Malware Analysis Report

2024-10-23 17:14

Sample ID 240115-kfxymsdeh8
Target 5c9bc69219f434c0d872aa764bd8e624
SHA256 3c3ec4c1e29ddd7df20882f14db717567717772eba3c25063564c7b8a665ac06
Tags
cryptbot discovery spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

3c3ec4c1e29ddd7df20882f14db717567717772eba3c25063564c7b8a665ac06

Threat Level: Known bad

The file 5c9bc69219f434c0d872aa764bd8e624 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Analysis: static1

Detonation Overview

Reported

2024-01-15 08:33

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 08:33

Reported

2024-01-15 08:35

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe

"C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 haibam72.top udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 morelm07.top udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/4880-1-0x0000000003090000-0x0000000003190000-memory.dmp

memory/4880-2-0x0000000002FA0000-0x0000000003040000-memory.dmp

memory/4880-3-0x0000000000400000-0x0000000002CCC000-memory.dmp

memory/4880-4-0x0000000000400000-0x0000000002CCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ocOKK0N\_Files\_Information.txt

MD5 52447c9d6f7c3ca14c63872caa4ea31f
SHA1 150f529a0e8be8bf0f9377d9a2b8ecffb8107dcc
SHA256 a5e2f91acb497a2c6e1c16e17846da89d7b918586b1551bbad8e4d78e48aafc2
SHA512 afa6f5f358fff7135ce6da8c2e7257bc80f54bf05c17a1c07c04d861b6a55235a0c7b21ff9028b4591925da7d7dc10f01a7457b9a64713d7f483cff6aea0c8b4

C:\Users\Admin\AppData\Local\Temp\ocOKK0N\_Files\_Information.txt

MD5 2d344e62ab82c12846743add10ce08e0
SHA1 d21e3aa8103421b5695881bb9e2f461625d8b5fe
SHA256 ddcfd0ba71adf3f916fb116c9323fcd56cdda4824c0776bab5e64f8e8c0eecac
SHA512 2675338fe2352da517c2fecc85dfbe71b8ca65fd8c6213f28c6eac73aa7f4a5578f68a5e0241159c2539ace4a6d8df3ce247ec570d5a0005e63574928fe6868d

C:\Users\Admin\AppData\Local\Temp\ocOKK0N\_Files\_Information.txt

MD5 9f0ec6e3c35d075ded64e5dc0b3df328
SHA1 1e2326209828a8c73416358154b05e33b79f9b3d
SHA256 48d57fdd9708e81237b5fa7aeceff3f61e5cd862795b3926297f38524bf9e0ee
SHA512 33f110ff82c9c90bd4d0b55a401ff1d2e12032977d289bc234c5d0fa1e704c04e206916cbfe8bc7c4a49abd3558b9576b9237e46c1089213209a1a508986cd81

C:\Users\Admin\AppData\Local\Temp\ocOKK0N\_Files\_Information.txt

MD5 254e83fcf2d900b919740fff243895f4
SHA1 cbc2920ec161984dc3fd1ff222d0d9b3845825e7
SHA256 e6279d8151afd696b9fc88050b43a29c961ac6703c16bc475be8958cd54461ed
SHA512 4d67d98035afebb0ddcc08b13ba14f5c5672d18dbe059153dd178cb07d2f4c79e65c05dd28d54fb542e5235f6085372a8670bf621bfa510f29bf3f45652f0b59

C:\Users\Admin\AppData\Local\Temp\ocOKK0N\_Files\_Screen_Desktop.jpeg

MD5 eb2e85cee22138119cd02e1ef5077ae9
SHA1 f2adc5af53c1325a587c9928991d0f66bff4d8ba
SHA256 e886f61b966805c419a74955c830fe316b3268f4f4a6ff7fb9c0a2847cb7671e
SHA512 061f42a70d1be382401aa1f70474fb962c03152e641a2125f540014f76cfa076daa451251582d8a14cebe0206ac680cbfb6076ed276fdaa2f65d6e1bb672ed77

C:\Users\Admin\AppData\Local\Temp\ocOKK0N\files_\system_info.txt

MD5 f9c9676c3a38fb817aa2f601db77f6aa
SHA1 3108431d5f0ed033f90ea2a7d769352627d0136a
SHA256 f69c4ad467ca26d40cc5ed480a1537496b62584d97b25826747afea98a6ca6ac
SHA512 471f941daf9f8bbf80a81f399ff243c033344a8655151bf4fa5942e4a2d53137ca4d69912dcfb5925877016faa873e0f53b3aba0b79c993bf021fb0ec1815113

C:\Users\Admin\AppData\Local\Temp\ocOKK0N\files_\system_info.txt

MD5 762adc72515e9a89095f6ab4965a8942
SHA1 ae1250bc5de97122e170306d9f448e4ae16c99ef
SHA256 a538ff9c6602d8fc5bc0e10c3311bdc3795345483959bd631fc1d9b4b8cd8a38
SHA512 a7d31062752d92dfaf43f7c53f8caf640fa88f576ad665b51ee9d254fb3ce51bcb251468b4c5e827a6effa88a86284b339fda4f9f6f9075bb7e935e2fe383353

memory/4880-210-0x0000000000400000-0x0000000002CCC000-memory.dmp

memory/4880-212-0x0000000003090000-0x0000000003190000-memory.dmp

memory/4880-213-0x0000000002FA0000-0x0000000003040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ocOKK0N\uoS1Mmkudt.zip

MD5 d2e3a9495d67951fabc5304337977440
SHA1 ab46a4b33505c30a5c2f9b7a098425ee7d5855f6
SHA256 ce1ea171db7ec0862855c7ff41dd7823e2cf619dc4fafc031021cc63dd887192
SHA512 d759b0579162277d9bb48613691c87672cabe8340c0a67e13dc177f0ff4dbd43382aa3f609239a3ce8299cc0d2175abd3bc3f2f21d91ca498537b860069cf85b

C:\Users\Admin\AppData\Local\Temp\ocOKK0N\fgefvbXXX.zip

MD5 9bbd26fcd00b053d822c23b036486eb9
SHA1 3692a9bbd310a82b4e051626c1d91c494b372748
SHA256 86e0e17d72212546b8d0b09dcbeb940fe67f68121452b0aed03c6c23d395177a
SHA512 81d39a07e7821f6575b572b03a3d3eb37f90c7e446a615100f1b2b0dbca1993e60adc32b4bed3e62718b422a83860479c5832633e0c51672ac7a38c710a693e7

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 08:33

Reported

2024-01-15 08:35

Platform

win7-20231215-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe

"C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 haibam72.top udp
US 8.8.8.8:53 morelm07.top udp

Files

memory/2104-1-0x0000000003130000-0x0000000003230000-memory.dmp

memory/2104-2-0x0000000000220000-0x00000000002C0000-memory.dmp

memory/2104-3-0x0000000000400000-0x0000000002CCC000-memory.dmp

memory/2104-4-0x0000000002E70000-0x0000000002E71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\_Files\_Information.txt

MD5 84bb0a5f0c9cd45955d8f95fbf4e7e99
SHA1 e9a022f5dc2b88e6d7713e3a9a1641295b3f08d3
SHA256 2c7c5d2181f1ce1c99532011c642706d28c02255eeb5b6fb1d01bbc968b26c39
SHA512 4519dec3b9620a7a9e5782f70cea2fac256fb0016ab86e30dc19015b7250885429d1495307abf0e657d2cf8eabc402f263fb93bbbe1f2062a6b84151e9e7931b

C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\_Files\_Information.txt

MD5 5401f72895a42a7ccda317ba0b0aaf79
SHA1 9c45b233173cd6702b1abf20c4ca506008acf451
SHA256 3f1d81236eb77459707e71aa82d256040a722936e416c103babe0fcb02746c04
SHA512 0d67eb8e73e334abac76004161f4dc2fe2f90d8b4a41ca40acd8c5e43808dece5cfc1485853df557effdcac305e7a09ea3e40e843077da554daa56b2e29b8831

C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\_Files\_Information.txt

MD5 3ce2942f879b66cb8a4cb2473afc6763
SHA1 987370691a651865d9a705e13775d0d63cd38570
SHA256 17bdc3bf1b959f628cf5a44e2f824fd92c1bd8bab6c6cf460744e4fcb8c6b602
SHA512 7df630321d24c2aa0ba5f279755c1ce5b52e15d39904d6b938a0e37d5063ceff7b033951036d2aa35301b3d9428a35a086da25cebcefbb9b9b7f12eb6a7416f5

C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\_Files\_Information.txt

MD5 ee6d411f20fa72c5d27edf5c33550d3f
SHA1 f96f2e692a94e97895a0f4d84de736e75f3403ef
SHA256 e1977c61bb5a5d1982803d6258fdb115e35c4ced5b15c91839e61e39eca6ec3e
SHA512 1e04de302ccb617ea5319ac637528cc78e899175aef7caf52bec86ca99d398d8436d0c2670da5457d839fde83aaa7b97f9ae99993ad4d7f3e1303e72a6d00555

C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\files_\system_info.txt

MD5 29c9d2cc2de503ae43676c1a70080fef
SHA1 58303196ada85c32c2b95bb421d06876a45a5a7f
SHA256 c930058a391653560df41784c197b5a979ad40f4c37a827bd1171db73af32664
SHA512 62b1396c35d7671695de480a850b12846c8827fa052bc7c0a32032845c777a0068727fd29bd4364adb2e83627f124f0967ba69bbefa2b473d9bcc05672b7d981

C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\files_\system_info.txt

MD5 231c7f2ac14f16102a1e9d23b14d3ef5
SHA1 89c357e4d53a3d3826b134091e2c79ad682e1306
SHA256 375ef6c2cb5b45a9a252951a3bea5fc2aa3685221b48bd17ef9d77020e242e49
SHA512 d7e9a51e876a845eee72623c629f2a118504657487b34e7eb40b89c63321fb866692afc1081830c7d974a2286a33b3e973941477a87d41e6d1e85f7cc48ac9cd

C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\files_\system_info.txt

MD5 c990a69e8e467484db767394e61788a4
SHA1 1e35e2cbbd85a1f173506fe4b20fa9cd1e05cc77
SHA256 61389420ac93a8277cfc15867078c8d01b89386a82c4934b3f4dd8c65baa91e2
SHA512 7b6f80866785b68a62e052559bb6b3424331c1d2a479f46db1443643a864ed3f93e05bedb0b8c9a581f9cfbe019be03cea62f22bee57f0110060530a0a0413e4

C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\files_\system_info.txt

MD5 341e7d5b30a94a72b24e4afa42039bb6
SHA1 bef814fd75c3d536867fb6182cce98400010934d
SHA256 9815fa88aa56382b016d13b94d02f533a443a90f488d610df29dc36bbff9e322
SHA512 6c540e149297042780240cfd24f34cd2ee9923a78ac5cf093a38ff3f27c8ca20cdc91c307432923fe2b67235bae67a744a5bbaca809bee200872464976438fb9

C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\_Files\_Screen_Desktop.jpeg

MD5 099e0f0ce405f4323036dfd2afb76ac1
SHA1 fa64ee4bb5d231d064127f59d7946f9579a671d7
SHA256 2c74dabe81de7139815a7d78eec42384279631718feec4861ca786f869639896
SHA512 04cf76f95d7caba517da2d6f13ca9a18507b2f3903d36724897237ff8747688af5fa7dead7ddb3deb54f02d06de42aa46efe7c2ced6d9a340046116d93da56c9

C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\_Files\_Files\UpdateCopy.txt

MD5 7c2b617e705f14ad444585696fe3fbab
SHA1 c5702b1e257585226b65095e1d352bade5629ef5
SHA256 c2523558b9fe8c09972788aafab015a5614f69a2a80710157b2e33c197669162
SHA512 67809dfc884484dc041d2383640ebc58a69cddc8eaecbfc528cf54edfa91c0211f893d5f800b213c289c61bfff26d1ae6d26bdc9ab821f0d7940e21d464edc50

memory/2104-226-0x0000000000400000-0x0000000002CCC000-memory.dmp

memory/2104-228-0x0000000003130000-0x0000000003230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\yFe43cQTLk1r.zip

MD5 2914580d240be6cc7774d023802b3a6c
SHA1 795f5b99e29464d7dc909d4b661bd06b3d5c1c5f
SHA256 5a5cb40f3f2a1172b485b12ad18ae92c75bd7c2f484ae564c7cbad0e589251e7
SHA512 2a7599bdd0215983fa97b6276ca1e35d08cabd8e5bae11152bba871b1d7ce4b7997f99590824e8309f6e7d19d95f4be14f24bd2f5650f0b8622d54d554f29f88

memory/2104-232-0x0000000002E70000-0x0000000002E71000-memory.dmp