cryptbot | daf7181b5562f37fcbcbb6a56b9d24f8ab7e13671f005b4827dae547e875c146

Analysis

max time kernel
143s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2023, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01fa8fae5458ea9957a3bb12dcbd11e4.exe
Size

795KB
MD5

01fa8fae5458ea9957a3bb12dcbd11e4
SHA1

5bcbe5b6a5b2b68ae4161514e74b47166d7a1c2b
SHA256

daf7181b5562f37fcbcbb6a56b9d24f8ab7e13671f005b4827dae547e875c146
SHA512

b112f312accb42499421adf78662dc03d1a7de6f961ff0f884586cfec4a791db968d355925fc25ab8bb4fea748ada5e8f4b5d2d5c2852a86ec1f6eb93a6a2730
SSDEEP

24576:cDk1HdvLQ7bpaCIOfCgyx5sNWwwY+eP7H:cOOYayzPwVL

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

cryptbot

http://ernjxs12.top/gate.php

Attributes

payload_url
http://ovaxlo01.top/chavez.dat

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chavez.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DpEditor.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chavez.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chavez.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	01fa8fae5458ea9957a3bb12dcbd11e4.exe

Executes dropped EXE 2 IoCs

pid	Process
4860	chavez.exe
1796	DpEditor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 19 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0008000000023126-243.dat	themida
behavioral2/files/0x0008000000023126-244.dat	themida
behavioral2/memory/4860-245-0x0000000000D90000-0x0000000001480000-memory.dmp	themida
behavioral2/memory/4860-246-0x0000000000D90000-0x0000000001480000-memory.dmp	themida
behavioral2/memory/4860-247-0x0000000000D90000-0x0000000001480000-memory.dmp	themida
behavioral2/memory/4860-248-0x0000000000D90000-0x0000000001480000-memory.dmp	themida
behavioral2/memory/4860-249-0x0000000000D90000-0x0000000001480000-memory.dmp	themida
behavioral2/memory/4860-250-0x0000000000D90000-0x0000000001480000-memory.dmp	themida
behavioral2/files/0x0006000000023155-253.dat	themida
behavioral2/files/0x0006000000023155-254.dat	themida
behavioral2/memory/4860-255-0x0000000000D90000-0x0000000001480000-memory.dmp	themida
behavioral2/memory/1796-256-0x0000000000600000-0x0000000000CF0000-memory.dmp	themida
behavioral2/memory/1796-257-0x0000000000600000-0x0000000000CF0000-memory.dmp	themida
behavioral2/memory/1796-258-0x0000000000600000-0x0000000000CF0000-memory.dmp	themida
behavioral2/memory/1796-260-0x0000000000600000-0x0000000000CF0000-memory.dmp	themida
behavioral2/memory/1796-259-0x0000000000600000-0x0000000000CF0000-memory.dmp	themida
behavioral2/memory/1796-261-0x0000000000600000-0x0000000000CF0000-memory.dmp	themida
behavioral2/memory/1796-262-0x0000000000600000-0x0000000000CF0000-memory.dmp	themida
behavioral2/memory/1796-263-0x0000000000600000-0x0000000000CF0000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	chavez.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	01fa8fae5458ea9957a3bb12dcbd11e4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	01fa8fae5458ea9957a3bb12dcbd11e4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4860	chavez.exe
1796	DpEditor.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 1248	2036	01fa8fae5458ea9957a3bb12dcbd11e4.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	01fa8fae5458ea9957a3bb12dcbd11e4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	01fa8fae5458ea9957a3bb12dcbd11e4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	01fa8fae5458ea9957a3bb12dcbd11e4.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1404	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1796	DpEditor.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1248	01fa8fae5458ea9957a3bb12dcbd11e4.exe
1248	01fa8fae5458ea9957a3bb12dcbd11e4.exe
4860	chavez.exe
4860	chavez.exe
1796	DpEditor.exe
1796	DpEditor.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1248	2036	01fa8fae5458ea9957a3bb12dcbd11e4.exe	88
PID 2036 wrote to memory of 1248	2036	01fa8fae5458ea9957a3bb12dcbd11e4.exe	88
PID 2036 wrote to memory of 1248	2036	01fa8fae5458ea9957a3bb12dcbd11e4.exe	88
PID 2036 wrote to memory of 1248	2036	01fa8fae5458ea9957a3bb12dcbd11e4.exe	88
PID 2036 wrote to memory of 1248	2036	01fa8fae5458ea9957a3bb12dcbd11e4.exe	88
PID 2036 wrote to memory of 1248	2036	01fa8fae5458ea9957a3bb12dcbd11e4.exe	88
PID 2036 wrote to memory of 1248	2036	01fa8fae5458ea9957a3bb12dcbd11e4.exe	88
PID 2036 wrote to memory of 1248	2036	01fa8fae5458ea9957a3bb12dcbd11e4.exe	88
PID 2036 wrote to memory of 1248	2036	01fa8fae5458ea9957a3bb12dcbd11e4.exe	88
PID 2036 wrote to memory of 1248	2036	01fa8fae5458ea9957a3bb12dcbd11e4.exe	88
PID 2036 wrote to memory of 1248	2036	01fa8fae5458ea9957a3bb12dcbd11e4.exe	88
PID 1248 wrote to memory of 4288	1248	01fa8fae5458ea9957a3bb12dcbd11e4.exe	92
PID 1248 wrote to memory of 4288	1248	01fa8fae5458ea9957a3bb12dcbd11e4.exe	92
PID 1248 wrote to memory of 4288	1248	01fa8fae5458ea9957a3bb12dcbd11e4.exe	92
PID 1248 wrote to memory of 3720	1248	01fa8fae5458ea9957a3bb12dcbd11e4.exe	94
PID 1248 wrote to memory of 3720	1248	01fa8fae5458ea9957a3bb12dcbd11e4.exe	94
PID 1248 wrote to memory of 3720	1248	01fa8fae5458ea9957a3bb12dcbd11e4.exe	94
PID 3720 wrote to memory of 1404	3720	cmd.exe	97
PID 3720 wrote to memory of 1404	3720	cmd.exe	97
PID 3720 wrote to memory of 1404	3720	cmd.exe	97
PID 4288 wrote to memory of 4860	4288	cmd.exe	96
PID 4288 wrote to memory of 4860	4288	cmd.exe	96
PID 4288 wrote to memory of 4860	4288	cmd.exe	96
PID 4860 wrote to memory of 1796	4860	chavez.exe	101
PID 4860 wrote to memory of 1796	4860	chavez.exe	101
PID 4860 wrote to memory of 1796	4860	chavez.exe	101

C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe
"C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe
  "C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\2F433E85972F43FD\chavez.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Users\Admin\AppData\Roaming\2F433E85972F43FD\chavez.exe
      C:\Users\Admin\AppData\Roaming\2F433E85972F43FD\chavez.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
        
        "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        
        PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout -t 5
      4⤵
      Delays execution with timeout.exe
      PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7356.tmp

Filesize
32B

MD5
6bb6e374b5dbd021622648b4d4e9afc7

SHA1
df356bb84780e332c960769d552f67d1f5221cce

SHA256
6546a2ec37419190b5f256f2c09efd90f8dd11fe98e5ae4521f8e07ecd64a2aa

SHA512
42b05356304dbbf2dd1ba7c7bc8dd2fcfc908d80fcd7c25771a3722ac946fd04575591d530e802799f8c17d9622db361f76b69c3985fd1ee63fce38777938644

Download Submit
C:\Users\Admin\AppData\Local\Temp\754E.tmp

Filesize
71KB

MD5
92d24961d2ebaacf1ace5463dfc9930d

SHA1
99ffaf6904ab616c33a37ce01d383e4a493df335

SHA256
9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3

SHA512
77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C9D.tmp

Filesize
2KB

MD5
dce9b749d38fdc247ab517e8a76e6102

SHA1
d6c5b6548e1a3da3326bd097c50c49fc7906be3f

SHA256
5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7

SHA512
56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446

Download Submit
C:\Users\Admin\AppData\Roaming\2F433E85972F43FD\chavez.exe

Filesize
2.7MB

MD5
b20856ec703ece334bf18db476027bdb

SHA1
c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

SHA256
e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

SHA512
073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

Download Submit
C:\Users\Admin\AppData\Roaming\2F433E85972F43FD\chavez.exe

Filesize
2.7MB

MD5
b20856ec703ece334bf18db476027bdb

SHA1
c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

SHA256
e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

SHA512
073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

Filesize
2.7MB

MD5
b20856ec703ece334bf18db476027bdb

SHA1
c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

SHA256
e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

SHA512
073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

Filesize
2.7MB

MD5
b20856ec703ece334bf18db476027bdb

SHA1
c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

SHA256
e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

SHA512
073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

Download Submit
memory/1248-133-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1248-134-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1248-135-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1248-136-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1248-240-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1796-263-0x0000000000600000-0x0000000000CF0000-memory.dmp

Filesize
6.9MB

Download
memory/1796-261-0x0000000000600000-0x0000000000CF0000-memory.dmp

Filesize
6.9MB

Download
memory/1796-259-0x0000000000600000-0x0000000000CF0000-memory.dmp

Filesize
6.9MB

Download
memory/1796-260-0x0000000000600000-0x0000000000CF0000-memory.dmp

Filesize
6.9MB

Download
memory/1796-262-0x0000000000600000-0x0000000000CF0000-memory.dmp

Filesize
6.9MB

Download
memory/1796-257-0x0000000000600000-0x0000000000CF0000-memory.dmp

Filesize
6.9MB

Download
memory/1796-258-0x0000000000600000-0x0000000000CF0000-memory.dmp

Filesize
6.9MB

Download
memory/1796-256-0x0000000000600000-0x0000000000CF0000-memory.dmp

Filesize
6.9MB

Download
memory/4860-247-0x0000000000D90000-0x0000000001480000-memory.dmp

Filesize
6.9MB

Download
memory/4860-255-0x0000000000D90000-0x0000000001480000-memory.dmp

Filesize
6.9MB

Download
memory/4860-250-0x0000000000D90000-0x0000000001480000-memory.dmp

Filesize
6.9MB

Download
memory/4860-249-0x0000000000D90000-0x0000000001480000-memory.dmp

Filesize
6.9MB

Download
memory/4860-248-0x0000000000D90000-0x0000000001480000-memory.dmp

Filesize
6.9MB

Download
memory/4860-246-0x0000000000D90000-0x0000000001480000-memory.dmp

Filesize
6.9MB

Download
memory/4860-245-0x0000000000D90000-0x0000000001480000-memory.dmp

Filesize
6.9MB

Download