Analysis Overview
SHA256
381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f
Threat Level: Known bad
The file CrybtBot Sealer Unpacked.bin.exe was found to be: Known bad.
Malicious Activity Summary
Cryptbot family
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Deletes itself
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Enumerates physical storage devices
Delays execution with timeout.exe
Checks processor information in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-21 19:12
Signatures
Cryptbot family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-21 19:12
Reported
2024-01-21 19:14
Platform
win7-20231129-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1764 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1764 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1764 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1764 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2892 wrote to memory of 2348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 2892 wrote to memory of 2348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 2892 wrote to memory of 2348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 2892 wrote to memory of 2348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe
"C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\vkbAPImWONw & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-21 19:12
Reported
2024-01-21 19:14
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe
"C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.bin.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 53.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 74.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
Files
C:\Users\Admin\AppData\Local\Temp\NvaNCqgFga\_Files\_Screen_Desktop.jpeg
| MD5 | a7acd7169b8cbbde4bae2d1d0db4cf6e |
| SHA1 | 90e3788f56ba4102bdadf7dece62f97854b628e9 |
| SHA256 | 1f914d989660a6806a5bab5a3aad57a6d3102ade90cc3ef2184b5d6c0bb6ea61 |
| SHA512 | 5c89b6dfa89fd6f3cbf22916aaf34fe8f411712cc2a57c36a41c4e1645702139de1ab0fb6c54188584ff26c901eaab53581b4429c066ed3b92db537bd7ea96f9 |
C:\Users\Admin\AppData\Local\Temp\NvaNCqgFga\_Files\_Information.txt
| MD5 | eefdf324433be1f74afe5bc3f5afeb66 |
| SHA1 | ae8224de1c0acb0cd4b4d7fde551fc01b1fa3a05 |
| SHA256 | cc7bdaf52a725f4a0ad63eec9f929e1063953ec3ba8c35f34cb8785a996ae558 |
| SHA512 | 1ca821ac80f2ec9e64251ca7e0bf47f4cefe2ef6d1540a4acdb7b4b60bccd42cbfdc87ced84ad6670c518b1c7d2afe8e896ec4e1b65fb5747b4572ebe569d29e |
C:\Users\Admin\AppData\Local\Temp\NvaNCqgFga\_Files\_Information.txt
| MD5 | 16fb6d77a84fe0f138b88c90bc63ef34 |
| SHA1 | d41283b1c2043507f04ed4e76e45aece964888e2 |
| SHA256 | de10753eb6742b01e0574a9923849715872e4a709a2a11db4e0b5eb9ae8eccf7 |
| SHA512 | 7153ba53d5c865e384b8bfb1a7ea0c704c519e89e07b9eb36f5db22c1bcc28ad7c78e6e3820f3324f6e0acf47fcee2e2218ed53326fea7693baef114cee1b322 |
C:\Users\Admin\AppData\Local\Temp\NvaNCqgFga\_Files\_Information.txt
| MD5 | 2742fed9d53c07a8a38fe7a263bc6619 |
| SHA1 | db578187fab788c1df0710e97846e636ebd3287a |
| SHA256 | bdc5922aabc1fffd1c0a7e0fd7ed3995843539cd157eafc121e29d50ee366358 |
| SHA512 | 8d173e84f2f5f0144789e80667c5bcd3ca354bd803de9a2536d1f7acc1655c75a19a2f5cd4ce74e84074efb91ee0821e63edc787857e48b15f3cd009ea7bb4a6 |
C:\Users\Admin\AppData\Local\Temp\NvaNCqgFga\fQHWEqvBULV.zip
| MD5 | bf71ccd395ecc672f9bdff362afbf2be |
| SHA1 | 89b62d61cac71629fd4befe04e0d3f867f7ea62b |
| SHA256 | b6774edcdf827e58a58f2d89c3900df72be1867048d15bb23567742a8e0a11c3 |
| SHA512 | 4fe5708bc7f1147be20819d2e1334e99c23e852a32a89202462d505704e72246550ca4542aa2c1fc195d16cf344ca71069baf66ab0b7705e86768c9a7941bddc |