Malware Analysis Report

2024-10-23 17:14

Sample ID: 240116-fzaj8sega9
Target (file name): 5f0f316459cf8e92f8705124acdbe3e4
SHA256: b118e2deb33dc46a4ae01ba586feafcae96251267ab36dee8aa7f282b7263d13
Tags: cryptbot, spyware, stealer, discovery
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: b118e2deb33dc46a4ae01ba586feafcae96251267ab36dee8aa7f282b7263d13
Threat level: Known bad

The file 5f0f316459cf8e92f8705124acdbe3e4 was found to be: Known bad.

Malicious Activity Summary

Tags: cryptbot, spyware, stealer, discovery

CryptBot

CryptBot payload

Checks computer location settings

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Enumerates physical storage devices

Program crash

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-01-16 05:18

Signatures

Unsigned PE

(no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-16 05:18
Reported: 2024-01-16 05:20
Platform: win7-20231215-en
Max time kernel: 117s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe"

Signatures

CryptBot (tags: spyware, stealer, cryptbot)

CryptBot payload

(4 hits; no description, indicator, process or target recorded)

Checks processor information in registry

Key opened
  Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Process:   C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe
  Target:    N/A

Key value queried
  Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Process:   C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe
  Target:    N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe

"C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe"

Network

N/A

Files

No file was written to disk in the Windows 7 run; the only artifacts are memory dumps of PID 2224, the sample process (region start-end addresses are encoded in the name):

memory/2224-1-0x0000000000270000-0x0000000000370000-memory.dmp

memory/2224-2-0x0000000001C10000-0x0000000001CF1000-memory.dmp

memory/2224-3-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/2224-6-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/2224-7-0x0000000001C10000-0x0000000001CF1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-16 05:18
Reported: 2024-01-16 05:20
Platform: win10v2004-20231215-en
Max time kernel: 90s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe"

Signatures

CryptBot (tags: spyware, stealer, cryptbot)

CryptBot payload

(4 hits; no description, indicator, process or target recorded)

Checks computer location settings

Key value queried
  Indicator: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation
  Process:   C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe
  Target:    N/A

Geo\Nation holds the GeoID of the country configured for the user profile. Reading it before any collection happens is the usual locale gate in commodity stealers; the report does not record what the sample does with the value, so treat the behaviour that follows as specific to the en-US analysis VM.

Reads user/profile data of web browsers (tags: spyware, stealer)

Accesses cryptocurrency files/wallets, possible credential harvesting (tags: spyware)

Checks installed software on the system (tags: discovery)

Enumerates physical storage devices

Checks processor information in registry

Key opened
  Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Process:   C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe
  Target:    N/A

Key value queried
  Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Process:   C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe
  Target:    N/A

Delays execution with timeout.exe (tags: evasion)

(no description or indicator recorded)
  Process:   C:\Windows\SysWOW64\timeout.exe
  Target:    N/A

Suspicious use of FindShellTrayWindow

(2 hits; no description or indicator recorded)
  Process:   C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe
  Target:    N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe

"C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5068 -ip 5068

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1692

PID 5068 is the sample itself (the memory dumps below carry the same PID), so both WerFault.exe instances are Windows Error Reporting handling the sample's crash (the "Program crash" entry in the summary). The cmd.exe chain is the clean-up step: it removes the staging directory WpLMkILJomce, waits three seconds via timeout.exe so the parent can exit, then deletes the parent executable. The "Delays execution with timeout.exe" signature fires on that wait, not on a sleep before the payload runs.
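The cmd.exe chain above is a detection opportunity that survives repacking of the payload. Below is an added example, not code from the sandbox or from the report, that parses a cmd.exe command line, splits it into its chained commands, and flags the "remove directory, wait, delete parent" pattern; the command lines it is run against are copied from this report's process list, and the benign contrast case is constructed. It generalizes slightly beyond the page by also recognising the `ping -n N` delay idiom, which is an assumption about other samples rather than something observed here.

```python
import re

# Command lines taken from the behavioral2 process list in this report.
PARENT_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe"
CMD_LINE = (
    r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce'
    r' & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe"'
)
# Constructed benign contrast case (not from the report): same "cmd /c ... & timeout" shape, no deletion.
BENIGN_CMD_LINE = r'"C:\Windows\system32\cmd.exe" /c dir C:\Temp & timeout 3'


def split_chain(cmdline):
    """Return the commands chained after cmd.exe's /c (or /k), split on &, &&, | and ||
    outside double quotes. Quotes are kept so tokens() can strip them per argument."""
    m = re.search(r'\s/[ck]\s+', cmdline, re.IGNORECASE)
    payload = cmdline[m.end():] if m else cmdline
    segments, buf, in_quotes, i = [], [], False, 0
    while i < len(payload):
        ch = payload[i]
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch in '&|' and not in_quotes:
            if i + 1 < len(payload) and payload[i + 1] == ch:  # '&&' or '||' is one operator
                i += 1
            segments.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    segments.append("".join(buf).strip())
    return [s for s in segments if s]


def tokens(segment):
    """Split one command on whitespace, treating "..." as a single token and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', segment)]


def analyse_cmd_chain(parent_image, cmdline):
    """Classify a cmd.exe command line spawned by parent_image.

    Flags the clean-up pattern in this report: recursively remove a staging directory,
    wait so the parent can exit (a running executable normally cannot delete its own
    image), then delete the parent executable."""
    verdict = {"removed_dirs": [], "delay_seconds": None, "deleted_files": [], "deletes_parent": False}
    for seg in split_chain(cmdline):
        toks = tokens(seg)
        if not toks:
            continue
        verb = toks[0].lower()
        switches = {t.lower() for t in toks[1:] if t.startswith("/")}
        args = [t for t in toks[1:] if not t.startswith("/")]
        if verb in ("rd", "rmdir") and {"/s", "/q"} <= switches and args:
            verdict["removed_dirs"].append(args[0])
        elif verb == "timeout" and args and args[0].isdigit():  # "timeout 3" or "timeout /t 3"
            verdict["delay_seconds"] = int(args[0])
        elif verb == "ping" and "-n" in toks:  # "ping -n N 127.0.0.1", assumed alternative delay idiom
            idx = toks.index("-n")
            count = toks[idx + 1] if idx + 1 < len(toks) else ""
            verdict["delay_seconds"] = int(count) if count.isdigit() else None
        elif verb in ("del", "erase"):
            verdict["deleted_files"].extend(args)
    verdict["deletes_parent"] = any(p.lower() == parent_image.lower() for p in verdict["deleted_files"])
    # Without the delay the deletion would race the still-running parent, so require both.
    verdict["is_self_delete"] = verdict["deletes_parent"] and verdict["delay_seconds"] is not None
    return verdict


if __name__ == "__main__":
    for line in (CMD_LINE, BENIGN_CMD_LINE):
        print(analyse_cmd_chain(PARENT_IMAGE, line))
```

Run against process-creation telemetry, the interesting join is parent image against the `del` target: a match is a strong signal regardless of the file name, and the removed directory gives the staging folder to collect before it disappears.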

Network

Country  Destination  Domain                         Proto
US       8.8.8.8:53   2.136.104.51.in-addr.arpa      udp
US       8.8.8.8:53   240.221.184.93.in-addr.arpa    udp
US       8.8.8.8:53   23.181.190.20.in-addr.arpa     udp
US       8.8.8.8:53   ewapyc22.top                   udp
US       8.8.8.8:53   morzup02.top                   udp
US       8.8.8.8:53   winqoz02.top                   udp
US       8.8.8.8:53   59.128.231.4.in-addr.arpa      udp
US       8.8.8.8:53   183.59.114.20.in-addr.arpa     udp
US       8.8.8.8:53   171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53   18.134.221.88.in-addr.arpa     udp
US       8.8.8.8:53   14.227.111.52.in-addr.arpa     udp

Everything captured is DNS over UDP to 8.8.8.8; no TCP connection appears in this run. The in-addr.arpa names are reverse (PTR) lookups of IPv4 addresses (read the labels backwards to recover the address), not names the sample chose. The three forward lookups, ewapyc22.top, morzup02.top and winqoz02.top, are the DNS indicators to carry forward; whether they resolved is not recorded here.

Files

Everything under C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce is the collection folder that the cmd.exe chain above later removes. A path that appears twice with different hashes was written more than once during the run; the ~1 names are 8.3 short names for the two archives.

memory/5068-1-0x0000000000790000-0x0000000000890000-memory.dmp

memory/5068-2-0x0000000002330000-0x0000000002411000-memory.dmp

memory/5068-3-0x0000000000400000-0x00000000004E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\_Files\_Information.txt

MD5 09394f9d432614df15b58ce4ba7eec28
SHA1 e90576538716df6012a39daf39b28268a7920ad7
SHA256 cfd9949b1e1319fd82ad88460db04a8bc62225f09c3b5f6275b9ed59febed7ca
SHA512 555316e5180be9ba7dfdf02d61b123669e23c3cfc10d27959d14f2e7584ce58ca1a843e3622d689161a403fe47bfb10661363f0351a17f2d8226af1f3ceb14f6

C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\_Files\_Information.txt

MD5 22ff6f120ddbc44c8e486c3366951643
SHA1 e8d738addf97eeb043af559a0a03bffd5492b06c
SHA256 4842ed08873ea7f42a725da7653a24d928e2c9da174b3f4b3d761d8f9a41df88
SHA512 7a7a38e2638e7abd9ca586cb896675ffb56edfa32abc00316d52c83e2d18f47e2b55599fcfe184dfa4d169a8d53154c1c894b676d2deb1e4617b7d625a99d1a0

C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\_Files\_Screen_Desktop.jpeg

MD5 a7e6988fc8f6d175f898fd3b45acdbf2
SHA1 d71cef1c0831f4ca42fb414a9916ee19817ee574
SHA256 96d7b5843d5f6d4dd6b2215d57671591c11460861c63e9a5cd1c14a18c98a2df
SHA512 887f74d99ba28d27e89faabafea51ebc28d1396d597db090e5ad153de8d1c8c797c26ff558fe877e61c77b2c8906cdf0a1748387fd56c04ebc22b2cea6806e5b

C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\files_\system_info.txt

MD5 5398901716c40b1f27d231d8bb0b9f44
SHA1 6305231e449e86b5df711d06c92ed780fabdf7e6
SHA256 0fb1474726777f3b5daa411e714675d3271fa71cb72397eeee1ff1b8722831b7
SHA512 f1161804deb18cfc2a0daa9211f7ceaf7022cdcb374831a00734379ae1ced5e9078430f5a6ea16c6ff179b3d1836fcb3ca2c4803aa051ab628491edce3e038ac

C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\files_\system_info.txt

MD5 6da8891b329eb32d678252a3bf64b769
SHA1 e665554e163e392c63ed43bd07f45ceb311baa89
SHA256 193806a9f2be6a7799807a4bb809fa90fc302c5d5e4f7e6dda8ab84dd856afa7
SHA512 aa50775d7c643d0cbe79be141cb32135cf504306ea2639c02a13489160be87c7aaed68aad4265ebe8c21baeebc37c40b4323a26aa0a0963f99f3dfd75122e3f3

memory/5068-213-0x0000000000400000-0x00000000004E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\ONYZDR~1.ZIP

MD5 44b29d82f82d206b92a69cb82a6ecc82
SHA1 b622313d8e10cdf13f245f21ffaa577a93da96d1
SHA256 b69794bba950de4eedc85b787a926f35b8e4ad6df8243770338fbde842354719
SHA512 5427b50d296792da742fb780071e40b153f4137b15c4ca91625b29496d54d4553108d0536f0c64abd2499a9b1b9840f83841bedfa32198fb31e63e23abf75a72

C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\UAOAUF~1.ZIP

MD5 eb204acc7fbf2ec31c263aa4d6acd2ef
SHA1 ce52d8dafc36eb917658fffbeb459d6861710c09
SHA256 9cd9acde6e06d4154cc00b8c7bf7267e017076cd80999a26ba43a5c8de310beb
SHA512 0d5313a703c92927d58e0c1bf6633ed5c096d308e4f827e98586453f8f00b5d6c5f07415814b50fdb481a49883e6bcf53bef81a2f9e72a7211aa65586ed31a08

C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\_Files\_INFOR~1.TXT

MD5 c6fa787d86601841dfa1012a1ec7c718
SHA1 70414a3111600331561e2fc303e9d936d1dd3af9
SHA256 3ad13b8a5941836424b743301f3e0cf8816afc4c3ed00f8b7966662bef13994a
SHA512 f76965205d602a155db9fbb79b7359979fdf8877a9dae5b37bac88c5ab61841620cdab5ddc2ec2e40d531ce8b78ff30eb3312182dddf3749f84fa2f36e248b41

memory/5068-221-0x0000000002330000-0x0000000002411000-memory.dmp
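An analyst normally wants this report reduced to a de-duplicated indicator set. Below is an added example, not code from the sandbox or the report, that parses the flattened Network table and Files section as printed above, discards the reverse-lookup noise and the in-memory dumps, checks each digest has the length its algorithm implies, and pulls out the staging directory name. The embedded input is an excerpt copied from this report (six DNS rows and three of the dropped files); the `staging_dirs` heuristic, which takes the first directory under `%LOCALAPPDATA%\Temp`, is an assumption about how this family stages, not something the report states.

```python
import re

# Excerpt of this report's behavioral2 Network table, copied as printed.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 ewapyc22.top udp
US 8.8.8.8:53 morzup02.top udp
US 8.8.8.8:53 winqoz02.top udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
"""

# Excerpt of the Files section (one memory dump and three dropped files), copied as printed.
FILES_SECTION = r"""
memory/5068-1-0x0000000000790000-0x0000000000890000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\_Files\_Information.txt

MD5 09394f9d432614df15b58ce4ba7eec28
SHA1 e90576538716df6012a39daf39b28268a7920ad7
SHA256 cfd9949b1e1319fd82ad88460db04a8bc62225f09c3b5f6275b9ed59febed7ca
SHA512 555316e5180be9ba7dfdf02d61b123669e23c3cfc10d27959d14f2e7584ce58ca1a843e3622d689161a403fe47bfb10661363f0351a17f2d8226af1f3ceb14f6

C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\_Files\_Screen_Desktop.jpeg

MD5 a7e6988fc8f6d175f898fd3b45acdbf2
SHA1 d71cef1c0831f4ca42fb414a9916ee19817ee574
SHA256 96d7b5843d5f6d4dd6b2215d57671591c11460861c63e9a5cd1c14a18c98a2df
SHA512 887f74d99ba28d27e89faabafea51ebc28d1396d597db090e5ad153de8d1c8c797c26ff558fe877e61c77b2c8906cdf0a1748387fd56c04ebc22b2cea6806e5b

C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\ONYZDR~1.ZIP

MD5 44b29d82f82d206b92a69cb82a6ecc82
SHA1 b622313d8e10cdf13f245f21ffaa577a93da96d1
SHA256 b69794bba950de4eedc85b787a926f35b8e4ad6df8243770338fbde842354719
SHA512 5427b50d296792da742fb780071e40b153f4137b15c4ca91625b29496d54d4553108d0536f0c64abd2499a9b1b9840f83841bedfa32198fb31e63e23abf75a72
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Assumed staging-folder heuristic: first directory directly under the user's Temp folder.
STAGING_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\([^\\]+)\\", re.IGNORECASE)


def parse_dns(table):
    """Parse 'Country Destination Domain Proto' rows; the header and malformed lines are skipped."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        rows.append({"country": parts[0], "dest": parts[1], "name": parts[2], "proto": parts[3]})
    return rows


def ptr_to_ip(name):
    """'2.136.104.51.in-addr.arpa' -> '51.104.136.2' (labels are the address octets reversed)."""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def parse_files(section):
    """Group each dropped-file path with the hash lines that follow it; memory dumps are ignored.
    A digest whose length does not match its algorithm is recorded under 'errors', not trusted."""
    entries, current = [], None
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                current.setdefault("errors", []).append(f"{algo} digest has length {len(digest)}")
            else:
                current[algo.lower()] = digest
        elif line.startswith("memory/"):
            current = None  # in-memory region dump, not a file on disk
        else:
            current = {"path": line}
            entries.append(current)
    return entries


def build_iocs(network_table, files_section):
    """Combine both sections into de-duplicated indicator sets."""
    iocs = {"domains": set(), "ptr_ips": set(), "resolvers": set(),
            "sha256": set(), "paths": set(), "staging_dirs": set()}
    for row in parse_dns(network_table):
        iocs["resolvers"].add(row["dest"])
        if row["name"].lower().endswith(".in-addr.arpa"):
            iocs["ptr_ips"].add(ptr_to_ip(row["name"]))  # kept separately: reverse lookups, not C2 names
        else:
            iocs["domains"].add(row["name"].lower())
    for entry in parse_files(files_section):
        iocs["paths"].add(entry["path"])
        if "sha256" in entry:
            iocs["sha256"].add(entry["sha256"])
        m = STAGING_RE.match(entry["path"])
        if m:
            iocs["staging_dirs"].add(m.group(1))
    return iocs


if __name__ == "__main__":
    for key, values in build_iocs(NETWORK_TABLE, FILES_SECTION).items():
        print(key, sorted(values))
```

The PTR-derived addresses are kept in their own bucket on purpose: they are what the sandbox host saw traffic to, and blocking them without corroboration is how benign Microsoft and CDN ranges end up on a blocklist.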