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1208
        • C:\Windows\SysWOW64\timeout.exe
          timeout -t 5
          4⤵
          • Delays execution with timeout.exe
          PID:1604

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\A44.tmp
    Filesize

    32B

    MD5

    48255136fc205998b4ebbe6f72b5cdd0

    SHA1

    c6f2c7fdd75a999a61ddfb5b4923d6a0dad917b1

    SHA256

    00523df8a35803806212867d9f6ab89d17a1bfdd3aef5fbb1dc10fcd6faa114c

    SHA512

    c74a7e214f93d124aed393e00f720ac91ca46328f4edf710b26235145b676003261943e4779acbc52ef14667a78636968c04c1065ac5cc70ba9f54d6ab0226de

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\B04.tmp
    Filesize

    71KB

    MD5

    6082dd13ad8102d17f9db9cd07600e97

    SHA1

    39becc88cea914d843b3c5521038907f2f2f4e71

    SHA256

    40a3f938c8c1eb929771c444d5f8887c42c7cde6281690e2071a2593ba92e48a

    SHA512

    b7d5c716b6339b3138492c8b0cf4c9540a8d8224f9d5e72e34ceab442bdfa9c855473bbed68a489851f019461e1b1f9d86baf067be556c67b948c930899d3c1e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe
    Filesize

    2.7MB

    MD5

    b20856ec703ece334bf18db476027bdb

    SHA1

    c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

    SHA256

    e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

    SHA512

    073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

    Download Submit

  • C:\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe
    Filesize

    2.7MB

    MD5

    b20856ec703ece334bf18db476027bdb

    SHA1

    c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

    SHA256

    e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

    SHA512

    073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    Filesize

    2.7MB

    MD5

    b20856ec703ece334bf18db476027bdb

    SHA1

    c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

    SHA256

    e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

    SHA512

    073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

    Download Submit

  • \Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe
    Filesize

    2.7MB

    MD5

    b20856ec703ece334bf18db476027bdb

    SHA1

    c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

    SHA256

    e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

    SHA512

    073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

    Download Submit

  • \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    Filesize

    2.7MB

    MD5

    b20856ec703ece334bf18db476027bdb

    SHA1

    c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

    SHA256

    e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

    SHA512

    073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

    Download Submit

  • memory/812-146-0x0000000002030000-0x0000000002720000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1168-158-0x00000000000E0000-0x00000000007D0000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1168-160-0x00000000000E0000-0x00000000007D0000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1168-161-0x00000000000E0000-0x00000000007D0000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1168-156-0x00000000000E0000-0x00000000007D0000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1168-157-0x00000000000E0000-0x00000000007D0000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1168-155-0x00000000000E0000-0x00000000007D0000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1168-159-0x00000000000E0000-0x00000000007D0000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1484-55-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1484-60-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1484-64-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1484-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1484-57-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1484-58-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1484-62-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1484-137-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1484-59-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1484-54-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1484-94-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1484-56-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/2008-144-0x0000000000990000-0x0000000001080000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2008-153-0x0000000000990000-0x0000000001080000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2008-148-0x0000000000990000-0x0000000001080000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2008-147-0x0000000000990000-0x0000000001080000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2008-145-0x0000000000990000-0x0000000001080000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2008-143-0x0000000000990000-0x0000000001080000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2008-142-0x0000000000990000-0x0000000001080000-memory.dmp

    Filesize

    6.9MB

    Download