Malware Analysis Report

2024-10-19 02:36

Sample ID 240120-br74bahahp
Target 6920aa5adac327d0b77bcbcf2c105098
SHA256 b937f9098ea56ff4120f21634aaf765cd11f62950cbcf1f4727cc673785a9560
Tags: cryptbot spyware stealer discovery
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: b937f9098ea56ff4120f21634aaf765cd11f62950cbcf1f4727cc673785a9560

Threat Level: Known bad

The file 6920aa5adac327d0b77bcbcf2c105098 was found to be: Known bad.

Malicious Activity Summary

cryptbot spyware stealer discovery

CryptBot

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Analysis: static1

Detonation Overview

Reported: 2024-01-20 01:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-20 01:23
Reported: 2024-01-20 01:26
Platform: win7-20231215-en
Max time kernel: 121s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe"

Signatures

CryptBot

spyware stealer cryptbot

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe

"C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe"

Network

N/A

Files

memory/1252-0-0x0000000002BC0000-0x0000000002C44000-memory.dmp

memory/1252-2-0x0000000004540000-0x000000000462B000-memory.dmp

memory/1252-1-0x0000000002BC0000-0x0000000002C44000-memory.dmp

memory/1252-3-0x0000000000400000-0x0000000002BBA000-memory.dmp

memory/1252-6-0x0000000000400000-0x0000000002BBA000-memory.dmp

memory/1252-7-0x0000000004540000-0x000000000462B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-20 01:23
Reported: 2024-01-20 01:26
Platform: win10v2004-20231215-en
Max time kernel: 151s
Max time network: 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe"

Signatures

CryptBot

spyware stealer cryptbot

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe

"C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp
US | 8.8.8.8:53 | fokuti41.top | udp

Files

memory/2376-1-0x0000000004840000-0x00000000048D2000-memory.dmp

memory/2376-2-0x00000000048E0000-0x00000000049CB000-memory.dmp

memory/2376-3-0x0000000000400000-0x0000000002BBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eKaFFUjNkGb\_Files\_Information.txt

MD5 947505e9747ec4eabef836abcc91b2ad
SHA1 19b1f54c6eb03765167bfc62df9a600c1917b737
SHA256 3ff9d8a0105613e3603fc108ac0477e5ff98d7804d0a6427ba5656dad5a558da
SHA512 09b4ea6d97dc66ca000428eae65ac27d5e578bea1123f3096547ceb0b5526d4e72498b4278913fd3638539c5ec11faa23c85cccc8a4be8cf9189d8658b60b575

C:\Users\Admin\AppData\Local\Temp\eKaFFUjNkGb\_Files\_Information.txt

MD5 041772a5665a6876e2be990aa8227a27
SHA1 7a2b564866678c6add46b7e1a94e3c0499659caa
SHA256 7e9af1c72d3f42a207c35bb98e05d689116b8bd1cf0510c7ddd77a19ba70ce5b
SHA512 2c6125679735a14be912ce056887a58af086d17ab6befee82f2b64f105a46ce0f39ad59a3799747a5a35bfc21e066615488aa81b6fc0e69bfc95dec6685da1e0

C:\Users\Admin\AppData\Local\Temp\eKaFFUjNkGb\_Files\_Information.txt

MD5 e225d30bf20d0f79f0a34447168455af
SHA1 d93bf0bb31b4b156706850fd7a14c0032f1771d6
SHA256 72c3f6860fdf60df3ee1c7ee37e44e5b3d586553992483d1b7d0f95d84b85162
SHA512 0858d8fb3c982df72a20565ccc33df4e291d9bd435ea013c2abd5391d08992cce4433daeb4d52b8b2d4206b17b4312456c552ee14b7c4a962a04067339aaadb2

C:\Users\Admin\AppData\Local\Temp\eKaFFUjNkGb\_Files\_Screen_Desktop.jpeg

MD5 de5b85b11b03e97ee91f21128a03e795
SHA1 4762cee80d9f7fab2d84f2614581fe5a347f5cb2
SHA256 25ea8c3709fcfcbfebc573bc1536e7abb7226a1f382455e93fcd5e655a5af287
SHA512 9f2e08ba7a372af623d97a9de9947c676fd6132c132efcdbee7073069ddf32ad75597e1205e8d675867e3f68f9aa6d0c09ff349ae42a81b1a7a2d94010ae2083

C:\Users\Admin\AppData\Local\Temp\eKaFFUjNkGb\files_\system_info.txt

MD5 dda65fdd08cc7179a5d99a2714300581
SHA1 f880560a51b59c7f1f1e0dd04b4aad17a54d6ca7
SHA256 51d86c00e9a4f16e2b0c49e9bcbfd1b149337052dc47ddbc2e66ed418d21076b
SHA512 1d1f2c7eff60412e6c313996cce8ff1856d97c992db05fea27c52ac2c23b3f5ab3fe1f156e097ff3927c4871f5d87d7e34ad65b855b5d127ae170ab97572e169

C:\Users\Admin\AppData\Local\Temp\eKaFFUjNkGb\files_\system_info.txt

MD5 cb8ede430b3e9f6441de48e9362248b9
SHA1 47f7bc4655d0b69c211cdeaf792b6fc2868e55ad
SHA256 368c7aa2a0df76de37005cb66d22411c4cfde6947fc0b83b5045c1bb36731a1a
SHA512 c64f3833ff3fe280eb94d2918591fa9add94ab2836b05879469d132518d46b8743d2c6ace5bd800ceef923eb27957d3c13f78d4396f0501fc6e7374a1923294b

C:\Users\Admin\AppData\Local\Temp\eKaFFUjNkGb\files_\system_info.txt

MD5 cb2ec89d1ad166671d5c904d8f76ab34
SHA1 a658c13d453ff92e4927b2f53d6a5a828df4a378
SHA256 bcfd9a8383caeeaa43158146d9b2ad9a83798844e25f9ba25cea7496bb163899
SHA512 049e5326a9e7d2cf9be378ced4813c1c590414a9211586275ac18ced33669b0c050c2578b3a611a767b02b28d1fe8a78cf110c273f8f1e18bcd6a54c164836dd

C:\Users\Admin\AppData\Local\Temp\eKaFFUjNkGb\files_\system_info.txt

MD5 8a39e4fad89f5b2d2fb4ad699fff2302
SHA1 05f215572f1ddcd65f655ab76f92d1ed3d0b406d
SHA256 70075bf23375961dd2ac501e2aab2a4b88457d666e1c74ca09661efdcdc156ca
SHA512 94f1443425223ec83561c38ef3966cb71d470b3f0a6bf5f327b88aa03846cc0fb3ad56e1fab4776044cc564171272ae6c610f66f4838ae960dfce7706549da87

memory/2376-205-0x0000000000400000-0x0000000002BBA000-memory.dmp

memory/2376-210-0x0000000000400000-0x0000000002BBA000-memory.dmp

memory/2376-213-0x0000000004840000-0x00000000048D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eKaFFUjNkGb\SLfJRKXSKGeA.zip

MD5 013ceea176da651e55d1075865117677
SHA1 914a1d6f8b44e0a855097a38e2953eb6325d7b21
SHA256 b223e2d9cc8e0b7a4ddb1424fcb3a0d554f5d8734b37fe120937c72fb8471d0f
SHA512 0784e9e2a29c03b47da5b1fc57015ebf780eb7b2d8772642a9947577c5376a8a4bb76f6192248fae0355eaebefeaaf425a366515cb7217d89c4373cecc10fe6b

memory/2376-215-0x00000000048E0000-0x00000000049CB000-memory.dmp