Malware Analysis Report

2024-10-23 17:14

Sample ID 240111-313czaahgj
Target 54efb1309d76e87c2185b576e3783247
SHA256 5de12d55a698805ec98ada5964711f226fd1d4a424daf7062f178dbf52702cd5
Tags
cryptbot discovery spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

5de12d55a698805ec98ada5964711f226fd1d4a424daf7062f178dbf52702cd5

Threat Level: Known bad

The file 54efb1309d76e87c2185b576e3783247 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot payload

CryptBot

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-11 23:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-11 23:59

Reported

2024-01-12 00:02

Platform

win7-20231215-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe

"C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | morbyn04.top | udp

Files

memory/1848-1-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

memory/1848-2-0x0000000000220000-0x00000000002C0000-memory.dmp

memory/1848-3-0x0000000000400000-0x000000000095B000-memory.dmp

memory/1848-4-0x0000000000A60000-0x0000000000A61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Z7wjuwD\_Files\_Information.txt

MD5 594f3b87255a76ba88ccfa12d0834aa2
SHA1 69087231614e61c3b4b68152c885ab361fe8aacd
SHA256 ac08a8aaa7f182f6152cdadfae1b77e59c7b503dd8c3ce58041ff41f1afbfa6b
SHA512 6920905fe7cafa1fb5babb7c1a9dea57e9377f8db1409735dab6b50a41c3472e9de9a48eb8cab017ce6b458e6c6976197e1524813d0430a5796ea754f6df5a9c

C:\Users\Admin\AppData\Local\Temp\Z7wjuwD\_Files\_Information.txt

MD5 5a72c2290489557fed02e6ab43514aa1
SHA1 0caa5c6944faf645cebda7c92ed06e85a1ec124a
SHA256 d95a887de090be139cebfd31bf8835bdcd8f35a8d5463ceb6e6f505098caed36
SHA512 8919983e9c6bd2e2eee43ebd378a80d5556850f790bac3815ce903196ca353059987b31226f1bf291484a3176f1d84604fc1ff24e6498d764a99d2e6d8994f94

C:\Users\Admin\AppData\Local\Temp\Z7wjuwD\_Files\_Information.txt

MD5 8889337df1c865d5a47cb6d3c614245d
SHA1 bf209396df2f4648a1339b6bfd10792f97f9f783
SHA256 32abb85a21ef29b0f14c262fb8e469645c699b8a058e50cdc975abac54b02813
SHA512 85eaec09ccb4c2e7763529ff3b266a8d2c40ca91b15d00115f640144206e865f14f76c2e74230b4b51a7d72d3d03611b96acc1f2f956d179da832c9fd70760cb

C:\Users\Admin\AppData\Local\Temp\Z7wjuwD\_Files\_Information.txt

MD5 173d05d78a0fc403968e1faa107e0862
SHA1 52ecba44fb5163e249e1eb3f903dcad70332378b
SHA256 745a01c27be3f8490055bf9af36137d3ea410be9ff2cfcf2a2ebbbc62d83e5f9
SHA512 bc225bb8d3e5ec79bafadef234222a4a6d4c415db5da6842f33ea558982b49271f3b295fdefdcdd5c80c2803dfe87bac44fb6e14efd84274a749f89f2a2ecf67

C:\Users\Admin\AppData\Local\Temp\Z7wjuwD\files_\system_info.txt

MD5 3267eacc48e6cb55476a9f4eb5edc9bc
SHA1 bcb6bb74dcdb0105bf4f4586183f182db65ba25d
SHA256 baa9a2221f0375879173d66ee45383a14396a7dce0ff010ee99ee40b3d9c4b3b
SHA512 51004b3efaa1ab62ce95a9671510f9e39a0fab588b7276c4cbb535bcf8f79528816c6052489ef319553f85587d953058986f7ff0a1f7af8041b957c338f6f9c7

C:\Users\Admin\AppData\Local\Temp\Z7wjuwD\files_\system_info.txt

MD5 6a25fd066cb6f10adfd4cfb3f5a0dcf7
SHA1 f5ceb08c5e25a85a31609fa8592b456a5b48e201
SHA256 883ea0e68d64f097cfb92dedf419731c8757758f97477a1822e833ca5526374e
SHA512 8b705221080ddf9bfc460f03bdea24b474d3fb47a80457210283274517361dbc6ebd6bb934d1982bfc3525a3811dae76fc4879e74385e562022656e02edfc25b

C:\Users\Admin\AppData\Local\Temp\Z7wjuwD\files_\system_info.txt

MD5 667ddc676a5884778779abc5a85f6cb1
SHA1 2b3eabe3d908fc9dcc4276d34ad172fdb5eca1e3
SHA256 e1931935bd25a88a056a088e3f1b49b209601bca6ceae78ad60b6d08f915b400
SHA512 7c8f0d80d9e638e62f4b9d79c0af358bff55c6fc5e7b349ab46956cb04ac39609f5cb3d8ea094d8b191a2b4c6c57b05449e97b705a431dfda6e728815b805e56

C:\Users\Admin\AppData\Local\Temp\Z7wjuwD\files_\system_info.txt

MD5 b0b4eb7a0bf955d61cce33f968beda8b
SHA1 690a575b6335c9cbd6d73439be62bc670da472f5
SHA256 1439a982a3ac809d7f76bdd1e17fefdd7edb07936d2d08cf067574d91b0f1f54
SHA512 2715a4ca719b73651989f98d2ea7c3f7b2284425a1e0274c2dfd29dd6ff08f570f0aa649406af50e36662690bc25e1f8a921092750ddd8f27dbdec88d8f27c72

C:\Users\Admin\AppData\Local\Temp\Z7wjuwD\_Files\_Screen_Desktop.jpeg

MD5 d3971f316f416b9f26e63474465356f5
SHA1 e74b374f15804b2b1fa1c95fecc097d535d82f2a
SHA256 499519c173f5b0d3743656b26b9a257d66d92d614722ec5677d92139a51280a5
SHA512 44250211f742296395794c57f0b6538719f1c9fe9bb6705374c6f66cccc2a61c8a865254720e7d30d672fbedbacd9ca58f9db23bf0654853a55a4dfcdcc115f8

memory/1848-222-0x0000000000400000-0x000000000095B000-memory.dmp

memory/1848-225-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

memory/1848-226-0x0000000000220000-0x00000000002C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Z7wjuwD\pKVjsevjuJf.zip

MD5 eb7cf715d7c4b6342ef5dec4063f4d45
SHA1 a1cc6cc6b01a1cf196cc57a9d3d34448a523a015
SHA256 040318799fd96cf114543f9f5553c5540c8bc3901df7bc408b2534d423d07f05
SHA512 ded6aa99a20404e0e9036386558ffc99c5e0fd2401dda85792d3d610a3245f5ca032ddd24860f09c34cc972c35aebde1a6301800cdf706da62f796a4fee5bae5

memory/1848-228-0x0000000000A60000-0x0000000000A61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-11 23:59

Reported

2024-01-12 00:02

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe

"C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 137.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | lysayu42.top | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | morbyn04.top | udp
US | 8.8.8.8:53 | morbyn04.top | udp
US | 8.8.8.8:53 | morbyn04.top | udp
US | 8.8.8.8:53 | morbyn04.top | udp
US | 8.8.8.8:53 | morbyn04.top | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | morbyn04.top | udp
US | 8.8.8.8:53 | morbyn04.top | udp
US | 8.8.8.8:53 | morbyn04.top | udp
GB | 88.221.134.137:80 | | tcp
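
The Network tables of behavioral1 and behavioral2 mix three kinds of rows: forward DNS queries for names (lysayu42.top and morbyn04.top are the only ones that appear in both detonations; tse1.mm.bing.net appears only in the Windows 10 run), reverse (PTR) lookups under in-addr.arpa, and direct TCP connections, one of which (88.221.134.137:80) has no domain and is the address that 137.134.221.88.in-addr.arpa resolves back to. The script below is an added example, not part of this report or of the sandbox's tooling: it parses rows in the report's space-separated layout, separates queried names from PTR lookups, finds the names common to every run, and links direct connections to the PTR lookups of their peer address. The sample rows are copied from the two tables above (a subset for behavioral2); treating "common to all runs" as the indicator most likely tied to the sample is this example's triage rule, not a claim the report makes.

```python
"""Triage of the flattened Network rows from a sandbox report.

Added example for this page; it is not part of the report and not the
sandbox's own tooling. BEHAVIORAL1 and BEHAVIORAL2 are rows copied from
the two detonations above (a subset for behavioral2); the split between
queried names and reverse (PTR) lookups is this example's rule.
"""
import re
from collections import Counter

# Constructed samples: rows copied verbatim from the page's Network tables.
BEHAVIORAL1 = """\
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 morbyn04.top udp
"""

BEHAVIORAL2 = """\
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 morbyn04.top udp
US 8.8.8.8:53 137.134.221.88.in-addr.arpa udp
GB 88.221.134.137:80 tcp
"""

# Country, ip:port, optional domain, protocol. The domain column is empty
# for the direct TCP connection on the last row, so it is optional here.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Turn space-separated rows into dicts; fail loudly on a row the
    pattern does not understand rather than silently dropping an indicator."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised network row: {line!r}")
        ev = m.groupdict()
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def ptr_target(domain):
    """'137.134.221.88.in-addr.arpa' -> '88.221.134.137' (octets are reversed)."""
    octets = domain[: -len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(octets))


def triage(events):
    """Separate forward DNS queries (names worth blocking or pivoting on) from
    reverse lookups, which only reveal addresses the host already talked to."""
    queries = Counter()
    ptr_for = set()
    connections = set()
    for ev in events:
        if ev["port"] == 53 and ev["proto"] == "udp" and ev["domain"]:
            if ev["domain"].endswith(PTR_SUFFIX):
                ptr_for.add(ptr_target(ev["domain"]))
            else:
                queries[ev["domain"]] += 1
        else:
            connections.add((ev["ip"], ev["port"], ev["proto"], ev["domain"]))
    return {"queries": queries, "ptr_for": ptr_for, "connections": connections}


def common_domains(*runs):
    """Names queried in every detonation: the ones most likely tied to the
    sample rather than to the guest platform."""
    per_run = [set(triage(parse_rows(run))["queries"]) for run in runs]
    return set.intersection(*per_run)


def connections_with_ptr(summary):
    """Direct connections whose peer address was also reverse-resolved."""
    return {c for c in summary["connections"] if c[0] in summary["ptr_for"]}


if __name__ == "__main__":
    s = triage(parse_rows(BEHAVIORAL2))
    print("queried:", dict(s["queries"]))
    print("ptr targets:", sorted(s["ptr_for"]))
    print("common to both runs:", sorted(common_domains(BEHAVIORAL1, BEHAVIORAL2)))
    print("connections with PTR:", connections_with_ptr(s))
```

Run against the full behavioral2 table the same way; the parser raises on any row it cannot classify, which is preferable to a blocklist that quietly misses an entry.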

Files

memory/3776-1-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

memory/3776-2-0x0000000000BE0000-0x0000000000C80000-memory.dmp

memory/3776-3-0x0000000000400000-0x000000000095B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aEdtggd\_Files\_Information.txt

MD5 833b5534a5bbc77385b7e8be9c75090b
SHA1 7322d42249cd7794d2fb5e6747439728b80c4018
SHA256 68e63977593748eccaf4ca241a2bf8f97217cffa10d9debfe67291794f18707b
SHA512 0ed46b4e67a5e2dabc939f175cdb8e89988ef6786d5091ff2037583c95b78cae818b15078b572295e82e9345f48437047ad95da183ca639ec76bfa65b36df6ea

C:\Users\Admin\AppData\Local\Temp\aEdtggd\_Files\_Information.txt

MD5 f3e6b2babbe893de5ada56f9d31bdad3
SHA1 31554baaf84954a6191718f0e69893aee45025f3
SHA256 f26792cc37647df2c6c0d113d6d088059318042356cbef7547a34542cbf43935
SHA512 e08d5e2c42cf6d0eb6c5be2527de9c064c13b3d999bf19bd87d3d6cd9dc1185e4fd7c2390c57f02f1f50282544798de799532214cf4e42be7e0214eeccdd03a0

C:\Users\Admin\AppData\Local\Temp\aEdtggd\_Files\_Screen_Desktop.jpeg

MD5 41d9792bcdec504fbf2f6a0e5125bb59
SHA1 cd78db76b317281785e835a97939029fc9f19c5d
SHA256 bd6e4cc51ef7c89ceb24f2bb5b0aaf02976f20b5f64bab7b7e66819e34750a92
SHA512 939311a9be8634f7326e2fb775260f7afa9ee37021b277c7aee5d846feed7c22410ffb7a3a81c20a38e24de5cd50b62d1cadc9f1a69ca4e3680736cff6009547

C:\Users\Admin\AppData\Local\Temp\aEdtggd\files_\system_info.txt

MD5 4a57a0b9fcb6a138c5a9235a61819f36
SHA1 fefc08fb0edcfbcc2486ee7bffe616558721563d
SHA256 143f1f16d7cf5d326eb65f5179ab0c68df4e1bc83a127b7842618a9479d23ae9
SHA512 79b60fc47dbd86d2e3f74a12e836b35401edd4e6047659c0cabeb78da93cf21f9b872bd64324b943318e1f57b3071a7c38b7923896deac909d1fddc5d292ce5e

C:\Users\Admin\AppData\Local\Temp\aEdtggd\files_\system_info.txt

MD5 6a2a10d01c1bc8c28e2e349ba29534eb
SHA1 8fe587d7b43b9aa4c64d2d8a7be41c4b37bc5ce1
SHA256 8acee47ea45ad7a263452c80ad37d5e24c1a2699d38cca56021015c4a80457bc
SHA512 44f7d6845095d798fb8fdd06ca8b9b9a04c8c4adff165073656d459d3088972a816ed3a66c1d4d8d3014d74045eec0a0ded334789f76f2b8610e6ce114bac0e6

memory/3776-208-0x0000000000400000-0x000000000095B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aEdtggd\RlPb3nYU8fLsF.zip

MD5 5c0acdcd726ad68245d9b46bc4fe2b99
SHA1 27efb2dd928c6933c135882f1939cbf0797981f9
SHA256 2c100fe6071883399ab74d7e6ed59e7c0dc9688f8349d664a1396887ba8595d1
SHA512 1db21cc302c823aa6974e369d08694871662e33860d9d2ac92e079208065cc10d0faec98997e622a437fd5156c764fe08a01e17f684eab478bc1b62e26cb7a31

memory/3776-212-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

memory/3776-213-0x0000000000BE0000-0x0000000000C80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aEdtggd\EyjeffWr77FD.zip

MD5 1f6d938bf2cafec7ab782d0e82f6de4c
SHA1 b8f00e147554f7bab6884414c463ab7d81c7b411
SHA256 50f33d83f450e1344d7608e0c236f7156bae3468abdb51cb1da85800237f01b1
SHA512 a52cba4ee96337e0e2bfdf36b4b6a2fab7d9b27b349d397d66dce083c03e3d9cd6973a6d88172b93db1ae98f73c4268a210392aca7ad4a82849bb1f021955b04
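
The Files sections of behavioral1 and behavioral2 show the same layout on both platforms: a seven-character directory under the user's Temp folder holding _Files\_Information.txt, _Files\_Screen_Desktop.jpeg, files_\system_info.txt and one or more .zip archives with random names. The same path is listed several times with different hashes (Z7wjuwD\_Files\_Information.txt four times in behavioral1), i.e. the file was rewritten during the run, so the MD5/SHA values of these text files are per-run and not reusable as indicators; the directory layout is what recurs. The script below is an added example, not part of this report or of the sandbox's signature logic: it flags a Temp subdirectory when at least two kinds of these artefacts land in it and counts how many distinct contents each path was written with. The (path, sha256) events are copied from the two Files sections above plus two constructed benign entries; the artefact labels, the seven-character directory length and the .zip name length are assumptions inferred from only these two detonations and should be loosened before use as a real rule.

```python
"""Path-layout hunt for the stealer staging directory seen in this report.

Added example for this page; not part of the report and not the sandbox's
own logic. EVENTS are (path, sha256) pairs copied from the Files sections
of behavioral1 and behavioral2 plus two constructed benign negatives. The
MARKERS labels and the length limits in the patterns are assumptions
inferred from only the two detonations on this page.
"""
import re
from collections import defaultdict

Z7 = r"C:\Users\Admin\AppData\Local\Temp\Z7wjuwD"   # behavioral1 (Windows 7)
AE = r"C:\Users\Admin\AppData\Local\Temp\aEdtggd"   # behavioral2 (Windows 10)
EVENTS = [
    (Z7 + r"\_Files\_Information.txt", "ac08a8aaa7f182f6152cdadfae1b77e59c7b503dd8c3ce58041ff41f1afbfa6b"),
    (Z7 + r"\_Files\_Information.txt", "d95a887de090be139cebfd31bf8835bdcd8f35a8d5463ceb6e6f505098caed36"),
    (Z7 + r"\_Files\_Information.txt", "32abb85a21ef29b0f14c262fb8e469645c699b8a058e50cdc975abac54b02813"),
    (Z7 + r"\_Files\_Information.txt", "745a01c27be3f8490055bf9af36137d3ea410be9ff2cfcf2a2ebbbc62d83e5f9"),
    (Z7 + r"\files_\system_info.txt", "baa9a2221f0375879173d66ee45383a14396a7dce0ff010ee99ee40b3d9c4b3b"),
    (Z7 + r"\files_\system_info.txt", "883ea0e68d64f097cfb92dedf419731c8757758f97477a1822e833ca5526374e"),
    (Z7 + r"\files_\system_info.txt", "e1931935bd25a88a056a088e3f1b49b209601bca6ceae78ad60b6d08f915b400"),
    (Z7 + r"\files_\system_info.txt", "1439a982a3ac809d7f76bdd1e17fefdd7edb07936d2d08cf067574d91b0f1f54"),
    (Z7 + r"\_Files\_Screen_Desktop.jpeg", "499519c173f5b0d3743656b26b9a257d66d92d614722ec5677d92139a51280a5"),
    (Z7 + r"\pKVjsevjuJf.zip", "040318799fd96cf114543f9f5553c5540c8bc3901df7bc408b2534d423d07f05"),
    (AE + r"\_Files\_Information.txt", "68e63977593748eccaf4ca241a2bf8f97217cffa10d9debfe67291794f18707b"),
    (AE + r"\_Files\_Information.txt", "f26792cc37647df2c6c0d113d6d088059318042356cbef7547a34542cbf43935"),
    (AE + r"\_Files\_Screen_Desktop.jpeg", "bd6e4cc51ef7c89ceb24f2bb5b0aaf02976f20b5f64bab7b7e66819e34750a92"),
    (AE + r"\files_\system_info.txt", "143f1f16d7cf5d326eb65f5179ab0c68df4e1bc83a127b7842618a9479d23ae9"),
    (AE + r"\files_\system_info.txt", "8acee47ea45ad7a263452c80ad37d5e24c1a2699d38cca56021015c4a80457bc"),
    (AE + r"\RlPb3nYU8fLsF.zip", "2c100fe6071883399ab74d7e6ed59e7c0dc9688f8349d664a1396887ba8595d1"),
    (AE + r"\EyjeffWr77FD.zip", "50f33d83f450e1344d7608e0c236f7156bae3468abdb51cb1da85800237f01b1"),
    # Constructed benign negatives (not from the report).
    (r"C:\Users\Admin\AppData\Local\Temp\abcdefg\readme.txt", "0" * 64),
    (r"C:\Users\Admin\Downloads\holiday.zip", "1" * 64),
]

# Relative paths under the staging root, lower-cased; labels are assumptions.
MARKERS = {
    r"_files\_information.txt": "victim summary",
    r"_files\_screen_desktop.jpeg": "desktop screenshot",
    r"files_\system_info.txt": "system inventory",
}
# Seven-character alphanumeric directory directly under %LOCALAPPDATA%\Temp,
# as in both runs above (assumption: real samples may vary the length).
STAGING = re.compile(
    r"^(?P<root>[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[a-z0-9]{7})\\(?P<rel>.+)$",
    re.IGNORECASE,
)
ARCHIVE = re.compile(r"^[a-z0-9]{11,13}\.zip$", re.IGNORECASE)


def classify(path):
    """Return (staging_root, artefact_kind) for a path that fits the layout,
    else None. Windows paths are case-insensitive, so compare lower-cased."""
    m = STAGING.match(path)
    if m is None:
        return None
    rel = m.group("rel").lower()
    if rel in MARKERS:
        return m.group("root"), MARKERS[rel]
    if ARCHIVE.match(rel):
        return m.group("root"), "exfil archive"
    return None


def find_staging_dirs(events, min_kinds=2):
    """Flag a Temp subdirectory only when at least min_kinds distinct artefact
    kinds land in it, so one stray .zip in Temp does not fire by itself."""
    kinds_by_root = defaultdict(set)
    for path, _sha in events:
        hit = classify(path)
        if hit:
            kinds_by_root[hit[0]].add(hit[1])
    return {root: kinds for root, kinds in kinds_by_root.items() if len(kinds) >= min_kinds}


def distinct_hashes(events):
    """How many different contents each path was written with during the run."""
    by_path = defaultdict(set)
    for path, sha in events:
        by_path[path].add(sha)
    return {path: len(shas) for path, shas in by_path.items()}


if __name__ == "__main__":
    for root, kinds in find_staging_dirs(EVENTS).items():
        print(root, sorted(kinds))
    for path, n in distinct_hashes(EVENTS).items():
        if n > 1:
            print(f"{n} distinct contents: {path}")
```

Feed it file-create events from an EDR or Sysmon export (path plus hash) and the second loop shows which paths are rewritten repeatedly, which is the quickest way to spot indicators whose hashes are not worth sharing.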