Overview

overview

10

Static

static

7

sample.exe

windows7-x64

10

sample.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-03-2023 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample.exe

  • Size

    2.6MB

  • MD5

    35eb63390faa38437c456a1966d2e51a

  • SHA1

    0138a5c885e85ab7960f681f94c552f1cd2b45e9

  • SHA256

    314259cc43c8619b5f8e1ec548b34b64d6b8084342cdd6d8a970718c2d791da8

  • SHA512

    8abef3dde447c025aa69b1524867513a0ecca523583098407bc18f6462acfa38e6e06d621c1943a6c1f6d88030edfdf71c48c2805fa0f5403183bab22c370048

  • SSDEEP

    49152:LxgCKGJaUFxFwTkhnCEtG0vHBsH0PlXSUYo0rI8Jc+UDQ5tBpOTT0cAalxRm:LxLXJtxmTOtNvC/nrhYUrB4TT0chx

Score
10/10
cryptbotdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

cryptbot

C2

hevbaw12.top

morgki01.top
Attributes
  • payload_url

    http://kyvihm01.top/download.php?file=brunei.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 20 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\wSDekUDO\MjngyhLwqnINDA.zip
    Filesize

    51KB

    MD5

    70ec9d19468701888ff4c8009e3ddfc9

    SHA1

    bf7ccd2f2fd9c3d22d7fcfdf17b77dc5ad286fc9

    SHA256

    43e0f6755ed38d4a80bb05d3622a2ff54abcfa5cc87b8601d66e6fec51955523

    SHA512

    023bca1cbec1da8423964eba72f74f904c19d4725367e478e7a6b51f5d227c1472bbbd338472954f9997b9dd762974fd9aa04aec1f69430e9559051340495888

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wSDekUDO\_Files\_Information.txt
    Filesize

    1KB

    MD5

    656e83bc6064e358049128b976074f2f

    SHA1

    8a0c5155c52db4ba60fc426215e3f7a2e369d208

    SHA256

    acbd59055f280403e7db40c4eb728a1f12e4d4a750b8590694496eeff3988fb1

    SHA512

    74cb58f0ec5fa47498d33795bdba7fa0496a062bf8440af7c6fe236be1b1591f8e5691dacf2f78ebacdb2fb33aabb321eea9bc926ca79c59c70f57323546c049

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wSDekUDO\_Files\_Information.txt
    Filesize

    6KB

    MD5

    176f04207e01c9019922e214dac1ba9e

    SHA1

    f73ee88b093f3e59e3a2eb7a2938687858bf459d

    SHA256

    3441e63f0c4eff698ebd5e5dac347fb44b3a1ef60f1b2bf78921a0e65102fede

    SHA512

    656c6e39e46174176f6b7a3491c83ff4defb7e2c9d781d3d31801abcf1725ea83b2b161172cadd79f46be4a3c1af16ff031db80bb3b318311b21fe4cda340297

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wSDekUDO\_Files\_Information.txt
    Filesize

    6KB

    MD5

    176f04207e01c9019922e214dac1ba9e

    SHA1

    f73ee88b093f3e59e3a2eb7a2938687858bf459d

    SHA256

    3441e63f0c4eff698ebd5e5dac347fb44b3a1ef60f1b2bf78921a0e65102fede

    SHA512

    656c6e39e46174176f6b7a3491c83ff4defb7e2c9d781d3d31801abcf1725ea83b2b161172cadd79f46be4a3c1af16ff031db80bb3b318311b21fe4cda340297

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wSDekUDO\_Files\_Information.txt
    Filesize

    6KB

    MD5

    176f04207e01c9019922e214dac1ba9e

    SHA1

    f73ee88b093f3e59e3a2eb7a2938687858bf459d

    SHA256

    3441e63f0c4eff698ebd5e5dac347fb44b3a1ef60f1b2bf78921a0e65102fede

    SHA512

    656c6e39e46174176f6b7a3491c83ff4defb7e2c9d781d3d31801abcf1725ea83b2b161172cadd79f46be4a3c1af16ff031db80bb3b318311b21fe4cda340297

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wSDekUDO\_Files\_Screen_Desktop.jpeg
    Filesize

    50KB

    MD5

    66d94f0928dfdc4cdfb4fbd1d719373c

    SHA1

    c6fa91f3b354a780712cd60295bf81aef191cfcd

    SHA256

    767872633bf96485e8970606a9ae9624db4355416d8ac65ed0485cc2620e8196

    SHA512

    52c9437ad8b95173fb195f2ed5e61c94547779b5bdcc7682268eb1436b52be2db769cd6e5fccef30a9ef0406913095ffc5020cf815d7e0e6a9d78e638b92a0dd

    Download Submit
  • memory/2844-251-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-258-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-136-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-240-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-241-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-135-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-133-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-134-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-254-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-137-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-261-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-264-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-268-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-271-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-274-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-278-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-281-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-285-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-287-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-290-0x0000000000C00000-0x00000000012E4000-memory.dmp
    Filesize

    6.9MB

    Download