Malware Analysis Report

2024-10-19 02:36

Sample ID 240121-cdx7macdhm
Target 6c0f27024f875a94386862cfb5f0d2c8
SHA256 f2dae5d58761bc67d2fac18381a2ee7e61d5eea79c32c718a7b97ec183a2489a
Tags
cryptbot spyware stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f2dae5d58761bc67d2fac18381a2ee7e61d5eea79c32c718a7b97ec183a2489a

Threat Level: Known bad

The file 6c0f27024f875a94386862cfb5f0d2c8 was found to be: Known bad.

Malicious Activity Summary

cryptbot spyware stealer discovery

CryptBot payload

CryptBot

Checks computer location settings

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 01:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 01:58

Reported

2024-01-21 02:00

Platform

win7-20231215-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe N/A

ProcessorNameString is a common host-fingerprinting read: hypervisors and sandboxes often expose distinctive CPU model strings. The report records only the query, not the value returned or any decision taken on it; the same read recurs in behavioral2.

Processes

C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe

"C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe"

Network

N/A

Files

memory/1988-1-0x0000000000230000-0x0000000000330000-memory.dmp

memory/1988-2-0x0000000004A20000-0x0000000004B01000-memory.dmp

memory/1988-3-0x0000000000400000-0x00000000032BB000-memory.dmp

memory/1988-6-0x0000000000400000-0x00000000032BB000-memory.dmp

memory/1988-7-0x0000000004A20000-0x0000000004B01000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 01:58

Reported

2024-01-21 02:00

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe N/A

Geo\Nation holds the Windows GeoID of the country configured for the user; stealers commonly read it to skip hosts in regions they are told to avoid. Only the query is recorded here, not the value or the branch taken on it.

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

The only timeout.exe invocation in the process tree is "timeout 3" inside the cmd.exe cleanup chain listed under Processes, so this delay gives the sample time to exit before its executable is deleted; it is not a standalone sleep intended to outwait the sandbox.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe

"C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2160 -ip 2160

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1308

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe"

Both WerFault.exe invocations name PID 2160, the sample's own process (the memory dumps under Files are keyed on the same PID), so the Program crash signature applies to the sample itself. The cmd.exe chain is the cleanup step: it removes the staging directory, waits three seconds and then deletes the dropped executable.
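The cmd.exe line above is the usual stealer cleanup: remove the staging directory, wait so the parent can exit, then delete the dropped executable. The Python below is an added example, not part of this report or of any sandbox tooling, showing how that chain can be matched in process-creation telemetry. The event records are constructed from the command lines on this page plus benign look-alikes; the regular expressions and the list of user-writable directories are the example's own assumptions.

```python
import re

# Constructed process-creation records (image path, command line) modelled on the
# process tree in this report. The first is the sample's own cleanup chain; the
# others are benign look-alikes that the detection must not flag.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc'
     r' & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe"'),
    (r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c del /f /q "C:\Program Files\Vendor\updater_old.exe"'),   # no delay, not user-writable
    (r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c timeout 3 & echo build finished"),                      # delay, nothing deleted
    (r"C:\Windows\System32\timeout.exe", "timeout 3"),                     # the chain's child, not cmd.exe
]

# Assumption of this example: locations an unprivileged user can write to, where a
# dropped payload that deletes itself is expected to live (compared case-insensitively).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\downloads", r"\users\public")

# del with switches, then an .exe path that may be quoted, ending the segment or at '&'
DEL_RE = re.compile(r'\bdel\s+(?P<flags>(?:/[a-z]\s+)+)"?(?P<target>[^"&]+?\.exe)"?\s*(?:&|$)', re.I)
# rd/rmdir /s /q <dir>: the directory the sample staged its collection in
RD_RE = re.compile(r'\b(?:rd|rmdir)\s+(?:/[sq]\s+)+"?(?P<dir>[^"&]+?)"?\s*(?:&|$)', re.I)
# timeout [/t] N: the pause that lets the parent process exit before the delete
DELAY_RE = re.compile(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?(?P<secs>\d+)", re.I)


def detect_self_delete(image, cmdline):
    """Return a finding dict when cmdline is a delayed self-deletion chain run via cmd.exe, else None."""
    if not image.lower().endswith("\\cmd.exe"):
        return None
    if not re.search(r"\s/[ck]\s", cmdline, re.I):      # must be cmd.exe /c or /k
        return None
    m_del = DEL_RE.search(cmdline)
    if not m_del:
        return None
    flags = set(re.findall(r"/([a-z])", m_del.group("flags").lower()))
    target = m_del.group("target").strip()
    if not {"f", "q"} <= flags:                         # forced, silent delete
        return None
    if not any(marker in target.lower() for marker in USER_WRITABLE):
        return None
    m_delay = DELAY_RE.search(cmdline)
    if not m_delay:                                     # no pause: ordinary cleanup, not self-delete
        return None
    m_rd = RD_RE.search(cmdline)
    return {
        "deleted": target,
        "delay_seconds": int(m_delay.group("secs")),
        "staging_dir": m_rd.group("dir").strip() if m_rd else None,
    }


def scan(events):
    """Run the detection over (image, command line) pairs and collect findings."""
    findings = []
    for image, cmdline in events:
        hit = detect_self_delete(image, cmdline)
        if hit:
            findings.append({"image": image, **hit})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The chain is split on the cmd.exe operators rather than parsed as a shell, so an ampersand inside a quoted path would defeat it; that is acceptable for a triage rule but not for a parser. Requiring the delay and the user-writable location together is what keeps ordinary installer cleanup from firing.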

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 ewaosm65.top udp
US 8.8.8.8:53 moruat06.top udp
US 8.8.8.8:53 winazr08.top udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
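The network section lists fourteen UDP lookups to 8.8.8.8 and no TCP connections, so whether the three .top names resolved is not shown here. The Python below is an added example, not from the report, that separates the reverse (PTR) lookups from forward lookups, decodes the in-addr.arpa names back to the addresses being resolved, and flags forward names that match a shape derived from the three observed domains. That shape (six lowercase letters, two digits, .top) is an assumption made for this example, not a documented property of the family's domain generation.

```python
import ipaddress
import re

# Constructed copy of the DNS query names in this report (all sent to 8.8.8.8:53 over UDP).
DNS_QUERIES = [
    "58.55.71.13.in-addr.arpa",
    "240.221.184.93.in-addr.arpa",
    "133.32.126.40.in-addr.arpa",
    "ewaosm65.top",
    "moruat06.top",
    "winazr08.top",
    "114.110.16.96.in-addr.arpa",
    "103.169.127.40.in-addr.arpa",
    "18.31.95.13.in-addr.arpa",
    "217.135.221.88.in-addr.arpa",
    "81.171.91.138.in-addr.arpa",
    "194.178.17.96.in-addr.arpa",
    "43.229.111.52.in-addr.arpa",
    "10.173.189.20.in-addr.arpa",
]

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)

# Assumption for this example: a name shape derived from the three forward lookups on
# this page (six lowercase letters, two digits, .top). It is a triage heuristic only.
SUSPECT_SHAPE = re.compile(r"^[a-z]{6}\d{2}\.top$")


def ptr_to_ip(name):
    """Decode an in-addr.arpa name to the IPv4 address being resolved, or None.

    The labels are stored least-significant octet first, so they are reversed;
    ipaddress rejects octets above 255."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:
        return None


def triage(queries):
    """Split query names into decoded PTR lookups, other forward lookups and suspect names."""
    ptr, forward, suspect = {}, [], []
    for q in queries:
        q = q.strip().lower().rstrip(".")
        ip = ptr_to_ip(q)
        if ip is not None:
            ptr[q] = ip
        elif SUSPECT_SHAPE.match(q):
            suspect.append(q)
        else:
            forward.append(q)
    return {"ptr": ptr, "forward": forward, "suspect": suspect}


if __name__ == "__main__":
    result = triage(DNS_QUERIES)
    for name, ip in result["ptr"].items():
        print(f"PTR     {name:32} -> {ip}")
    for name in result["suspect"]:
        print(f"SUSPECT {name}")
    for name in result["forward"]:
        print(f"FORWARD {name}")
```

Decoding the PTR names tells you which addresses the guest was trying to label, which is usually the platform's own telemetry traffic rather than the sample's; the three forward lookups are the only names the sample itself asked for, and they belong in the blocklist regardless of whether they resolved during detonation.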

Files

memory/2160-1-0x0000000003580000-0x0000000003680000-memory.dmp

memory/2160-2-0x0000000005020000-0x0000000005101000-memory.dmp

memory/2160-3-0x0000000000400000-0x00000000032BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc\_Files\_Information.txt

MD5 275e1cd686eca41cc2555e23c9bcc5d3
SHA1 51f5123394dd39c2d84781a24067f87ba766ba13
SHA256 141333ca32bc50c5f871ee9d34c76161be9f35cbb3642f2752ea75f22538e91b
SHA512 433824abab9f898477b28a51c6509a5f6d6aaa005e680eb8f08634732e5035ab88098534f924579a69f4d8d00d07099050b8cd935bdefcd5f6a050717d4b13e4

C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc\_Files\_Information.txt

MD5 49cb7ca6411cc6d8aed9597f13720fcc
SHA1 7ad448d5d80da29a96bc259e2cf59d8dbe95fddc
SHA256 0ec0a24f7e41ef0d28f0d918ee2acd7ce7b7dcde77f89c4b93478d73559f8d0a
SHA512 dac85dd0a3216be027fdb90f5495038470d9ced5201880f5f794e7fa2e2d65adb405afd35e4e880805dd8991aa8b1d24534dc36e15612c8414750fc813be6080

C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc\files_\system_info.txt

MD5 01cd50508f63d2c65b61a047270ecb08
SHA1 43699badfcce8a5b5b36ecff3077bd341ad297f2
SHA256 f086edb06fd3583c25a9f49056c672837261112fa366d364a1504478f8e2ac09
SHA512 c1c8a662cf1156deb89fc3851b4b254ceac55476abf6afec0efc19c0d3f83ec73b2284dd4018fb493bdbab4823960afe9b4b9df9adca106291d9cef639dbfdc3

C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc\files_\system_info.txt

MD5 4f919450645e854c8783e0adda9f92c9
SHA1 aca9d337cb0d3065d525343d9564f354bf3bf0a8
SHA256 2c2a44a3c79b8e49f79565d15d3b85c2f841c5e4b4fb647249e1e604f974ef17
SHA512 b25dfe656161fac4fdeec79ae016a7dd25a63ef6fd5b8fc6d2082da2f36d6d49f11df9a0f530481cb218c78ff5c1ec319ae5be05b3bb7511afb44ec056d2d9ce

C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc\_Files\_Screen_Desktop.jpeg

MD5 67225e72cdd67b115c292d28ae4de38b
SHA1 e0e65cfc7b5a25d77fdab3d4004972850b76a25d
SHA256 57360b37423133d44e27ac175716d11494cf89aff3c0723318f8e75363be7f11
SHA512 51ad1c56f71caf932d5bf678a8aa83a8afe2bed1dd699f510282e5ebf7a6c58518450bd092adb03eb4489a3e61026c5fc5843eb100f80bb441bdcad327ef701b

C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc\_Files\_Files\ConfirmWait.txt

MD5 6b4364950e66f6bc2e3c0e626344420b
SHA1 367460cda5692d82802999b0ee358d401acff294
SHA256 2a94b8c796d9dc175199377b3d5e4053820c56e1d02ced3c72b9f16728d8f778
SHA512 6a386f4131124d06c40f370b5cb8b401c04542062f3f90f9830d0dd05a114e8f0493fe95d1b57ad503357dc2d9b770f9eb3687693d0a3d4cb9170a27c1971e7a

C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc\_Files\_INFOR~1.TXT

MD5 76aeb41e2dd1bc01f2b5710ae780f372
SHA1 434e1f6a666cf5c2353569cc7fd74ad38bfe9c9d
SHA256 119ae36f18f3c18ad69c28ce4837eceb255ef83cf53d9c4df0b27033832235e7
SHA512 74cabc8e3055b72458488fea54c3962b4a689d7e29ede1a3ac9960851d9dadb0343b35592642ce52baf89186521f44e1c6db1715b54658b5619ae1d7106efb4e

C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc\_Files\_Files\CONFIR~1.TXT

MD5 dae15c9102d56c76a5e594f48d73354d
SHA1 75645c198825e0345b161b3bb48743928f083a92
SHA256 b8a6377c6c151a474e14669a0f178c0690f8ca6aa5460d65440014083f5f5b4c
SHA512 b66b8c0dbb1edabe42d3b32643038a02fa9227f3675a079c89b05dc033bcc882d916f662532a351676a163aa3a6f0ec5d7f01390dbdcfb8af3f85d33294dadaa

C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc\OLOLPJ~1.ZIP

MD5 22385b170fac0a8121f2e75608cce056
SHA1 5040b812270250469ce48cdbfa115a78b4b68c42
SHA256 56ee88480492f06149f94c774dfe0664bbc1dedd22fc0e1017e51fd280081b0a
SHA512 428227703241dd9a41f0d9ea8e6775aef2df4dc994799c0701ee2cb894ea5551c1847c7d9c61ed1a11b76a4e5f74fc0d19ee37cc713546b452f366687cd0fc60

C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc\HKMTMO~1.ZIP

MD5 c8966061e2be4b7ad0b946dcf7e3671f
SHA1 883936c77ec37a6d4c9458b69a98d6e15c06531b
SHA256 a68b4918a5f1f1b9e147bb6d519bbec42c98172599d5ba5eb6e14b3eeb27a6d6
SHA512 71066af5fa8d35ee8d0076c090569c8c8b62e8b8ff89424ca2443c3d2b4ce35b5037bbb471eb6fa4c772c5afc7c9736cad6ca94258046a9565b94e25bac540f3

C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc\files_\SYSTEM~1.TXT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These four values are the digests of empty input: the file was zero bytes when captured. SYSTEM~1.TXT is the 8.3 short name of system_info.txt in the same directory, which is recorded above with two non-empty versions, so this entry is the file at creation, before it was written.

C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc\files_\files\CONFIR~1.TXT

MD5 477be82ce3550ed325609b046543dbfb
SHA1 db3b6ae0cf4ea8d07fdfcab0c96d9f931dcd86fd
SHA256 13f75dadffd4c9b4396d0b32a2f0aa03bef11a459e98657c72223ffc5dc45f8d
SHA512 d13545fe8eeb1816f84ce488787e0636a23ae990ed91db38400c3d825b189ada0f04356d69636b290d2e2a1beb0ea2759bb509710cf73c300a92e7302987b6a9

memory/2160-228-0x0000000000400000-0x00000000032BB000-memory.dmp

memory/2160-229-0x0000000005020000-0x0000000005101000-memory.dmp
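Several of the file entries above describe the same file seen more than once: _Information.txt and system_info.txt each carry two digests because they were rewritten during the run, and _INFOR~1.TXT, CONFIR~1.TXT and SYSTEM~1.TXT are 8.3 short names of long names in the same directory, the last of them carrying the digests of a zero-byte file. The Python below is an added example, not from the report, that rebuilds those relationships from the records on this page. The 8.3 routine is a simplified approximation (no collision handling, so the suffix is always ~1), which is an assumption of the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed copy of the dropped-file records in this report (path, MD5, SHA256).
# Memory dumps are left out; only the staging directory under %TEMP% is examined.
STAGING_ROOT = r"C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc"
FILE_RECORDS = [
    (STAGING_ROOT + r"\_Files\_Information.txt", "275e1cd686eca41cc2555e23c9bcc5d3",
     "141333ca32bc50c5f871ee9d34c76161be9f35cbb3642f2752ea75f22538e91b"),
    (STAGING_ROOT + r"\_Files\_Information.txt", "49cb7ca6411cc6d8aed9597f13720fcc",
     "0ec0a24f7e41ef0d28f0d918ee2acd7ce7b7dcde77f89c4b93478d73559f8d0a"),
    (STAGING_ROOT + r"\files_\system_info.txt", "01cd50508f63d2c65b61a047270ecb08",
     "f086edb06fd3583c25a9f49056c672837261112fa366d364a1504478f8e2ac09"),
    (STAGING_ROOT + r"\files_\system_info.txt", "4f919450645e854c8783e0adda9f92c9",
     "2c2a44a3c79b8e49f79565d15d3b85c2f841c5e4b4fb647249e1e604f974ef17"),
    (STAGING_ROOT + r"\_Files\_Screen_Desktop.jpeg", "67225e72cdd67b115c292d28ae4de38b",
     "57360b37423133d44e27ac175716d11494cf89aff3c0723318f8e75363be7f11"),
    (STAGING_ROOT + r"\_Files\_Files\ConfirmWait.txt", "6b4364950e66f6bc2e3c0e626344420b",
     "2a94b8c796d9dc175199377b3d5e4053820c56e1d02ced3c72b9f16728d8f778"),
    (STAGING_ROOT + r"\_Files\_INFOR~1.TXT", "76aeb41e2dd1bc01f2b5710ae780f372",
     "119ae36f18f3c18ad69c28ce4837eceb255ef83cf53d9c4df0b27033832235e7"),
    (STAGING_ROOT + r"\_Files\_Files\CONFIR~1.TXT", "dae15c9102d56c76a5e594f48d73354d",
     "b8a6377c6c151a474e14669a0f178c0690f8ca6aa5460d65440014083f5f5b4c"),
    (STAGING_ROOT + r"\OLOLPJ~1.ZIP", "22385b170fac0a8121f2e75608cce056",
     "56ee88480492f06149f94c774dfe0664bbc1dedd22fc0e1017e51fd280081b0a"),
    (STAGING_ROOT + r"\HKMTMO~1.ZIP", "c8966061e2be4b7ad0b946dcf7e3671f",
     "a68b4918a5f1f1b9e147bb6d519bbec42c98172599d5ba5eb6e14b3eeb27a6d6"),
    (STAGING_ROOT + r"\files_\SYSTEM~1.TXT", "d41d8cd98f00b204e9800998ecf8427e",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (STAGING_ROOT + r"\files_\files\CONFIR~1.TXT", "477be82ce3550ed325609b046543dbfb",
     "13f75dadffd4c9b4396d0b32a2f0aa03bef11a459e98657c72223ffc5dc45f8d"),
]

# Digests of zero-length input, computed rather than pasted so they cannot be mistyped.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def short_name(long_name):
    """Simplified 8.3 alias: keep [A-Z0-9_], six characters plus ~1, three-character
    extension. Real NTFS handles collisions (~2, ~3, ...) and more characters; this
    approximation is an assumption of the example."""
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    clean_stem = re.sub(r"[^A-Z0-9_]", "", stem.upper())
    clean_ext = re.sub(r"[^A-Z0-9_]", "", ext.upper())[:3]
    fits = clean_stem == stem.upper() and len(clean_stem) <= 8 and clean_ext == ext.upper()
    base = clean_stem if fits else clean_stem[:6] + "~1"
    return f"{base}.{clean_ext}" if clean_ext else base


def summarize(records):
    """Group records by directory, pair 8.3 aliases with long names present in the same
    directory, and flag zero-byte files and files recorded with more than one digest."""
    by_dir = defaultdict(list)
    for path, md5, sha256 in records:
        directory, _, name = path.rpartition("\\")
        by_dir[directory].append((name, md5.lower(), sha256.lower()))

    aliases, empty, seen = {}, [], defaultdict(int)
    for directory, entries in by_dir.items():
        long_names = [n for n, _, _ in entries if "~" not in n]
        short_map = {short_name(n): n for n in long_names}
        for name, md5, sha256 in entries:
            full = directory + "\\" + name
            seen[full] += 1
            if md5 == EMPTY_MD5 and sha256 == EMPTY_SHA256:
                empty.append(full)
            if "~" in name and name.upper() in short_map:
                aliases[full] = directory + "\\" + short_map[name.upper()]
    rewritten = {path: n for path, n in seen.items() if n > 1}
    return {"aliases": aliases, "empty": empty, "rewritten": rewritten}


if __name__ == "__main__":
    for key, value in summarize(FILE_RECORDS).items():
        print(key, value)
```

The two ZIP entries and files_\files\CONFIR~1.TXT have no long name in the same directory, so they stay unpaired; the archives are the likeliest exfiltration bundles and their digests are the ones worth searching for elsewhere. When a report lists a file twice, hunt on the later digest: the first is the file before the stealer finished writing it.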