Malware Analysis Report

2024-10-23 17:14

Sample ID 231231-kq132sefb3
Target 2fa9185ceeb1d25e8bde77a4cf3f70d4
SHA256 d4036c235fca73a67732d884564991184b7a8ea148784f0cd70fa07adbd8e160
Tags
cryptbot discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d4036c235fca73a67732d884564991184b7a8ea148784f0cd70fa07adbd8e160

Threat Level: Known bad

The file 2fa9185ceeb1d25e8bde77a4cf3f70d4 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Checks installed software on the system

Enumerates physical storage devices

Program crash

Unsigned PE

Delays execution with timeout.exe

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 08:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 08:49

Reported

2024-01-10 02:33

Platform

win10v2004-20231215-en

Max time kernel

5s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe

"C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3980 -ip 3980

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\IflgAoZb & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 138.91.171.81:80 | N/A | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | smarew72.top | udp
US | 8.8.8.8:53 | moriwi07.top | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | guruzo10.top | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 185.13.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp

Files

memory/3980-2-0x0000000002110000-0x00000000021F1000-memory.dmp

memory/3980-3-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3980-1-0x00000000005F0000-0x00000000006F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IflgAoZb\_Files\_Information.txt

MD5 4acf52d8e7aeb6431a490e496629b00f
SHA1 3f9685780ca99e785a5c3a091bdab8fe9a1276ed
SHA256 4a0ff175f19c61c4022e007561604675ea25421c50b8481be29c3c70e73aa30a
SHA512 c1f85f5e2d3e0c5dae8fdc55d5b28621821604b2ca423613c1ad5d2683e312364fbd55f72927694eca388c006016b408ed12dbab5cfb96375353f4a1aa7a14db

C:\Users\Admin\AppData\Local\Temp\IflgAoZb\files_\system_info.txt

MD5 31452b021289566b8db2b97bcd38c0ca
SHA1 44773d79aac77efb76fb00b36b2752ef29a72f79
SHA256 d6f1e03b48dd1d7f8d35e07a60f84f05ab8d7c229d233937497b29b60217bf78
SHA512 39432c57a532fa73fbe0c3c6d9bcb67fd630ce77e07b2f17695068ce43b923db0186555a5c75284801400c5641b33075fb29b7103bf45fa62b39f9565ecb8c45

C:\Users\Admin\AppData\Local\Temp\IflgAoZb\_Files\_Screen_Desktop.jpeg

MD5 c98befb5e2e7dd6f642156a48dbcc01b
SHA1 780c50dc484fd7dca4b89527cd62aa23039df521
SHA256 6b9c28a21f16a94fcc05afebad9d84f4253a1f247e784c736c3169ea87b7e8d2
SHA512 13e4818e2821c41d97f060bd5939ad5dcc310753da0408466fc10cabece16411bc5e9690d0da3f8ad6fd465bb54614b3ed9d2d98cbf0dffd2c2fefca62035b81

C:\Users\Admin\AppData\Local\Temp\IflgAoZb\_Files\_Information.txt

MD5 d973f047917ebc78b4dda4b0a85bc8ef
SHA1 a8b454c7fa725626e4699f6fe02f12125963188a
SHA256 f6b916c122279ac258028787de809314dbadde0b583bfd404a0fb85ab2b6948f
SHA512 cdeab64234c5bbb7a24bb0e96eb79af98d1563839b8dc7432c77c0c1c369926af1618e59e241a6d7f3118acae5eea3053b464bd8fb5433031535b3382aaf5c60

memory/3980-213-0x0000000000400000-0x00000000004E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IflgAoZb\files_\SCREEN~1.JPG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\IflgAoZb\files_\SYSTEM~1.TXT

MD5 1feed4f2f2047d7403cf74f3871ba012
SHA1 53d3d012f60144d862525d88da2d41fa418b7129
SHA256 38e63575621ac99235c7faaadcd6dc55fa2c36a45a98e0ad68e6691696098be7
SHA512 9df2bff8634f51d8015373e9bf02b437095ef4fde31a2cc917a836c0c330fde83831baa7c86b5367fe3c1a0fdefe2f3063ba9f1e40c705e082b87032ef03d4fb

memory/3980-221-0x0000000002110000-0x00000000021F1000-memory.dmp

memory/3980-220-0x0000000000400000-0x00000000004E5000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 08:49

Reported

2024-01-10 02:33

Platform

win7-20231215-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe

"C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"

Network

N/A

Files

memory/2296-3-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/2296-2-0x00000000004F0000-0x00000000005D1000-memory.dmp

memory/2296-1-0x00000000005F0000-0x00000000006F0000-memory.dmp

memory/2296-6-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/2296-7-0x00000000004F0000-0x00000000005D1000-memory.dmp