Malware Analysis Report

2024-10-23 17:14

Sample ID 240109-xn75sshhd6
Target eace6cd84265058817841921eb59d13a.exe
SHA256 1c0e9c19952db42f2e8b9b8c158e1d761e1d58a548eda1b09984a510ed9c7541
Tags cryptbot discovery spyware stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256

1c0e9c19952db42f2e8b9b8c158e1d761e1d58a548eda1b09984a510ed9c7541

Threat Level: Known bad

The file eace6cd84265058817841921eb59d13a.exe was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-09 19:01

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-09 19:01

Reported

2024-01-09 19:03

Platform

win7-20231129-en

Max time kernel

143s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe

"C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ewaumk24.top udp
US 8.8.8.8:53 morzup02.top udp

Files

C:\Users\Admin\AppData\Local\Temp\iTVcBtI\1bmrwfBkduO1K.zip

MD5 acc56d4bafdaa22903a2f89642a4dac4
SHA1 03a32325e7fb2a3962d9a7ff85877931af969aa8
SHA256 b308197147bb70e7ca305f9577455ab93ffa7a6f3a4de1974ab3945b140007da
SHA512 35c691e0dd67cea7f7d412059bba8383d1a89e99b1d1763093d2224ff92f5b49a4be0206107eb146e424fab8006fd4121ee93d2fa95e8440f923d4e02b1ed56e

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-09 19:01

Reported

2024-01-09 19:04

Platform

win10v2004-20231215-en

Max time kernel

158s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe

"C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 ewaumk24.top udp
US 8.8.8.8:53 ewaumk24.top udp
US 8.8.8.8:53 ewaumk24.top udp
US 8.8.8.8:53 ewaumk24.top udp
US 8.8.8.8:53 ewaumk24.top udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 ewaumk24.top udp

Files

C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\_Files\_Information.txt

MD5 eb46e22df190419f833b99ac6675779d
SHA1 af5fb73f4b2b52c5f94bd3c62b8ee2bfbc8bd1cd
SHA256 4e7ad5447b2188d37d4459186d392805c06144b0ab5fed958629e31dbbbd3ffa
SHA512 5df3c6d3fcc910acff6265ee68554884543e80886b4f366498c268a554385d19daea22f4580470b324306c06b34706686b7ea996926beef3827fe5de9d48974c

C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\_Files\_Information.txt

MD5 1d672df726b06220fd7bac4c8840bdfb
SHA1 71a578615f193173e2ad6bd52eeac297b546a5bf
SHA256 cf50ef4a2b879dfa8848a558d44618dc605236629aa1e4f1c6a77ccc706d5e28
SHA512 161def5f36af01cdaa3b24ac5588d384e48ccb59866c71aaa49258ddf383cd7efadf8e1821917f44db22fb4c3cd0b998e54ad7ec37b6212dbe176493a700cc50

C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\_Files\_Information.txt

MD5 4d4f3ea884cf16a44bf2fb9381533330
SHA1 044fb511d5796c88e44936f86790b51100f0b747
SHA256 2fc4d58f9c68d9e1788588e3597085bf6815688812b0c8b289516cc043a374a4
SHA512 347daae8d155295a76ee26585a8db5802967bc87b3fa36407cd3f6e8b9218f8b71cdbd4ce62f3cd10b46b4280e3576e05b967d9e466848a975b7bd9de56e7743

C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\_Files\_Screen_Desktop.jpeg

MD5 6020ae6a78c026255896903896e41915
SHA1 8150f91a97da34afd6f2b07522bdd46d57576e05
SHA256 b2ecad1518849cf10e5387c31ec06df01c4e947c68be265ea3c8cbfbaa45e297
SHA512 f7b052f7302e0e6fd0ae1b40515f4c21ff3d896161cbfae3c533740c3eeae61318d469d78be09171ec125ad59a7737a9ff6f723da1c873a9fa1d87fa966a769d

C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\files_\system_info.txt

MD5 dfb9cd1c06fcd881d1ff965022d87759
SHA1 890e18595754330da8666a810d768a9325520c07
SHA256 75b5975347d08889fe3cf7cf9f759d954a3b0dcaf86165111ce5fbe5a7c718c8
SHA512 36a4c5300cfe627375873dedda7ffc13e8cb9999b67d7d91a6adf04f08bbc3fa50af34c025eddb6ef06d947ad2bd64abfa05debec6c0a879af255c81e99dc5e9

C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\LhDynhtVNgOznb.zip

MD5 93967b40ff70c65b6c07ca32aa057e96
SHA1 4da46c80aeb245b6ec95d1f338d5891a77798411
SHA256 f7fdedb4e9425e834885e5ef677a40c194091f93e4a1fbb70391dfb2a7d0508c
SHA512 953e08f1f51eba35ea8c9f36be6b0c18f41dcc571d021f80afde97ed7702142ee1a30792395ca5418abbf1b5aee80b6c3f6da0fe2323327b51d29d7a9321f003