Analysis

  • max time kernel: 147s
  • max time network: 152s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 17-01-2024 20:51

General

  • Target: 6393577eccbb54f677ff7dd65c984807.exe
  • Size: 3.0MB
  • MD5: 6393577eccbb54f677ff7dd65c984807
  • SHA1: 5020ec827081c486c32af374473d96ce5f4f30de
  • SHA256: fb7f48daa45730568caa82cfa74c3c3a16130d2428ccef71eb266daa4146efde
  • SHA512: 81e6e3b90072454e6497e1622b6d43371ca3c43cb5a073364b9f9db1c85866b1b9614f56c0b5c970b456cba7ffd0a7e8ce490649ec189c52d234b5e7e68a6d28
  • SSDEEP: 49152:hU6pv81VrL49dOdL4hE+oQ2OkCe2OtIcm+H2w6JFqtEI8X3nUywRve:C6pJ9dO6hhofOkCCycm+WRJFnlNI

Malware Config

Extracted

  • Family: cryptbot
  • C2: fokfgl36.top, mortbo03.top
  • Attributes
    payload_url: http://nybaer04.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundles with other software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer (12 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe (PID 5028)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\_Files\_Information.txt
    Filesize: 1KB
    MD5: 9e822e58a87cc95596d8d0e3fc04662c
    SHA1: f5040ac163e1c03dc2d67e3921a2a28e27fedfe7
    SHA256: 753248ab1507fa63e69d4391e227f870f2e2f311c1fc0fb2baddd7216cefcf41
    SHA512: 4b9dcbfc93401126dff26aab28e89fcda4e0c3ab35d1aa1843a9146ef823f5a3752ef1dddf1c91e205f401ecebd535670e48b8849617e8e065629ffac522d0ba

  • C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\_Files\_Information.txt
    Filesize: 4KB
    MD5: 96ffbfaa37c5b07727b82b4d56ec51c2
    SHA1: f38d3efe58bfa231117f96b662a2678a9c0dd7cb
    SHA256: d0bafdec6260e5a340c92582679548e3037134dec8b892febe320278c18f460e
    SHA512: a7c23e8b369bd5f96f4d13235ff38b9364220575c02d63e2b45a088aa1fac87ca35dfc1db45eb37d5a3394dfd30dfc7dab3f2a42647f58f407827888716e9706

  • C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\_Files\_Screen_Desktop.jpeg
    Filesize: 51KB
    MD5: c3fec46d69dc2680f687f4fc5c85fe3b
    SHA1: fe703003991b3bfe38a659c16b8b6ae38f7523f4
    SHA256: 086426fc37bb68b0bd39e25390005b74f63f75aaeb585c59dd925cf71c37fa96
    SHA512: dce417b59ea47252a706657257e7bb9dbba55df3af1d98c92aade35fbe76c04055d36db97a24e6f9be1832739daa87623fb5fbbfb84974f84c5b30f5f27cb452

  • C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\files_\system_info.txt
    Filesize: 1KB
    MD5: c80b34b7ed70aa50d575aa08b72dae89
    SHA1: 65ac42b532a98652dc29ba876d64edafde5e9fd2
    SHA256: 58964d53a58dd513ae30f5e0fb5d1f0557176ac7c245c46dcafbbb0ed2cc2e11
    SHA512: a6800418c83442df4435d27e5c7f004c904df39f061f130bb517a2229dce695207ba0b3566541e749b1e4e6aaa777bef1fb8246adf7323166d515b8d834d5496

  • C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\files_\system_info.txt
    Filesize: 4KB
    MD5: fa7022c7b7de97783dd6f8fd53c7765f
    SHA1: 0a7d12e638076141b1459148a6ab2a27b5079a28
    SHA256: 3fca66c54d53a357757cc3d252e9767e3259670a8678701bf3bdaf86145c9004
    SHA512: c72ae59bf28bea9249d1b6d71490fc420942ca94c0c63e7384332e8a0d57709dcce13c2d0db3f9a15a1d55bc05d77ef4ab8dcfbbf9fd6062a4b1a0772cef4444

  • C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\gieLUSbFIld.zip
    Filesize: 45KB
    MD5: 295adc1381c9f0f393604d5133917369
    SHA1: 18e20289c5cdf9c836dde90344c743f0e19ddf25
    SHA256: 1187c53a11377607b06c7111587909fdd8866f98a93c4718c7ff2379f7dbff19
    SHA512: 83405fca8a223b4e6cc977be09aa8db99ee439e910e198acd1c087d0cfae4cc6af2b170584565e3948751c1e2327d4db0e0900764587138d0665f00488ebd756

  • memory/5028-4-0x0000000000330000-0x0000000000AB7000-memory.dmp (Filesize: 7.5MB)
  • memory/5028-7-0x0000000000330000-0x0000000000AB7000-memory.dmp (Filesize: 7.5MB)
  • memory/5028-8-0x0000000000330000-0x0000000000AB7000-memory.dmp (Filesize: 7.5MB)
  • memory/5028-9-0x0000000000330000-0x0000000000AB7000-memory.dmp (Filesize: 7.5MB)
  • memory/5028-6-0x0000000000330000-0x0000000000AB7000-memory.dmp (Filesize: 7.5MB)
  • memory/5028-5-0x0000000000330000-0x0000000000AB7000-memory.dmp (Filesize: 7.5MB)
  • memory/5028-0-0x0000000000330000-0x0000000000AB7000-memory.dmp (Filesize: 7.5MB)
  • memory/5028-3-0x0000000000330000-0x0000000000AB7000-memory.dmp (Filesize: 7.5MB)
  • memory/5028-2-0x0000000000330000-0x0000000000AB7000-memory.dmp (Filesize: 7.5MB)
  • memory/5028-215-0x0000000000330000-0x0000000000AB7000-memory.dmp (Filesize: 7.5MB)
  • memory/5028-1-0x0000000077734000-0x0000000077736000-memory.dmp (Filesize: 8KB)
  • memory/5028-225-0x0000000000330000-0x0000000000AB7000-memory.dmp (Filesize: 7.5MB)
  • memory/5028-228-0x0000000000330000-0x0000000000AB7000-memory.dmp (Filesize: 7.5MB)