Malware Analysis Report

2024-10-23 17:14

Sample ID 240113-hz529aebal
Target 584d548c03e8861214a069d6da77fa95
SHA256 7d5b421a001c3fa5345f5f6603e675b5d55b145a96f7669ae983a0e81fb24d2c
Tags
cryptbot discovery spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

7d5b421a001c3fa5345f5f6603e675b5d55b145a96f7669ae983a0e81fb24d2c

Threat Level: Known bad

The file 584d548c03e8861214a069d6da77fa95 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-13 07:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-13 07:11

Reported

2024-01-13 07:14

Platform

win7-20231215-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe

"C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 morbyn04.top udp

Files

memory/1748-1-0x00000000009D0000-0x0000000000AD0000-memory.dmp

memory/1748-2-0x00000000002A0000-0x0000000000340000-memory.dmp

memory/1748-3-0x0000000000400000-0x000000000095E000-memory.dmp

memory/1748-4-0x0000000000B30000-0x0000000000B31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QPTvY8R\_Files\_Information.txt

MD5 713ad559c19169d10c176595889536d0
SHA1 446c87a82dbbabc8b1394da25c50b2c5d0b9fbfd
SHA256 42a4879c7f2cdb3732b507abbe3eb5e65ee708949fe1a4aea2878c2a2352d862
SHA512 d3224924292105840cb9cee16f915dda8dd449f3fbb4639f41ba02110275a82194fd40b7b3a0736129f59fd3266a21fa77d81795a68cdd9b5455918c8f3cf463

C:\Users\Admin\AppData\Local\Temp\QPTvY8R\_Files\_Information.txt

MD5 d4ba44cc5078f46a44bbd4f3d4f19f24
SHA1 a92666d333d27114b817aeb946455429600e2d0b
SHA256 dff3b2ccc43dcc5014b836e6a616a44f33505427559f19ee100c13cfc4a0c0e4
SHA512 cb345ff00b7e96948e44afb6522e52dbfe05daffc06b3f5ecac3149aa2365c63a985e61ae8e1f205bc2a36ff0d45749c4246b10753e3a7fedf51c3d978ff590c

C:\Users\Admin\AppData\Local\Temp\QPTvY8R\_Files\_Information.txt

MD5 0289dae89f725d34104a40f7eed7fea2
SHA1 d0a995f64b1e57b9a1e4f43855d885a0bbde705d
SHA256 d8c66de4eec2faa6d9bd4ffb6ccea3d28c0e04861a1dbbe07ff3b33422618289
SHA512 56a1826e411d20ed319c29aba48d4c31073fca44ea6827922c34ae3efa527cbae716b495e69ecc722fc858d029fb6ebe45b40d81e4c8b0f75a46c09bffbc8378

C:\Users\Admin\AppData\Local\Temp\QPTvY8R\_Files\_Information.txt

MD5 1303806217808a8404731ec64f65f4f1
SHA1 51eb690b35e70e9d2b8d66d2c128ab659ebf7074
SHA256 3e76fe2ee51deb59ae9c66bdf0ad06dfb9837994f4633173556f2430b18a618e
SHA512 1f38cc34128707a0ab7afcc4527a1107c26924eb1a201eccbc796f50dec70c8bdeba0e42bd7456a5735ea0b91a5d077155d9847fee46e85a40456968d2f3b0cd

C:\Users\Admin\AppData\Local\Temp\QPTvY8R\files_\system_info.txt

MD5 c54405ec2c14058166821f39013272fd
SHA1 17c6e1a48bbd4be8edd2fa4b7bca203949e31cbd
SHA256 6457af26f6b122d77c36d7c5e4ce997c8a657618fef4c672f7e90bb073b9a842
SHA512 131e9d6e8be7777247727aa779f8d6f5cdf5e13d9eb018fe961196458a8227daf44ddc468084a93b0d706106f5e862129f7f7743be5e6fe516acf23c457ece7f

C:\Users\Admin\AppData\Local\Temp\QPTvY8R\files_\system_info.txt

MD5 1fbc3db49727cfd267b2839f8da55d70
SHA1 5a3be04aee98df4a2cbd6a2425001a4b2d5f7ee7
SHA256 ae0b6d65854f850bc484d16ef503a3aff0d680131b139aa55f84fe5e9a922435
SHA512 7be09f298ec4e5c675ea6cc3ab82cbb6e2130b8a6298931c4d15cf17fb551ef106396c4a70242ae597385e75304a29fc04e8427532c799b3334df111a990ee44

C:\Users\Admin\AppData\Local\Temp\QPTvY8R\files_\system_info.txt

MD5 cc520ced9b8dce4843ef29c945c5f815
SHA1 e7c722ffa8b51df2ad552027f29e267a23c043dd
SHA256 bf9aa171631d6bdbbc9ff6380a2f7add63472a6293732d673b1cdcc8ba8025aa
SHA512 5db7d1d9bc230727d487606a3140d9e9b83ec194543e5949e90f0f355f3cebb20ee8bee1f3724ebfe62f37633c6dce4a2924eca6dc171b26cc583fa4e6872943

C:\Users\Admin\AppData\Local\Temp\QPTvY8R\_Files\_Screen_Desktop.jpeg

MD5 dfb0a084c190d08d28eb84b5e458d855
SHA1 7809b4da9238e8ddf20ffa4286085a657eda0d7a
SHA256 7afad31a24d1fd0a90a27802dfa3c67028c4174a0045f01d9ac6d03cdddfc2fa
SHA512 3af0e4caeaa3a2c994496bb3f1a9aff6210dfe04cbfd6a10e69e1729b40627ef41e1af2439e40f046a6ca7a8b5268369339c58e555761e8d6f7580f9c5925abb

C:\Users\Admin\AppData\Local\Temp\QPTvY8R\files_\system_info.txt

MD5 9ab78f6a4c80b9573d9a87a633248d5e
SHA1 affc3511b9c2939b6b84bbf4e815594cb0a24993
SHA256 7bb4cd41dd4e22aaa0fbb0cebbb06ffc6de36381c4c6b50a9eef2e9e243f6ed2
SHA512 ca21ada4f93b81a9f7e7bb64aeb215070cbc7c7e729b21237cc09b8068e502b67683f7157b8a5033fd667b655421327bfe05978e6f689238f70e4bb1e1e71687

C:\Users\Admin\AppData\Local\Temp\QPTvY8R\files_\system_info.txt

MD5 46126c6504cfd2e40b1ab318d28b2a65
SHA1 4d906329e92396a098aa4110802628c7aa6fb26a
SHA256 e0ec90568eddb9b8a28ee668de9221dbe46b1bd803aed5505cfd1401bb521397
SHA512 2f515ba274db3d200f7e1816fbdeca33570a4985eb20d6429f4857d89bd0490df33768e101ec1096c4e578197c1edbb28881283090ab86a87dab78b9578994f4

memory/1748-222-0x0000000000400000-0x000000000095E000-memory.dmp

memory/1748-225-0x00000000009D0000-0x0000000000AD0000-memory.dmp

memory/1748-226-0x00000000002A0000-0x0000000000340000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QPTvY8R\WmjZIrHXpK4.zip

MD5 399b83e1b95f20700af58539bfa48cc2
SHA1 ab95366195d379b266e0db30c3c3b5e4070a240d
SHA256 7719b30d56b9e2543eaa0a302fceb3d8f31d019842782806fea12e5424514248
SHA512 9057c99692ad2b77cf9b2c3e5add322f90876b157743d7ab8361473c5658fcb009d2c0269471a4170991ebf438a07da74e1ff4be7c83f1aac7f6086e97b24b3d

memory/1748-228-0x0000000000B30000-0x0000000000B31000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-13 07:11

Reported

2024-01-13 07:14

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe

"C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 lysayu42.top udp
US 8.8.8.8:53 morbyn04.top udp
US 8.8.8.8:53 morbyn04.top udp
US 8.8.8.8:53 morbyn04.top udp
US 8.8.8.8:53 morbyn04.top udp
US 8.8.8.8:53 morbyn04.top udp

Files

memory/4980-1-0x0000000000B50000-0x0000000000C50000-memory.dmp

memory/4980-2-0x0000000000960000-0x0000000000A00000-memory.dmp

memory/4980-3-0x0000000000400000-0x000000000095E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PJClorZ\_Files\_Information.txt

MD5 fccb2da2942af98943588b2354d3f4ac
SHA1 a7160c183018a067dd6f022bf788a39dc7700628
SHA256 238656aba67dd73a43542098596858ace5a0c67ecbb73964bec30c199e41a5db
SHA512 c10cb1c46d267f6f2b6b639ea9f9ff355f28e9bf91af4a5c5d5c5bcef091359e437e1a9498ddf70c2435dc6c07cf036bedc6973bbb8ffef6b81f43dd4b53bce4

C:\Users\Admin\AppData\Local\Temp\PJClorZ\_Files\_Information.txt

MD5 60c40f0799c2a13875b34faa647f5915
SHA1 ecee815f93d14e05fc9e6002e48f0a17feab3784
SHA256 e1f39d0f6f696ffb06da2247d5619a184ecb744f9aa522c784a806a5fb9510b5
SHA512 fe9f4a5174c137405b79f8a06818f2f908b50ce2023b1cf4476009a13f8ada6b5e74c6c7bec48f8581e397cfa471669dd5aedab23a80ebe1f2bac1f40aaeab2f

C:\Users\Admin\AppData\Local\Temp\PJClorZ\_Files\_Screen_Desktop.jpeg

MD5 dbd285ec248241111875d3768d454de2
SHA1 244fcf5b71c037310346c340b36d1dcf402d5f4e
SHA256 e9e551e481c09df928379003aced0705cceed978ea34cc37c36612fbb9f1df88
SHA512 1c9a7ebb21b8359a7635d560bbda5bbbbadbe3cfd194e5a93760e3b83a0f81740f43b1f42e90e5436dc687fa7d12e7c9718a9f953a37559e96c9c74c98ba0297

C:\Users\Admin\AppData\Local\Temp\PJClorZ\files_\system_info.txt

MD5 e0e6b46040cec0b43dfa21baf8953d3e
SHA1 6ab7d260355b7863f781bcaddbbeb43fb4be9a24
SHA256 6a3eb64877d4306502b73ecd019f6ddd1ad4f20ef28e523de05bbdd5b3b4bb62
SHA512 0861891fd607f12bb97985447912cf1b051373796edbba8ee492cddc41a16cc73111836a4087bdf3a3c2d11cab246aa6a5cf20943d91f90e1160c54aa3de99c4

C:\Users\Admin\AppData\Local\Temp\PJClorZ\files_\system_info.txt

MD5 5e634961645265f13e669f40c04e26a1
SHA1 0d65ec0024dff4f2ddfb892c1eff982c55896159
SHA256 7db38bfe90e59e8aa64b4ecd69c2bb9b4a79fe6145a4fa529565a4ea19a036bc
SHA512 880f57aed927c7603ed48820fda1007f97628463ab0ad6c0bb199fe5f3d6448aeedd1b848d80debf3da4879e3c94884e162f094f0b7879cc4b05206aceb0bb2f

C:\Users\Admin\AppData\Local\Temp\PJClorZ\files_\system_info.txt

MD5 78c5b74438971a02ee412a41b7724e73
SHA1 50bbf91b45a7de299659c0d82854c9df1a63e2ac
SHA256 cae3b351e295bfe61bcb19f5080d11cee7183d6c82de70244e19bf4d499234ff
SHA512 097ccc2d6045488ef15eee432a2df0b7fa2a23a8a7900a39dd621e839bf3224f8558eb3c919aa3dde0037f5f65edd394c5025c0c281d558a1cff2dfbefba9451

memory/4980-208-0x0000000000400000-0x000000000095E000-memory.dmp

memory/4980-210-0x0000000000B50000-0x0000000000C50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PJClorZ\tLJh8iCK4xPbO1.zip

MD5 c1e29d6f44d1d95bb79f4e34d4e1d99e
SHA1 598fc106f77667950f7332d4c8adf4e2be59d985
SHA256 82f556f059af5605be764ae5a49e892c18adf8f2ca152fb70da8f35beebde1f2
SHA512 b6bce1b689bd2512a7da63dbc0de4234bb4fb5b6a9004fbf59ac69c6fee10df884f9d708a423b1bc9260561f78f8aab622c7d02b4e3159ccab14e23a02cfb691

memory/4980-213-0x0000000000960000-0x0000000000A00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PJClorZ\c4z6XIlm.zip

MD5 384c7220d43f049280f4756b58b49a9e
SHA1 a06413fcaa1cd14ef12eac24bb725b1bbbef1856
SHA256 f5a4885066411f3a5c20f62e149d728ed655dec8b58f856de950dd41616ae6da
SHA512 f65f8f6271ae54e5a363150bdfca677b0d599bc658df54f2aa90cbbee26cc2c36d2163e507735c15456299021762bc2d9e9e87d99b664f46d572e3eebafe6d6e