Overview

overview

10

Static

static

1

01fa8fae54...e4.exe

windows7-x64

10

01fa8fae54...e4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-03-2023 04:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01fa8fae5458ea9957a3bb12dcbd11e4.exe

  • Size

    795KB

  • MD5

    01fa8fae5458ea9957a3bb12dcbd11e4

  • SHA1

    5bcbe5b6a5b2b68ae4161514e74b47166d7a1c2b

  • SHA256

    daf7181b5562f37fcbcbb6a56b9d24f8ab7e13671f005b4827dae547e875c146

  • SHA512

    b112f312accb42499421adf78662dc03d1a7de6f961ff0f884586cfec4a791db968d355925fc25ab8bb4fea748ada5e8f4b5d2d5c2852a86ec1f6eb93a6a2730

  • SSDEEP

    24576:cDk1HdvLQ7bpaCIOfCgyx5sNWwwY+eP7H:cOOYayzPwVL

Score
10/10
cryptbotdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

cryptbot

C2

http://ernjxs12.top/gate.php

Attributes
  • payload_url

    http://ovaxlo01.top/chavez.dat

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 19 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe
    "C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe
      "C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe"
      2⤵
      • Checks computer location settings
      • Maps connected drives based on registry
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\2F433E85972F43FD\chavez.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4288
        • C:\Users\Admin\AppData\Roaming\2F433E85972F43FD\chavez.exe
          C:\Users\Admin\AppData\Roaming\2F433E85972F43FD\chavez.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4860
          • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
            "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            PID:1796
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\01fa8fae5458ea9957a3bb12dcbd11e4.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3720
        • C:\Windows\SysWOW64\timeout.exe
          timeout -t 5
          4⤵
          • Delays execution with timeout.exe
          PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7356.tmp
    Filesize

    32B

    MD5

    6bb6e374b5dbd021622648b4d4e9afc7

    SHA1

    df356bb84780e332c960769d552f67d1f5221cce

    SHA256

    6546a2ec37419190b5f256f2c09efd90f8dd11fe98e5ae4521f8e07ecd64a2aa

    SHA512

    42b05356304dbbf2dd1ba7c7bc8dd2fcfc908d80fcd7c25771a3722ac946fd04575591d530e802799f8c17d9622db361f76b69c3985fd1ee63fce38777938644

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\754E.tmp
    Filesize

    71KB

    MD5

    92d24961d2ebaacf1ace5463dfc9930d

    SHA1

    99ffaf6904ab616c33a37ce01d383e4a493df335

    SHA256

    9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3

    SHA512

    77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\7C9D.tmp
    Filesize

    2KB

    MD5

    dce9b749d38fdc247ab517e8a76e6102

    SHA1

    d6c5b6548e1a3da3326bd097c50c49fc7906be3f

    SHA256

    5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7

    SHA512

    56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446

    Download Submit
  • C:\Users\Admin\AppData\Roaming\2F433E85972F43FD\chavez.exe
    Filesize

    2.7MB

    MD5

    b20856ec703ece334bf18db476027bdb

    SHA1

    c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

    SHA256

    e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

    SHA512

    073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

    Download Submit
  • C:\Users\Admin\AppData\Roaming\2F433E85972F43FD\chavez.exe
    Filesize

    2.7MB

    MD5

    b20856ec703ece334bf18db476027bdb

    SHA1

    c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

    SHA256

    e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

    SHA512

    073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

    Download Submit
  • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    Filesize

    2.7MB

    MD5

    b20856ec703ece334bf18db476027bdb

    SHA1

    c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

    SHA256

    e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

    SHA512

    073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

    Download Submit
  • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    Filesize

    2.7MB

    MD5

    b20856ec703ece334bf18db476027bdb

    SHA1

    c9429cd83bb8c6bc74cc6644f1d16c33a69b6775

    SHA256

    e5bc9be853ca473ae7deb7619052c2ff8ff55526dd046f5e2c5c92d44625aaaa

    SHA512

    073c3442972215724581b5c92b4e784a0273366a72a8100b33c8d32d5a22513022e8db6ebf3ca6f970c6541e5450ba3ab810562f283d11e186a3e899fc50e149

    Download Submit
  • memory/1248-133-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize

    816KB

    Download
  • memory/1248-134-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize

    816KB

    Download
  • memory/1248-135-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize

    816KB

    Download
  • memory/1248-136-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize

    816KB

    Download
  • memory/1248-240-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize

    816KB

    Download
  • memory/1796-263-0x0000000000600000-0x0000000000CF0000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1796-261-0x0000000000600000-0x0000000000CF0000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1796-259-0x0000000000600000-0x0000000000CF0000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1796-260-0x0000000000600000-0x0000000000CF0000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1796-262-0x0000000000600000-0x0000000000CF0000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1796-257-0x0000000000600000-0x0000000000CF0000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1796-258-0x0000000000600000-0x0000000000CF0000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1796-256-0x0000000000600000-0x0000000000CF0000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4860-247-0x0000000000D90000-0x0000000001480000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4860-255-0x0000000000D90000-0x0000000001480000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4860-250-0x0000000000D90000-0x0000000001480000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4860-249-0x0000000000D90000-0x0000000001480000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4860-248-0x0000000000D90000-0x0000000001480000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4860-246-0x0000000000D90000-0x0000000001480000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4860-245-0x0000000000D90000-0x0000000001480000-memory.dmp
    Filesize

    6.9MB

    Download