Malware Analysis Report

2024-10-19 02:36

Sample ID 240120-mdsx1sged8
Target 6a2c1831c6131eb0f59078d477f4247f
SHA256 c1d11f66c89d2b7a284d8b61092fab044066c5443250d90d2dd9f3221857900a
Tags cryptbot discovery spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

c1d11f66c89d2b7a284d8b61092fab044066c5443250d90d2dd9f3221857900a

Threat Level: Known bad

The file 6a2c1831c6131eb0f59078d477f4247f was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-20 10:21

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-20 10:21

Reported

2024-01-20 10:23

Platform

win7-20231215-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe

"C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ewaqug42.top | udp
US | 8.8.8.8:53 | morjau04.top | udp

Files

memory/1564-1-0x0000000000610000-0x0000000000710000-memory.dmp

memory/1564-3-0x0000000000400000-0x000000000051D000-memory.dmp

memory/1564-2-0x0000000000320000-0x00000000003C0000-memory.dmp

memory/1564-4-0x00000000005F0000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SocQ0vQKV\_Files\_Information.txt

MD5 147cddf0aee7abda94e17a59f52b32c0
SHA1 54dd21d2b9c928b4ba7ec65626f5bc4a21ab2df2
SHA256 b19bbe1d1d465993ff8d3faed7b484273d7f157520260edf9f96c1333a797fcb
SHA512 eb410457490d598c6b3553813097ec5f7d9b55747b84263948110676fca8fc1d8a0ee5ea65d2de6da66694f01ec8dd7be104da68c4a8384a2c297867466bc4dd

C:\Users\Admin\AppData\Local\Temp\SocQ0vQKV\_Files\_Screen_Desktop.jpeg

MD5 dbb59211e04ddb6b104e2728c1765ec8
SHA1 a1a6ef75028076151d75a820779b43218645e552
SHA256 80531ae594940b2ae81305ea98793a646891595349006dc845e9e7947faf3c77
SHA512 b9097b3a8141f5bb8ff148033e9ea2b78531d030e3ae441454bef4e726354eb525174f2655b682b0b7fa612aa324b16c6384849ad8e5d379c718ccdace786bb6

C:\Users\Admin\AppData\Local\Temp\SocQ0vQKV\files_\system_info.txt

MD5 5321c8bdec2ec9e3baf7106b0672b947
SHA1 b29b5514a425fc9f671620d5c7308d6fbc29ed37
SHA256 22572c1b67fb89cb63e220aca536973b66e94444e4d7fa809713b90f0b42bcc8
SHA512 c2ef8d468a2b9a23a892b593967a9ef50c1160d46e2504d99ec85e74b75368a7b3a90f11c79ead7a04ee5f772dae5d83cbca107e8510cf00130dfdc94f5e636d

memory/1564-222-0x0000000000400000-0x000000000051D000-memory.dmp

memory/1564-225-0x0000000000610000-0x0000000000710000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SocQ0vQKV\TO4usagagNh5.zip

MD5 1fc6cb307b66969a1244b283e98b30f2
SHA1 307f1633607b28ef7157fde5ffe7a22d1316df62
SHA256 74ee1f1abdb51d06ba114b69994e4275856080bbf3f05d4b432ea00ea92f92ad
SHA512 2ef3af350c088133cd7d981faecd5d09c482076eb8c018f0597cb468f663c9e0f9567ccb7a2dbdfd5072d03a0449836aeb62b5496c53279681d32b7db9e30314

memory/1564-227-0x00000000005F0000-0x00000000005F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-20 10:21

Reported

2024-01-20 10:23

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe

"C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe"

Network


Files

memory/4008-2-0x0000000002260000-0x0000000002300000-memory.dmp

memory/4008-1-0x0000000000620000-0x0000000000720000-memory.dmp

memory/4008-3-0x0000000000400000-0x000000000051D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\_Files\_Information.txt

MD5 6794f748f24c56146c5b6121afca3729
SHA1 5cb28a27c4466428b8244dff3395c208782b1988
SHA256 a2ce1bab81642f1064779bbd2deb91ed6b9dc3324e98c18e7f32c1375f214229
SHA512 3f056d278d6ef2e6fa5461062ea0fbfb44740af9c7689f5970d7ebb5e6ff413e163cc16fb1d45c19e72c9de0fc3fd9573b0719cfd9fde44e46c93b0bba9632a5

C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\_Files\_Screen_Desktop.jpeg

MD5 319dd9d403a1257cd941f68e4d9488b4
SHA1 155ec2457035abb9505ec6924b84c757e9fcc3ad
SHA256 b738887d185378270ece8f1ce18fd01c7f9283eb3b2b697f526dba862b6ba581
SHA512 18786ced575535b332491340616dba3ebd6665839843b15ee24d1d42b021ce92d2ab4d6826ac36b99028eea84c01eefb6b23e14253ecd84ac0eccd2b2962d4ae

C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\_Files\_Information.txt

MD5 bb922c8c422946d787552831a41a3cb2
SHA1 bf3df008cb4d8cca4418d812e9566e9560488f20
SHA256 eb676aa5d8f29611fa2d7c3518959b3a78b59332b143051c42154043fb4e443b
SHA512 bfec57996abfa37f02e8d8c6e7f25ac1bf242321d657bcde48d7d2f5be58bf2772c394abdbcf53897914726a06a12aa3c6c387fe28b54bf6bd3a2109f083a0d3

C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\files_\system_info.txt

MD5 6db0063e17d10d709b613891f7ac21f3
SHA1 399adcf95f0758b0411fd3ba0770f999d01f3acb
SHA256 8853a90b71c67e4008be5a1c618d227f93cb61f643e667c46865105f31700bb3
SHA512 dabb18e7926086c3e006afe81f035b185be60ab9d18dc42c8edebc1ed4fd453a04a33b7518abf7a1e7bf48d1db450c2d5838e08c772146582c7dc7d68bb65c0c

C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\files_\system_info.txt

MD5 5e8a27102fd6ecda086fcd491a2ab23d
SHA1 f597fa8b60da67fb0ebaa85c983fc47028a1953f
SHA256 508e474adbba2ee9b45d83382b5b5352673f4614b2daad516501c80b26080c9b
SHA512 81233f527dc0b532cdf1a5eedda70ae8c78e1a48dda8cc6d67327aa6e527ceee4cf4ce872d4d0957cffa1d77c7dc7566c0b33c96b4682d28809ede5c35bbf672

C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\files_\system_info.txt

MD5 a45826fdc4d83fb9728260eb2b092521
SHA1 a49d1c5323f8994957779bdfa75fab9261f4a634
SHA256 a774d50b57662437f46d57ee727ee88ee423681dd34d28061591387517ef456b
SHA512 c6a7bbdd67f04a0da504d419fc3c5f136567a54781cce6c5efc5713a3e503f117e962136ae1012921c188e6a63275f81bee9dc8ce2317b51e3e0d1c1e5bd5b97

memory/4008-208-0x0000000000400000-0x000000000051D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\TCFZm1cEvwO8l5.zip

MD5 0e2a024081b63e43c2b9f2bc43ec70bd
SHA1 d09d0a31dc3c46679a9805160210149b5e9d5a15
SHA256 dde74d2efd366f518bf07eb22086c7b53822dfa8ffb4b6cc8a94ddd1dca7454f
SHA512 4aa97226277c53f6a3c22921cbd65fd7cb6b7e4e0a4111d985c30fa0be067b14707cf6202f8d328f05aa01b3573606cb840dddfaeb3def94f9beb5891f0af8c7

memory/4008-212-0x0000000000620000-0x0000000000720000-memory.dmp

memory/4008-213-0x0000000002260000-0x0000000002300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\WLNgGapBgIuO.zip

MD5 7a5fc1230afbd8397976d081e5ebaa86
SHA1 2195a202fed1396bd39e40625c33854e1bcfe11d
SHA256 e4fa828b0c7e76dc7034c616dd63f03618ae5fcf8d6bbe16468cc85f6ba7a87c
SHA512 a03a43ded6da9c47148ba3df1703f143386d3c6296ae397c4b994e7be0fb029a4724595eacfd41dfa2f231d1000e88e2349ad06edc52de30458f015bb9ae03f8