Malware Analysis Report

2024-10-19 02:36

Sample ID: 240121-xwgykshbc4
Target: CrybtBot Sealer Unpacked.bin.exe
SHA256: 381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f
Tags: cryptbot discovery spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f

Threat Level: Known bad

The file CrybtBot Sealer Unpacked.bin.exe was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

Cryptbot family

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Deletes itself

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 19:12

Signatures

Cryptbot family

cryptbot

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 19:12

Reported

2024-01-21 19:14

Platform

win7-20231129-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe

"C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\vkbAPImWONw & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 19:12

Reported

2024-01-21 19:14

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe

"C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | 53.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | 74.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp

Files

C:\Users\Admin\AppData\Local\Temp\NvaNCqgFga\_Files\_Screen_Desktop.jpeg

MD5 a7acd7169b8cbbde4bae2d1d0db4cf6e
SHA1 90e3788f56ba4102bdadf7dece62f97854b628e9
SHA256 1f914d989660a6806a5bab5a3aad57a6d3102ade90cc3ef2184b5d6c0bb6ea61
SHA512 5c89b6dfa89fd6f3cbf22916aaf34fe8f411712cc2a57c36a41c4e1645702139de1ab0fb6c54188584ff26c901eaab53581b4429c066ed3b92db537bd7ea96f9

C:\Users\Admin\AppData\Local\Temp\NvaNCqgFga\_Files\_Information.txt

MD5 eefdf324433be1f74afe5bc3f5afeb66
SHA1 ae8224de1c0acb0cd4b4d7fde551fc01b1fa3a05
SHA256 cc7bdaf52a725f4a0ad63eec9f929e1063953ec3ba8c35f34cb8785a996ae558
SHA512 1ca821ac80f2ec9e64251ca7e0bf47f4cefe2ef6d1540a4acdb7b4b60bccd42cbfdc87ced84ad6670c518b1c7d2afe8e896ec4e1b65fb5747b4572ebe569d29e

C:\Users\Admin\AppData\Local\Temp\NvaNCqgFga\_Files\_Information.txt

MD5 16fb6d77a84fe0f138b88c90bc63ef34
SHA1 d41283b1c2043507f04ed4e76e45aece964888e2
SHA256 de10753eb6742b01e0574a9923849715872e4a709a2a11db4e0b5eb9ae8eccf7
SHA512 7153ba53d5c865e384b8bfb1a7ea0c704c519e89e07b9eb36f5db22c1bcc28ad7c78e6e3820f3324f6e0acf47fcee2e2218ed53326fea7693baef114cee1b322

C:\Users\Admin\AppData\Local\Temp\NvaNCqgFga\_Files\_Information.txt

MD5 2742fed9d53c07a8a38fe7a263bc6619
SHA1 db578187fab788c1df0710e97846e636ebd3287a
SHA256 bdc5922aabc1fffd1c0a7e0fd7ed3995843539cd157eafc121e29d50ee366358
SHA512 8d173e84f2f5f0144789e80667c5bcd3ca354bd803de9a2536d1f7acc1655c75a19a2f5cd4ce74e84074efb91ee0821e63edc787857e48b15f3cd009ea7bb4a6

C:\Users\Admin\AppData\Local\Temp\NvaNCqgFga\fQHWEqvBULV.zip

MD5 bf71ccd395ecc672f9bdff362afbf2be
SHA1 89b62d61cac71629fd4befe04e0d3f867f7ea62b
SHA256 b6774edcdf827e58a58f2d89c3900df72be1867048d15bb23567742a8e0a11c3
SHA512 4fe5708bc7f1147be20819d2e1334e99c23e852a32a89202462d505704e72246550ca4542aa2c1fc195d16cf344ca71069baf66ab0b7705e86768c9a7941bddc