Malware Analysis Report

2024-10-23 17:14

Sample ID 240112-hme1ascaf7
Target 55c61c75644d75f6db561a8fb294876b
SHA256 0274cb61fea6621c4d2d7eced3bfc1fbf14d890024cc19a9e1c694693547a06b
Tags
cryptbot discovery spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

0274cb61fea6621c4d2d7eced3bfc1fbf14d890024cc19a9e1c694693547a06b

Threat Level: Known bad

The file 55c61c75644d75f6db561a8fb294876b was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-12 06:50

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-12 06:50

Reported

2024-01-12 07:18

Platform

win7-20231129-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload


Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe

"C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ewakyc72.top udp
US 8.8.8.8:53 moraiw07.top udp

Files

memory/2172-1-0x0000000001610000-0x0000000001710000-memory.dmp

memory/2172-2-0x0000000000220000-0x00000000002C0000-memory.dmp

memory/2172-3-0x0000000000400000-0x000000000146F000-memory.dmp

memory/2172-4-0x0000000002E40000-0x0000000002E41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Fwzfnsjv\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\Fwzfnsjv\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\Fwzfnsjv\_Files\_Screen_Desktop.jpeg

C:\Users\Admin\AppData\Local\Temp\Fwzfnsjv\_Files\_Files\StepApprove.txt

memory/2172-226-0x0000000000400000-0x000000000146F000-memory.dmp

memory/2172-231-0x0000000000220000-0x00000000002C0000-memory.dmp

memory/2172-230-0x0000000001610000-0x0000000001710000-memory.dmp

memory/2172-233-0x0000000002E40000-0x0000000002E41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-12 06:50

Reported

2024-01-12 07:18

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload


Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe

"C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe"

Network

Files

memory/5244-1-0x0000000001720000-0x0000000001820000-memory.dmp

memory/5244-2-0x00000000030C0000-0x0000000003160000-memory.dmp

memory/5244-3-0x0000000000400000-0x000000000146F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2D6HRyBl8DF\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\2D6HRyBl8DF\_Files\_Screen_Desktop.jpeg

C:\Users\Admin\AppData\Local\Temp\2D6HRyBl8DF\files_\system_info.txt

memory/5244-208-0x0000000000400000-0x000000000146F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2D6HRyBl8DF\p8gZc5wBqRx.zip

memory/5244-212-0x0000000001720000-0x0000000001820000-memory.dmp

memory/5244-213-0x00000000030C0000-0x0000000003160000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2D6HRyBl8DF\yJaOx2dFR.zip
