Malware Analysis Report

2024-10-23 17:14

Sample ID 231231-nh5caafgh4
Target 3436bc5cb6d4783a01dbfac2504343cb
SHA256 0491af1e13f4b5d1725e5320e15d5aa0470d726418da43c6d08706d2f978d5ab
Tags cryptbot discovery spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 0491af1e13f4b5d1725e5320e15d5aa0470d726418da43c6d08706d2f978d5ab

Threat Level: Known bad

The file 3436bc5cb6d4783a01dbfac2504343cb was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-31 11:24

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2023-12-31 11:24
Reported 2024-01-10 11:09
Platform win7-20231215-en
Max time kernel 147s
Max time network 160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload


Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description       | Indicator                                                                            | Process                                                                  | Target
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                                                  | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe | N/A
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe

"C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe"

Network

Country | Destination | Domain       | Proto
US      | 8.8.8.8:53  | haiezf32.top | udp

Files

memory/2900-1-0x0000000002E40000-0x0000000002F40000-memory.dmp

memory/2900-2-0x0000000000220000-0x00000000002C0000-memory.dmp

memory/2900-3-0x0000000000400000-0x0000000002CC3000-memory.dmp

memory/2900-4-0x0000000002E20000-0x0000000002E21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Vbr72zU\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\Vbr72zU\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\Vbr72zU\_Files\_Screen_Desktop.jpeg

C:\Users\Admin\AppData\Local\Temp\Vbr72zU\_Files\_Files\SyncClear.txt

memory/2900-226-0x0000000000400000-0x0000000002CC3000-memory.dmp

memory/2900-230-0x0000000000220000-0x00000000002C0000-memory.dmp

memory/2900-229-0x0000000002E40000-0x0000000002F40000-memory.dmp

memory/2900-232-0x0000000002E20000-0x0000000002E21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Vbr72zU\r8s0Ku2DBT.zip

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-31 11:24
Reported 2024-01-10 11:09
Platform win10v2004-20231222-en
Max time kernel 3s
Max time network 115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload


Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Checks processor information in registry

Description       | Indicator                                                                            | Process                                                                  | Target
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe

"C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe"

Network

Country | Destination        | Domain                      | Proto
US      | 8.8.8.8:53         | 149.177.190.20.in-addr.arpa | udp
US      | 8.8.8.8:53         | 146.78.124.51.in-addr.arpa  | udp
US      | 8.8.8.8:53         | 175.178.17.96.in-addr.arpa  | udp
US      | 8.8.8.8:53         | 95.221.229.192.in-addr.arpa | udp
US      | 8.8.8.8:53         | haiezf32.top                | udp
US      | 8.8.8.8:53         | 9.228.82.20.in-addr.arpa    | udp
US      | 8.8.8.8:53         | 86.23.85.13.in-addr.arpa    | udp
US      | 8.8.8.8:53         | 41.110.16.96.in-addr.arpa   | udp
US      | 8.8.8.8:53         | haiezf32.top                | udp
US      | 8.8.8.8:53         | 18.134.221.88.in-addr.arpa  | udp
US      | 8.8.8.8:53         | haiezf32.top                | udp
US      | 8.8.8.8:53         | haiezf32.top                | udp
US      | 8.8.8.8:53         | haiezf32.top                | udp
US      | 8.8.8.8:53         | 202.178.17.96.in-addr.arpa  | udp
US      | 8.8.8.8:53         | 119.110.54.20.in-addr.arpa  | udp
US      | 8.8.8.8:53         | haiezf32.top                | udp
US      | 8.8.8.8:53         | haiezf32.top                | udp
US      | 8.8.8.8:53         | 173.178.17.96.in-addr.arpa  | udp
US      | 8.8.8.8:53         | 211.135.221.88.in-addr.arpa | udp
US      | 8.8.8.8:53         | haiezf32.top                | udp
US      | 52.111.227.13:443  |                             | tcp
US      | 8.8.8.8:53         | haiezf32.top                | udp
US      | 8.8.8.8:53         | haiezf32.top                | udp
NL      | 20.103.156.88:443  |                             | tcp
NL      | 20.103.156.88:443  |                             | tcp
NL      | 20.103.156.88:443  |                             | tcp
US      | 204.79.197.200:443 |                             | tcp
US      | 8.8.8.8:53         | haiezf32.top                | udp

Files

memory/3212-2-0x0000000004900000-0x00000000049A0000-memory.dmp

memory/3212-1-0x0000000002F60000-0x0000000003060000-memory.dmp

memory/3212-3-0x0000000000400000-0x0000000002CC3000-memory.dmp

memory/3212-208-0x0000000000400000-0x0000000002CC3000-memory.dmp

memory/3212-213-0x0000000004900000-0x00000000049A0000-memory.dmp

memory/3212-212-0x0000000002F60000-0x0000000003060000-memory.dmp