Malware Analysis Report

2024-10-23 17:14

Sample ID 240117-zncp1afab8
Target 6393577eccbb54f677ff7dd65c984807
SHA256 fb7f48daa45730568caa82cfa74c3c3a16130d2428ccef71eb266daa4146efde
Tags
themida cryptbot evasion spyware stealer trojan discovery
score
10/10

Analysis Overview

score
10/10

SHA256

fb7f48daa45730568caa82cfa74c3c3a16130d2428ccef71eb266daa4146efde

Threat Level: Known bad

The file 6393577eccbb54f677ff7dd65c984807 was found to be: Known bad.

Malicious Activity Summary

themida cryptbot evasion spyware stealer trojan discovery

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Reads user/profile data of web browsers

Themida packer

Checks whether UAC is enabled

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-17 20:51

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-17 20:51

Reported

2024-01-17 20:54

Platform

win7-20231129-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A

Themida packer

themida
Description Indicator Process Target
(10 hits recorded; Description, Indicator, Process and Target all N/A)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe

"C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe"

Network

N/A

Files

memory/2220-0-0x0000000000F30000-0x00000000016B7000-memory.dmp

memory/2220-1-0x0000000077080000-0x0000000077082000-memory.dmp

memory/2220-2-0x0000000000F30000-0x00000000016B7000-memory.dmp

memory/2220-3-0x0000000000F30000-0x00000000016B7000-memory.dmp

memory/2220-4-0x0000000000F30000-0x00000000016B7000-memory.dmp

memory/2220-5-0x0000000000F30000-0x00000000016B7000-memory.dmp

memory/2220-6-0x0000000000F30000-0x00000000016B7000-memory.dmp

memory/2220-8-0x0000000000F30000-0x00000000016B7000-memory.dmp

memory/2220-9-0x0000000000F30000-0x00000000016B7000-memory.dmp

memory/2220-7-0x0000000000F30000-0x00000000016B7000-memory.dmp

memory/2220-12-0x0000000000F30000-0x00000000016B7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-17 20:51

Reported

2024-01-17 20:54

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
(12 hits recorded; Description, Indicator, Process and Target all N/A)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe

"C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 fokfgl36.top udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 fokfgl36.top udp

Files

memory/5028-0-0x0000000000330000-0x0000000000AB7000-memory.dmp

memory/5028-1-0x0000000077734000-0x0000000077736000-memory.dmp

memory/5028-2-0x0000000000330000-0x0000000000AB7000-memory.dmp

memory/5028-3-0x0000000000330000-0x0000000000AB7000-memory.dmp

memory/5028-4-0x0000000000330000-0x0000000000AB7000-memory.dmp

memory/5028-5-0x0000000000330000-0x0000000000AB7000-memory.dmp

memory/5028-6-0x0000000000330000-0x0000000000AB7000-memory.dmp

memory/5028-7-0x0000000000330000-0x0000000000AB7000-memory.dmp

memory/5028-8-0x0000000000330000-0x0000000000AB7000-memory.dmp

memory/5028-9-0x0000000000330000-0x0000000000AB7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\_Files\_Information.txt

MD5 96ffbfaa37c5b07727b82b4d56ec51c2
SHA1 f38d3efe58bfa231117f96b662a2678a9c0dd7cb
SHA256 d0bafdec6260e5a340c92582679548e3037134dec8b892febe320278c18f460e
SHA512 a7c23e8b369bd5f96f4d13235ff38b9364220575c02d63e2b45a088aa1fac87ca35dfc1db45eb37d5a3394dfd30dfc7dab3f2a42647f58f407827888716e9706

C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\files_\system_info.txt

MD5 c80b34b7ed70aa50d575aa08b72dae89
SHA1 65ac42b532a98652dc29ba876d64edafde5e9fd2
SHA256 58964d53a58dd513ae30f5e0fb5d1f0557176ac7c245c46dcafbbb0ed2cc2e11
SHA512 a6800418c83442df4435d27e5c7f004c904df39f061f130bb517a2229dce695207ba0b3566541e749b1e4e6aaa777bef1fb8246adf7323166d515b8d834d5496

C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\files_\system_info.txt

MD5 fa7022c7b7de97783dd6f8fd53c7765f
SHA1 0a7d12e638076141b1459148a6ab2a27b5079a28
SHA256 3fca66c54d53a357757cc3d252e9767e3259670a8678701bf3bdaf86145c9004
SHA512 c72ae59bf28bea9249d1b6d71490fc420942ca94c0c63e7384332e8a0d57709dcce13c2d0db3f9a15a1d55bc05d77ef4ab8dcfbbf9fd6062a4b1a0772cef4444

C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\_Files\_Screen_Desktop.jpeg

MD5 c3fec46d69dc2680f687f4fc5c85fe3b
SHA1 fe703003991b3bfe38a659c16b8b6ae38f7523f4
SHA256 086426fc37bb68b0bd39e25390005b74f63f75aaeb585c59dd925cf71c37fa96
SHA512 dce417b59ea47252a706657257e7bb9dbba55df3af1d98c92aade35fbe76c04055d36db97a24e6f9be1832739daa87623fb5fbbfb84974f84c5b30f5f27cb452

C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\_Files\_Information.txt

MD5 9e822e58a87cc95596d8d0e3fc04662c
SHA1 f5040ac163e1c03dc2d67e3921a2a28e27fedfe7
SHA256 753248ab1507fa63e69d4391e227f870f2e2f311c1fc0fb2baddd7216cefcf41
SHA512 4b9dcbfc93401126dff26aab28e89fcda4e0c3ab35d1aa1843a9146ef823f5a3752ef1dddf1c91e205f401ecebd535670e48b8849617e8e065629ffac522d0ba

memory/5028-215-0x0000000000330000-0x0000000000AB7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\gieLUSbFIld.zip

MD5 295adc1381c9f0f393604d5133917369
SHA1 18e20289c5cdf9c836dde90344c743f0e19ddf25
SHA256 1187c53a11377607b06c7111587909fdd8866f98a93c4718c7ff2379f7dbff19
SHA512 83405fca8a223b4e6cc977be09aa8db99ee439e910e198acd1c087d0cfae4cc6af2b170584565e3948751c1e2327d4db0e0900764587138d0665f00488ebd756

memory/5028-225-0x0000000000330000-0x0000000000AB7000-memory.dmp

memory/5028-228-0x0000000000330000-0x0000000000AB7000-memory.dmp