Malware Analysis Report

2024-10-23 17:14

Sample ID 231228-1ymhmafec6
Target fb660cd8294a2f697bc610d746833d91
SHA256 28877275c2c938f24cd0bf43f2c0cef090c58b7a85a988b2f6dff4970660b07d
Tags cryptbot spyware stealer discovery
Score 10/10

Analysis Overview

Score 10/10

SHA256

28877275c2c938f24cd0bf43f2c0cef090c58b7a85a988b2f6dff4970660b07d

Threat Level: Known bad

The file fb660cd8294a2f697bc610d746833d91 was found to be: Known bad.

Malicious Activity Summary

cryptbot spyware stealer discovery

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Checks computer location settings

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-28 22:03

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-28 22:03

Reported

2024-01-09 21:30

Platform

win7-20231129-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe

"C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe"

Network

N/A

Files

memory/2548-1-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2548-2-0x0000000000310000-0x00000000003F1000-memory.dmp

memory/2548-3-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/2548-7-0x0000000000310000-0x00000000003F1000-memory.dmp

memory/2548-6-0x0000000000400000-0x00000000004E5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-28 22:03

Reported

2024-01-09 21:31

Platform

win10v2004-20231215-en

Max time kernel

175s

Max time network

192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe

"C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\SQMDwDoW & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3180 -ip 3180

C:\Windows\SysWOW64\timeout.exe

timeout 3

Network

Files

memory/3180-1-0x0000000000570000-0x0000000000670000-memory.dmp

memory/3180-2-0x0000000002230000-0x0000000002311000-memory.dmp

memory/3180-3-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3180-4-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3180-7-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3180-8-0x0000000000570000-0x0000000000670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SQMDwDoW\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\SQMDwDoW\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\SQMDwDoW\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\SQMDwDoW\_Files\_Screen_Desktop.jpeg

memory/3180-111-0x0000000002230000-0x0000000002311000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SQMDwDoW\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\SQMDwDoW\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\SQMDwDoW\files_\system_info.txt

memory/3180-209-0x0000000000400000-0x00000000004E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SQMDwDoW\_Files\_INFOR~1.TXT

C:\Users\Admin\AppData\Local\Temp\SQMDwDoW\ULBDFN~1.ZIP

C:\Users\Admin\AppData\Local\Temp\SQMDwDoW\fMIjaroS.zip