Malware Analysis Report

2024-10-23 17:14

Sample ID 240110-zsfx8ahba4
Target 519a5e8618177c423039f4e5c47aa27a
SHA256 656dd9e677ea4da1892f14f0b38ca7d989d6d8a07d1ce3d1675cf2ff1b030653
Tags
cryptbot discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

656dd9e677ea4da1892f14f0b38ca7d989d6d8a07d1ce3d1675cf2ff1b030653

Threat Level: Known bad

The file 519a5e8618177c423039f4e5c47aa27a was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-10 20:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-10 20:58

Reported

2024-01-10 21:01

Platform

win7-20231215-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe

"C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 lyssen62.top udp

Files

memory/812-2-0x0000000000310000-0x00000000003B0000-memory.dmp

memory/812-1-0x00000000009E0000-0x0000000000AE0000-memory.dmp

memory/812-3-0x0000000000400000-0x000000000095A000-memory.dmp

memory/812-4-0x00000000009D0000-0x00000000009D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zSuWGMr\_Files\_Information.txt

MD5 8088e3ab5c16cd024183761df3806864
SHA1 8a07a9e5169d2fbd4ed51f2c8171ae654d9d7f00
SHA256 93d0ea13a5a5c50bed7df667ab4b2323be9c34b438b9fe26e0893bfd759b81ee
SHA512 70223e48a848b0fd38f60da55aa41f25a164896dc24220073d0bfc6f3fca349c65ed0c0b885c3fe10fad3ff37be9f05f53ba70ef10f627c8b611947472937c06

C:\Users\Admin\AppData\Local\Temp\zSuWGMr\_Files\_Screen_Desktop.jpeg

MD5 440038e6bce3174305c6efa21805ad70
SHA1 28cb2e7b692c8adf2abcb5cb3d00569c069144d3
SHA256 fece7af270540e1b057ce3456afc15f4e1c2edf550c19c1e181632b16b4f9365
SHA512 981d48e1fa116cb279c080110a22faa671000ad12599cc475422e4dd320a8b76acfa11828791448cdf52266efdfa24c8ab0ff9aff464dcd31ef6baa81660b7fa

C:\Users\Admin\AppData\Local\Temp\zSuWGMr\files_\system_info.txt

MD5 657e58c60df206ec33cf1c86c83364fb
SHA1 42f446ae4836c45ed15e8f2b1def8069caed89f3
SHA256 9ea8cec4039e06e586d39deb1e74e3ebb46713daa422ee010e8ba7b287a41b0d
SHA512 917c30bd2d066a350979774633f7fa9c45862f1da6e2fdcf394782d2aee30f86202aa3dca12201c0dea02cc6b841359fe2275151b018ed8436226d5f69858b20

memory/812-221-0x0000000000400000-0x000000000095A000-memory.dmp

memory/812-223-0x00000000009E0000-0x0000000000AE0000-memory.dmp

memory/812-225-0x0000000000310000-0x00000000003B0000-memory.dmp

memory/812-227-0x00000000009D0000-0x00000000009D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zSuWGMr\JSZmQrsdDXMA6i.zip

MD5 ad098d5722726ff474bb1dccf5e9988a
SHA1 475babb1aeda23c4eaa3bb6445d7818bee4c1db8
SHA256 f3f619086b8fda738c699b0f78c0753735a1b364784dd92627ee9f353605ba47
SHA512 1c5cf6d14e1e05be8d280767b0e8bee7d62c935f04c03ae843818bc13f6071c3588d46f6c9db48656d08deece5b3d9582957272ca04a3e4d020835c34ba37f16

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-10 20:58

Reported

2024-01-10 21:01

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe

"C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe"

Network

Country Destination Domain Proto

Files

memory/4428-1-0x0000000000B50000-0x0000000000C50000-memory.dmp

memory/4428-2-0x0000000000960000-0x0000000000A00000-memory.dmp

memory/4428-3-0x0000000000400000-0x000000000095A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\_Files\_Screen_Desktop.jpeg

MD5 6b0e49f33245e9d9cd0c4b49354f94f6
SHA1 99c16e6cb99b0faaaec9a66854b37b3973c348d6
SHA256 9923568ef710aa556b4809854ca04290e318babc0303793f5141a2b40d4d2b66
SHA512 9fa2010fd49f1a04c59b75e9eb4627ff67906dc666737e629a20f725e9fd13e0b29adc94161eea4844eb22e53b186851d8a48c3cf1fc1b62a6890a629e73d2b8

C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\_Files\_Information.txt

MD5 e0ec0e78a1626d45585cb5cd6e274952
SHA1 5d68d8beddcb481ae55a9780fb0561faa0be66b1
SHA256 26c5b31b171c970ccc4b397ad79f73f43221d1de341b4f305c1412b49d846bed
SHA512 fc578f46eae45d85c702a1b86c258d1982865fb9bbfe5f1996c1d7210631d5f9e8e21d2a2d383581a04277c2f422066a9cf20770b74c1e91db9bc712629a64b7

C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\_Files\_Information.txt

MD5 b7dd22a373ad35516b6fb4117e5c8a3f
SHA1 d8d9a799b20348eccbc64dc1b5851cf2c42107a1
SHA256 af3895f7c5c56d3e5d575bfdfaadfeca86fdaedb1d784c73c7108754968b7fce
SHA512 aef8b5a0ff2c9a79c3733ab63c8846f935b7ffc6f2a4780950eed0b46c6b2d266c12b590ae6427768ee5f9be2df9f7c7b3206006c921d0a62c173e34183e2349

C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\files_\system_info.txt

MD5 9d4d0ac0112d201e8659529b82eb7337
SHA1 0235f852cff10691f07ab853736e9226d6fe393f
SHA256 866d4ed183dc704f3068fad07a5703c79c84c3519bb379e706f7ab16678a2a12
SHA512 4fb10f904af9b3830c11d21f2479a0818e6161ac8543a37bc631e56c1ab6341e368c3c244f18b58b4beb981fbf1930af665111abb39e1fdf154833e8d17e4a60

C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\files_\system_info.txt

MD5 e11a7b251671edc1a5170b7d5cc1a38f
SHA1 351df1be8644cfd3da6a44e667cb4906fe5036fa
SHA256 11d689b3cc2ae592d6494d29a762d3a187722fa6c62ebfc377e359a173d3b66c
SHA512 26c62370ebaef92dc7626b0e8e3d41f5ba35de95390ae9d1b4c5f284ce56ab516361e9b198b479eca4dc2004aa973bb87e04a6de48ff6b6ef7aa49ca0cb882c8

C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\files_\system_info.txt

MD5 a6f16e9cb322be17d3555b014b698d22
SHA1 c2e4bf475a10763614f0df35713072d238f7078b
SHA256 ca8aebdd8fd24c2cbe0db5a74073f56096fff2ccacc5e31db069f07b215277e3
SHA512 bcaffc051d24ef3df23780608bd3a51372867b6e2bc8d7baddfbfb8529f9b26720e7af71bb7558a5c06a8cdbfaf0cce1d0ccaf0c364ac90081df1a3decb7e61a

memory/4428-208-0x0000000000400000-0x000000000095A000-memory.dmp

memory/4428-211-0x0000000000B50000-0x0000000000C50000-memory.dmp

memory/4428-212-0x0000000000960000-0x0000000000A00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\yVf6un6xKoVBMf.zip

MD5 9764767a43064f47283e34f730be9297
SHA1 444d3b9374a230e44753b83554b62556990ab6af
SHA256 40cc871c6391f8c302b50b77390eb07263d56b83691cca478dab22fd06a62aa3
SHA512 314588f2b4dc599bcf95e1f3466c933fae1f36109e91114fb35f5ecff5d94d2ee9327ba8ff8459f145dd254503c9c3c036343813ffa963e6681de4c159def65a

C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\bFogcARCIrQ.zip

MD5 031178d4340d07f11caba3aad80b8935
SHA1 e20494e700ed5f17f653408a65cdc02c162aeb6c
SHA256 289e8550bd31901c338555d51b5b123c4cf4cac0eb40f2ed4fd14cc67b73d9f2
SHA512 cd4954a1e4e934973e198ba45b8354a93bc67bd33eabf9e42b18487a4a2e9c35a247ab5d592d9b822baec4ad790871341e421583fc68d4d6b126cd85ccfbd476