Overview

overview

10

Static

static

3

8cc6314d22...d9.exe

windows7-x64

10

8cc6314d22...d9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2023 20:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe

  • Size

    795KB

  • MD5

    1378addc7c016581bb0f76dc32d0af61

  • SHA1

    35d7f0d9aa6893e4c90a7c1552568f5c27e1b638

  • SHA256

    8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9

  • SHA512

    fba542b033428f2c1badf75a017c6df1d108af5dcccaddc6c90f993f193c45471b985993190106baecba5a29254298fba4cceab5d8df7ebda44fa38f5c6b4bab

  • SSDEEP

    12288:UCGDA23V1NyXsLdc2gJMKYWBpX6FKVEuZFhTbgnQjMJiWA2kN3R9ldtwjAPH:7GDl3kXsDZupEu31bgnQYu2kN3xdthPH

Score
10/10
cryptbotdiscoveryspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

http://ewzvpq52.top/gate.php

Attributes
  • payload_url

    http://biriuv07.top/tarefa.dat

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe
    "C:\Users\Admin\AppData\Local\Temp\8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\AppData\Local\Temp\8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe
      "C:\Users\Admin\AppData\Local\Temp\8cc6314d22c31f9678e1a2118ace78e57302b8ff5ebb1549c991c4b79bd976d9.exe"
      2⤵
      • Maps connected drives based on registry
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1948

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\40D.tmp
    Filesize

    32B

    MD5

    be980f09a839e6ed95c511824ed5ca31

    SHA1

    4fa4d1f170a173f494e6032b1e423fc5be608416

    SHA256

    7bf0cb21745162f09e70776ac472fbd1e6a99a842d1d686f73a89be8d95a6928

    SHA512

    d2dd7d923e857fcc28c7ddfddc59b0a750d6f26bc194d5776a6e56d540c508bb878e701e4ce2fd6c9bb709866232b76c5254f13582d5a652aac5663b780c96f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4AD.tmp
    Filesize

    71KB

    MD5

    e5e81f0ae5ba9a2ac3db0a17d3c9f810

    SHA1

    c2d6bdf002325094ff399b1e4c36df575b48ee4f

    SHA256

    a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3

    SHA512

    cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce

    Download Submit

  • memory/1948-60-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1948-57-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1948-58-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1948-59-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1948-54-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1948-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1948-62-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1948-64-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1948-65-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1948-56-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1948-55-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1948-139-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1948-141-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download