Analysis Overview
SHA256
0ff144c6195170469fe4c678d394adf47a4d7b7e0c5a00d7282d284fe973bcb6
Threat Level: Known bad
The file 52f166f6aeb75858dc1b2eddd57874f8 was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-11 07:45
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-11 07:45
Reported
2024-01-11 07:48
Platform
win7-20231215-en
Max time kernel
157s
Max time network
165s
Command Line
Signatures
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe
"C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ewafal62.top | udp |
| US | 8.8.8.8:53 | moruat06.top | udp |
Files
memory/2340-1-0x00000000033B0000-0x00000000034B0000-memory.dmp
memory/2340-2-0x0000000000330000-0x00000000003D0000-memory.dmp
memory/2340-3-0x0000000000400000-0x00000000032A7000-memory.dmp
memory/2340-4-0x00000000033A0000-0x00000000033A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\_Files\_Screen_Desktop.jpeg
C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\files_\system_info.txt
memory/2340-221-0x0000000000400000-0x00000000032A7000-memory.dmp
memory/2340-226-0x0000000000330000-0x00000000003D0000-memory.dmp
memory/2340-225-0x00000000033B0000-0x00000000034B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\YqqGsCnf0VCl.zip
memory/2340-228-0x00000000033A0000-0x00000000033A1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-11 07:45
Reported
2024-01-11 07:48
Platform
win10v2004-20231215-en
Max time kernel
161s
Max time network
167s
Command Line
Signatures
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe
"C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe"
Network
Files
memory/3824-1-0x0000000003620000-0x0000000003720000-memory.dmp
memory/3824-2-0x0000000003570000-0x0000000003610000-memory.dmp
memory/3824-3-0x0000000000400000-0x00000000032A7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mnVCBVW\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\mnVCBVW\_Files\_Screen_Desktop.jpeg
C:\Users\Admin\AppData\Local\Temp\mnVCBVW\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\mnVCBVW\files_\system_info.txt
memory/3824-207-0x0000000000400000-0x00000000032A7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mnVCBVW\yng6hIwnqYL.zip
memory/3824-212-0x0000000003620000-0x0000000003720000-memory.dmp
memory/3824-213-0x0000000003570000-0x0000000003610000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mnVCBVW\j7MwrfAK.zip