Malware Analysis Report

2024-10-19 02:36

Sample ID: 240121-xmfzxsgchj
Target: 6dc81b421428a561e64da3e3d54e3994
SHA256: 05da0612d29c4c2d08bd90ca30551c109bd6501aae8fe06807f0864e26848637
Tags: cryptbot discovery spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

05da0612d29c4c2d08bd90ca30551c109bd6501aae8fe06807f0864e26848637

Threat Level: Known bad

The file 6dc81b421428a561e64da3e3d54e3994 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 18:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 18:58

Reported

2024-01-21 19:00

Platform

win7-20231215-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe

"C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | morecj05.top | udp

Files

memory/2900-1-0x0000000002E10000-0x0000000002F10000-memory.dmp

memory/2900-2-0x0000000000220000-0x00000000002C0000-memory.dmp

memory/2900-3-0x0000000000400000-0x0000000002CC1000-memory.dmp

memory/2900-4-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\naraihIm0V\_Files\_Information.txt

MD5 2c2823577fc219b818f37d357c810d58
SHA1 c6dbe7f00765f3e15f117aeb037bdfa414005ca7
SHA256 b7f2528ee8ca2dc4fb6181372d0d9b7cefd19ca652d304d69114838d2a9df11b
SHA512 aaae930a4ff51b3e444a43c4681a3ba3dc28f3eb46aef13a072ced3b02e9481a05ee5cec462c4d5fcaa3cc9356327bed8f6b257e5560a8cc6e2e9ce2182f5358

C:\Users\Admin\AppData\Local\Temp\naraihIm0V\_Files\_Screen_Desktop.jpeg

MD5 a6e538bab21bc7f2b2bb09993467c0c9
SHA1 1b20938914be8193f28472d6e2717d05995f6312
SHA256 8687636ac1aceac64f17998e693135161cd5486b533ec1b3d4567a35dd4ef662
SHA512 bfded190b308ec4dab9442031556fe8fd293291836fd9f6a6a57238e3fead0a1ff23ca67bf6f137cf48baed0d9210beaa3f5d6aead91d9e2c70528b8823b32cb

C:\Users\Admin\AppData\Local\Temp\naraihIm0V\files_\system_info.txt

MD5 70b95c65d9691b69f3a809eb7ffeacef
SHA1 423a4ba66929edca5e41d0ee5de2f723b24accff
SHA256 e4db95b4058bbea132d42666c98ddbfaa09e27ac65fb1b8496f0e5e3473f5b89
SHA512 ca87ba34b8d0e219c883dec445a84ab952bd499f2cc06608bcb27bf35231e262581455b80cdfbefc6a22ef7057ea533c0a975698348e49ef712f3270ef5abd6b

memory/2900-221-0x0000000000400000-0x0000000002CC1000-memory.dmp

memory/2900-223-0x0000000000220000-0x00000000002C0000-memory.dmp

memory/2900-226-0x0000000002E10000-0x0000000002F10000-memory.dmp

memory/2900-227-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\naraihIm0V\jNMgG6Wbek.zip

MD5 310a40867f9b3b67046a23c1cbc4b2f7
SHA1 5e661bd860f88cbe37b9fdbb1bff95081aca9b92
SHA256 5b7981b9eee65da8fdb5f281faf7cb4e6902842f7c2ad5accee1d6eef995711b
SHA512 892353ddf32519a4da0b35c040373cb1d6c959b80d0baa1e8bd97b9638058d626e64ce85f11fb4bfb6033def7476dfb4a73c6349f67991511d4e69512bfabedc

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 18:58

Reported

2024-01-21 19:00

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe

"C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 848

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.113.50.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | lysano52.top | udp
US | 8.8.8.8:53 | morecj05.top | udp
US | 8.8.8.8:53 | morecj05.top | udp
US | 8.8.8.8:53 | morecj05.top | udp
US | 8.8.8.8:53 | morecj05.top | udp
US | 8.8.8.8:53 | morecj05.top | udp
US | 8.8.8.8:53 | morecj05.top | udp
US | 8.8.8.8:53 | morecj05.top | udp

Files

memory/2816-1-0x0000000002F90000-0x0000000003090000-memory.dmp

memory/2816-2-0x0000000004A30000-0x0000000004AD0000-memory.dmp

memory/2816-3-0x0000000000400000-0x0000000002CC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\_Files\_Information.txt

MD5 556ee95ed74ee26186bc4129dca44ffe
SHA1 4ed2ff9e66a3034a5523b075dba4b8f599d9b2bf
SHA256 37ed3ceb2bfa99ed51513ed7a740850ea9862bf41bea07c54dc31bbc0a32de1b
SHA512 70a8123ffd04b84cd2ffb3623fc07c3b8f9c1cf9062c10b297eab9552c9c6bdf3e3f531c1a118469e87ff8e97b95bb23296d212831853ac43085ed2e5f809930

C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\_Files\_Information.txt

MD5 fa6746b9a8cce76ede5e30696c4a3f02
SHA1 998d5c841bf112e9f1cf44d472a94b5522aa5183
SHA256 79c8b2c8a6684cfec6b381886fbced89f66e8aedf20375a60254bdb9d07829df
SHA512 8afc88adb2aa56e0fa8ba874545c5bba919533dd92a74e67ad759a0f05dd490e6ba172c7d678a3fbdd846b9b40bf8f111f9144f5009172a6ddeb870348033093

C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\_Files\_Information.txt

MD5 07c9668aefdee73703d14d9ccb32e7b3
SHA1 399b54ae8c56c15167cc8b27d39ef899ce20137d
SHA256 812b1d5feb830b547673b5ed55208768028555439b1f6bd3f4da07c2b0d8486d
SHA512 d641fd9df67eb34644ec3a167a91988ed34db0ebb4584aa7f3575eee9a5dd96382a028a06a0606d82dac2a5ad57914906699f141070e5ce2a16172481b480ea5

C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\_Files\_Screen_Desktop.jpeg

MD5 d36c2d46e692b9d2ac7d166a4b8463a1
SHA1 cde298f2900a15e18422831f21fb6ee4eb1d330a
SHA256 34401d99974a776adf6d3935c3e3a77e21c1765e6e9356f6cdb02ff5219701d2
SHA512 366901cb2f25806b1faa278bef904e9940586ded5e4846b12866009a446a6b854984fa22aa9d25c9454caa85b9440ea06b7b08ee98c2bb64840c55de83f605b2

C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\files_\system_info.txt

MD5 2ae185af5eddfa4de3d0544562362bf2
SHA1 38216e85cf1b6327b726a2ee1d937cc941f28638
SHA256 32d07a67fabc7fb5acd071afa1b889bf9a8e3901ec70c8ecde5ae72ff762e3ae
SHA512 9af005039c4be5dd7cafa03c2b0ccd51e1ad76da2c3479c21cb579c2d97480e6de34638728cf23c1b74ac522faf566eee1483eef079d49c2ae5b2353a40f0571

memory/2816-207-0x0000000000400000-0x0000000002CC1000-memory.dmp

memory/2816-209-0x0000000002F90000-0x0000000003090000-memory.dmp

memory/2816-212-0x0000000004A30000-0x0000000004AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\CTZ3wqfHEb.zip

MD5 b2c7826f4cdaa667b450688f559bfced
SHA1 3eaa7ce61b859217a524e7050d784891740d0984
SHA256 74c9195262578a3ebd97fe70f687671703161da45ee059430b2d940b01f67efb
SHA512 75de0f2a129f7b7d745fcb709cb005f735b0e5d9ebb9735d4dbac5558f3ab6f67b6f3e66b40caec9502511f7f40af40085814879b4294101b15816c2ee342e6f

C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\Vl3v7okdrr.zip

MD5 92b1dbb17a65323768f9f80988f197bf
SHA1 69a2a983bc91cb49a6f0723d793dbb426e1d7982
SHA256 5c003ce5869ad507c6c4425b3f70e6374dfd9d2a9eae96517c2c057fe0f9d285
SHA512 405c52a723dbaf7a180320b2afb656d13979a203458daf2787b377114eb89f899ff6676692887de81510065bdf7931e6581850b67c3f43a66537a00e525310de