cryptbot | daf7181b5562f37fcbcbb6a56b9d24f8ab7e13671f005b4827dae547e875c146

Analysis

max time kernel
144s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01fa8fae5458ea9957a3bb12dcbd11e4.exe
Size

795KB
MD5

01fa8fae5458ea9957a3bb12dcbd11e4
SHA1

5bcbe5b6a5b2b68ae4161514e74b47166d7a1c2b
SHA256

daf7181b5562f37fcbcbb6a56b9d24f8ab7e13671f005b4827dae547e875c146
SHA512

b112f312accb42499421adf78662dc03d1a7de6f961ff0f884586cfec4a791db968d355925fc25ab8bb4fea748ada5e8f4b5d2d5c2852a86ec1f6eb93a6a2730
SSDEEP

24576:cDk1HdvLQ7bpaCIOfCgyx5sNWwwY+eP7H:cOOYayzPwVL

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

cryptbot

http://ernjxs12.top/gate.php

Attributes

payload_url
http://ovaxlo01.top/chavez.dat

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

chavez.exeDpEditor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chavez.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DpEditor.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chavez.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chavez.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chavez.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1208 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

chavez.exeDpEditor.exe

pid process

2008 chavez.exe
1168 DpEditor.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exechavez.exe

pid process

812 cmd.exe
2008 chavez.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1208	cmd.exe

pid	process
2008	chavez.exe
1168	DpEditor.exe

pid	process
812	cmd.exe
2008	chavez.exe

Themida packer 19 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe	themida
C:\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe	themida
C:\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe	themida
behavioral1/memory/2008-142-0x0000000000990000-0x0000000001080000-memory.dmp	themida
behavioral1/memory/2008-143-0x0000000000990000-0x0000000001080000-memory.dmp	themida
behavioral1/memory/2008-144-0x0000000000990000-0x0000000001080000-memory.dmp	themida
behavioral1/memory/2008-145-0x0000000000990000-0x0000000001080000-memory.dmp	themida
behavioral1/memory/2008-147-0x0000000000990000-0x0000000001080000-memory.dmp	themida
behavioral1/memory/2008-148-0x0000000000990000-0x0000000001080000-memory.dmp	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/2008-153-0x0000000000990000-0x0000000001080000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/1168-155-0x00000000000E0000-0x00000000007D0000-memory.dmp	themida
behavioral1/memory/1168-156-0x00000000000E0000-0x00000000007D0000-memory.dmp	themida
behavioral1/memory/1168-157-0x00000000000E0000-0x00000000007D0000-memory.dmp	themida
behavioral1/memory/1168-158-0x00000000000E0000-0x00000000007D0000-memory.dmp	themida
behavioral1/memory/1168-159-0x00000000000E0000-0x00000000007D0000-memory.dmp	themida
behavioral1/memory/1168-160-0x00000000000E0000-0x00000000007D0000-memory.dmp	themida
behavioral1/memory/1168-161-0x00000000000E0000-0x00000000007D0000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

chavez.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	chavez.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

01fa8fae5458ea9957a3bb12dcbd11e4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	01fa8fae5458ea9957a3bb12dcbd11e4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	01fa8fae5458ea9957a3bb12dcbd11e4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

chavez.exeDpEditor.exe

pid process

2008 chavez.exe
1168 DpEditor.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

01fa8fae5458ea9957a3bb12dcbd11e4.exe

description pid process target process

PID 1320 set thread context of 1484 1320 01fa8fae5458ea9957a3bb12dcbd11e4.exe 01fa8fae5458ea9957a3bb12dcbd11e4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2008	chavez.exe
1168	DpEditor.exe

description	pid	process	target process
PID 1320 set thread context of 1484	1320	01fa8fae5458ea9957a3bb12dcbd11e4.exe	01fa8fae5458ea9957a3bb12dcbd11e4.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

01fa8fae5458ea9957a3bb12dcbd11e4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	01fa8fae5458ea9957a3bb12dcbd11e4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	01fa8fae5458ea9957a3bb12dcbd11e4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	01fa8fae5458ea9957a3bb12dcbd11e4.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1604 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

1168 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

01fa8fae5458ea9957a3bb12dcbd11e4.exechavez.exeDpEditor.exe

pid process

1484 01fa8fae5458ea9957a3bb12dcbd11e4.exe
2008 chavez.exe
1168 DpEditor.exe

pid	process
1604	timeout.exe

pid	process
1168	DpEditor.exe

pid	process
1484	01fa8fae5458ea9957a3bb12dcbd11e4.exe
2008	chavez.exe
1168	DpEditor.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

01fa8fae5458ea9957a3bb12dcbd11e4.exe01fa8fae5458ea9957a3bb12dcbd11e4.execmd.execmd.exechavez.exe

description	pid	process	target process
PID 1320 wrote to memory of 1484	1320	01fa8fae5458ea9957a3bb12dcbd11e4.exe	01fa8fae5458ea9957a3bb12dcbd11e4.exe
PID 1320 wrote to memory of 1484	1320	01fa8fae5458ea9957a3bb12dcbd11e4.exe	01fa8fae5458ea9957a3bb12dcbd11e4.exe
PID 1320 wrote to memory of 1484	1320	01fa8fae5458ea9957a3bb12dcbd11e4.exe	01fa8fae5458ea9957a3bb12dcbd11e4.exe
PID 1320 wrote to memory of 1484	1320	01fa8fae5458ea9957a3bb12dcbd11e4.exe	01fa8fae5458ea9957a3bb12dcbd11e4.exe
PID 1320 wrote to memory of 1484	1320	01fa8fae5458ea9957a3bb12dcbd11e4.exe	01fa8fae5458ea9957a3bb12dcbd11e4.exe
PID 1320 wrote to memory of 1484	1320	01fa8fae5458ea9957a3bb12dcbd11e4.exe	01fa8fae5458ea9957a3bb12dcbd11e4.exe
PID 1320 wrote to memory of 1484	1320	01fa8fae5458ea9957a3bb12dcbd11e4.exe	01fa8fae5458ea9957a3bb12dcbd11e4.exe
PID 1320 wrote to memory of 1484	1320	01fa8fae5458ea9957a3bb12dcbd11e4.exe	01fa8fae5458ea9957a3bb12dcbd11e4.exe
PID 1320 wrote to memory of 1484	1320	01fa8fae5458ea9957a3bb12dcbd11e4.exe	01fa8fae5458ea9957a3bb12dcbd11e4.exe
PID 1320 wrote to memory of 1484	1320	01fa8fae5458ea9957a3bb12dcbd11e4.exe	01fa8fae5458ea9957a3bb12dcbd11e4.exe
PID 1320 wrote to memory of 1484	1320	01fa8fae5458ea9957a3bb12dcbd11e4.exe	01fa8fae5458ea9957a3bb12dcbd11e4.exe
PID 1320 wrote to memory of 1484	1320	01fa8fae5458ea9957a3bb12dcbd11e4.exe	01fa8fae5458ea9957a3bb12dcbd11e4.exe
PID 1484 wrote to memory of 812	1484	01fa8fae5458ea9957a3bb12dcbd11e4.exe	cmd.exe
PID 1484 wrote to memory of 812	1484	01fa8fae5458ea9957a3bb12dcbd11e4.exe	cmd.exe
PID 1484 wrote to memory of 812	1484	01fa8fae5458ea9957a3bb12dcbd11e4.exe	cmd.exe
PID 1484 wrote to memory of 812	1484	01fa8fae5458ea9957a3bb12dcbd11e4.exe	cmd.exe
PID 1484 wrote to memory of 1208	1484	01fa8fae5458ea9957a3bb12dcbd11e4.exe	cmd.exe
PID 1484 wrote to memory of 1208	1484	01fa8fae5458ea9957a3bb12dcbd11e4.exe	cmd.exe
PID 1484 wrote to memory of 1208	1484	01fa8fae5458ea9957a3bb12dcbd11e4.exe	cmd.exe
PID 1484 wrote to memory of 1208	1484	01fa8fae5458ea9957a3bb12dcbd11e4.exe	cmd.exe
PID 812 wrote to memory of 2008	812	cmd.exe	chavez.exe
PID 812 wrote to memory of 2008	812	cmd.exe	chavez.exe
PID 812 wrote to memory of 2008	812	cmd.exe	chavez.exe
PID 812 wrote to memory of 2008	812	cmd.exe	chavez.exe
PID 1208 wrote to memory of 1604	1208	cmd.exe	timeout.exe
PID 1208 wrote to memory of 1604	1208	cmd.exe	timeout.exe
PID 1208 wrote to memory of 1604	1208	cmd.exe	timeout.exe
PID 1208 wrote to memory of 1604	1208	cmd.exe	timeout.exe
PID 2008 wrote to memory of 1168	2008	chavez.exe	DpEditor.exe
PID 2008 wrote to memory of 1168	2008	chavez.exe	DpEditor.exe
PID 2008 wrote to memory of 1168	2008	chavez.exe	DpEditor.exe
PID 2008 wrote to memory of 1168	2008	chavez.exe	DpEditor.exe

C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe
"C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe
"C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe"
2⤵
- Maps connected drives based on registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe
C:\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\timeout.exe
timeout -t 5
4⤵
- Delays execution with timeout.exe
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A44.tmp
Filesize
32B

MD5
48255136fc205998b4ebbe6f72b5cdd0

SHA1
c6f2c7fdd75a999a61ddfb5b4923d6a0dad917b1

SHA256
00523df8a35803806212867d9f6ab89d17a1bfdd3aef5fbb1dc10fcd6faa114c

SHA512
c74a7e214f93d124aed393e00f720ac91ca46328f4edf710b26235145b676003261943e4779acbc52ef14667a78636968c04c1065ac5cc70ba9f54d6ab0226de

Download Submit
C:\Users\Admin\AppData\Local\Temp\B04.tmp
Filesize
71KB

MD5
6082dd13ad8102d17f9db9cd07600e97

SHA1
39becc88cea914d843b3c5521038907f2f2f4e71

SHA256
40a3f938c8c1eb929771c444d5f8887c42c7cde6281690e2071a2593ba92e48a

SHA512
b7d5c716b6339b3138492c8b0cf4c9540a8d8224f9d5e72e34ceab442bdfa9c855473bbed68a489851f019461e1b1f9d86baf067be556c67b948c930899d3c1e

Download Submit
C:\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe
Filesize
2.7MB

MD5
b20856ec703ece334bf18db476027bdb

SHA1
c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

SHA256
e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

SHA512
073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

Download Submit
C:\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe
Filesize
2.7MB

MD5
b20856ec703ece334bf18db476027bdb

SHA1
c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

SHA256
e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

SHA512
073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
Filesize
2.7MB

MD5
b20856ec703ece334bf18db476027bdb

SHA1
c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

SHA256
e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

SHA512
073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

Download Submit
\Users\Admin\AppData\Roaming\C7623F2C40B0A4B3\chavez.exe
Filesize
2.7MB

MD5
b20856ec703ece334bf18db476027bdb

SHA1
c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

SHA256
e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

SHA512
073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
Filesize
2.7MB

MD5
b20856ec703ece334bf18db476027bdb

SHA1
c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

SHA256
e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

SHA512
073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

Download Submit
memory/812-146-0x0000000002030000-0x0000000002720000-memory.dmp

Filesize
6.9MB

Download
memory/1168-158-0x00000000000E0000-0x00000000007D0000-memory.dmp

Filesize
6.9MB

Download
memory/1168-160-0x00000000000E0000-0x00000000007D0000-memory.dmp

Filesize
6.9MB

Download
memory/1168-161-0x00000000000E0000-0x00000000007D0000-memory.dmp

Filesize
6.9MB

Download
memory/1168-156-0x00000000000E0000-0x00000000007D0000-memory.dmp

Filesize
6.9MB

Download
memory/1168-157-0x00000000000E0000-0x00000000007D0000-memory.dmp

Filesize
6.9MB

Download
memory/1168-155-0x00000000000E0000-0x00000000007D0000-memory.dmp

Filesize
6.9MB

Download
memory/1168-159-0x00000000000E0000-0x00000000007D0000-memory.dmp

Filesize
6.9MB

Download
memory/1484-55-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1484-60-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1484-64-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1484-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1484-57-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1484-58-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1484-62-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1484-137-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1484-59-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1484-54-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1484-94-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1484-56-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2008-144-0x0000000000990000-0x0000000001080000-memory.dmp

Filesize
6.9MB

Download
memory/2008-153-0x0000000000990000-0x0000000001080000-memory.dmp

Filesize
6.9MB

Download
memory/2008-148-0x0000000000990000-0x0000000001080000-memory.dmp

Filesize
6.9MB

Download
memory/2008-147-0x0000000000990000-0x0000000001080000-memory.dmp

Filesize
6.9MB

Download
memory/2008-145-0x0000000000990000-0x0000000001080000-memory.dmp

Filesize
6.9MB

Download
memory/2008-143-0x0000000000990000-0x0000000001080000-memory.dmp

Filesize
6.9MB

Download
memory/2008-142-0x0000000000990000-0x0000000001080000-memory.dmp

Filesize
6.9MB

Download