Malware Analysis Report

2024-10-23 17:14

Sample ID: 240111-jls17scga5
Target: 52f166f6aeb75858dc1b2eddd57874f8
SHA256: 0ff144c6195170469fe4c678d394adf47a4d7b7e0c5a00d7282d284fe973bcb6
Tags: cryptbot discovery spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 0ff144c6195170469fe4c678d394adf47a4d7b7e0c5a00d7282d284fe973bcb6

Threat Level: Known bad

The file 52f166f6aeb75858dc1b2eddd57874f8 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-11 07:45

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-11 07:45
Reported: 2024-01-11 07:48
Platform: win7-20231215-en
Max time kernel: 157s
Max time network: 165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload


Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe

"C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ewafal62.top udp
US 8.8.8.8:53 moruat06.top udp

Files

memory/2340-1-0x00000000033B0000-0x00000000034B0000-memory.dmp

memory/2340-2-0x0000000000330000-0x00000000003D0000-memory.dmp

memory/2340-3-0x0000000000400000-0x00000000032A7000-memory.dmp

memory/2340-4-0x00000000033A0000-0x00000000033A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\_Files\_Screen_Desktop.jpeg

C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\files_\system_info.txt

memory/2340-221-0x0000000000400000-0x00000000032A7000-memory.dmp

memory/2340-226-0x0000000000330000-0x00000000003D0000-memory.dmp

memory/2340-225-0x00000000033B0000-0x00000000034B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Z64DIeVDKY\YqqGsCnf0VCl.zip

memory/2340-228-0x00000000033A0000-0x00000000033A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-11 07:45
Reported: 2024-01-11 07:48
Platform: win10v2004-20231215-en
Max time kernel: 161s
Max time network: 167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload


Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe

"C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe"

Network


Files

memory/3824-1-0x0000000003620000-0x0000000003720000-memory.dmp

memory/3824-2-0x0000000003570000-0x0000000003610000-memory.dmp

memory/3824-3-0x0000000000400000-0x00000000032A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mnVCBVW\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\mnVCBVW\_Files\_Screen_Desktop.jpeg

C:\Users\Admin\AppData\Local\Temp\mnVCBVW\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\mnVCBVW\files_\system_info.txt

memory/3824-207-0x0000000000400000-0x00000000032A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mnVCBVW\yng6hIwnqYL.zip

memory/3824-212-0x0000000003620000-0x0000000003720000-memory.dmp

memory/3824-213-0x0000000003570000-0x0000000003610000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mnVCBVW\j7MwrfAK.zip
