Analysis Overview
SHA256: 0491af1e13f4b5d1725e5320e15d5aa0470d726418da43c6d08706d2f978d5ab
Threat Level: Known bad
The file 3436bc5cb6d4783a01dbfac2504343cb was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 11:24
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 11:24
Reported
2024-01-10 11:09
Platform
win7-20231215-en
Max time kernel
147s
Max time network
160s
Command Line
Signatures
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe
"C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | haiezf32.top | udp |
Files
memory/2900-1-0x0000000002E40000-0x0000000002F40000-memory.dmp
memory/2900-2-0x0000000000220000-0x00000000002C0000-memory.dmp
memory/2900-3-0x0000000000400000-0x0000000002CC3000-memory.dmp
memory/2900-4-0x0000000002E20000-0x0000000002E21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Vbr72zU\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\Vbr72zU\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\Vbr72zU\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\Vbr72zU\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\Vbr72zU\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\Vbr72zU\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\Vbr72zU\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\Vbr72zU\_Files\_Screen_Desktop.jpeg
C:\Users\Admin\AppData\Local\Temp\Vbr72zU\_Files\_Files\SyncClear.txt
memory/2900-226-0x0000000000400000-0x0000000002CC3000-memory.dmp
memory/2900-230-0x0000000000220000-0x00000000002C0000-memory.dmp
memory/2900-229-0x0000000002E40000-0x0000000002F40000-memory.dmp
memory/2900-232-0x0000000002E20000-0x0000000002E21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Vbr72zU\r8s0Ku2DBT.zip
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 11:24
Reported
2024-01-10 11:09
Platform
win10v2004-20231222-en
Max time kernel
3s
Max time network
115s
Command Line
Signatures
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe
"C:\Users\Admin\AppData\Local\Temp\3436bc5cb6d4783a01dbfac2504343cb.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | haiezf32.top | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | haiezf32.top | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | haiezf32.top | udp |
| US | 8.8.8.8:53 | haiezf32.top | udp |
| US | 8.8.8.8:53 | haiezf32.top | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | haiezf32.top | udp |
| US | 8.8.8.8:53 | haiezf32.top | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | haiezf32.top | udp |
| US | 52.111.227.13:443 | N/A | tcp |
| US | 8.8.8.8:53 | haiezf32.top | udp |
| US | 8.8.8.8:53 | haiezf32.top | udp |
| NL | 20.103.156.88:443 | N/A | tcp |
| NL | 20.103.156.88:443 | N/A | tcp |
| NL | 20.103.156.88:443 | N/A | tcp |
| US | 204.79.197.200:443 | N/A | tcp |
| US | 8.8.8.8:53 | haiezf32.top | udp |
Files
memory/3212-2-0x0000000004900000-0x00000000049A0000-memory.dmp
memory/3212-1-0x0000000002F60000-0x0000000003060000-memory.dmp
memory/3212-3-0x0000000000400000-0x0000000002CC3000-memory.dmp
memory/3212-208-0x0000000000400000-0x0000000002CC3000-memory.dmp
memory/3212-213-0x0000000004900000-0x00000000049A0000-memory.dmp
memory/3212-212-0x0000000002F60000-0x0000000003060000-memory.dmp