Analysis Overview
SHA256
381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f
Threat Level: Known bad
The file CrybtBot Sealer Unpacked.bin was found to be: Known bad.
Malicious Activity Summary
Cryptbot family
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-21 19:12
Signatures
Cryptbot family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-21 19:12
Reported
2024-01-21 19:15
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
Files
C:\Users\Admin\AppData\Local\Temp\llPNUyKFyAH\_Files\_Screen_Desktop.jpeg
| MD5 | c8eea9f39e76f8cfa4f4f27f0370933f |
| SHA1 | 4b0f7d29a21a193a392151b7c465c99ccdcd3cb4 |
| SHA256 | 043d9ae28eb69940535a586562945dc076f6992dced7e40b0b4a4cae7b52896c |
| SHA512 | 9f47bd9c221e06d70bcdab5f1dbfd360aad4f97ab2b34a276c76beb6d1ecf68305ef4d1d3f1dfa73d8bd7768f3f1099753e597975aaf0588165124f4292e734e |
C:\Users\Admin\AppData\Local\Temp\llPNUyKFyAH\_Files\_Information.txt
| MD5 | ffbaf590b3a978db27b64063bd483a13 |
| SHA1 | 549d598bde842ffa8f01aab1a8b13dd06c80574e |
| SHA256 | 81355f8b39107c92b41564542c3c35b14080b763b6e68049ff7fd4f8c8d96245 |
| SHA512 | bfcb4146799e9102ccd9790852795b3c962dc8297a8721dc5dcda526c5ac715fb7fa7f48e7f78ea997d897fed4f892a3d0f55bf920572222cb3aa37a45af3d69 |
C:\Users\Admin\AppData\Local\Temp\llPNUyKFyAH\IrnfGxiETkGvTV.zip
| MD5 | 71e3e9a7dbe692599f42e69e2a339aa3 |
| SHA1 | 119db87bca26e92ec2998b71741bc03f9f9b3208 |
| SHA256 | 53bb3362c03d3f11833d39e87514e3042c47254a924b0a5026bb2ab593da460d |
| SHA512 | 51946eafd01dd9f7030e25a76ffe75d661e7fba4d0c13177de033e8e35b7b2437e2ed9b6d4c7d927c4a4b1c45f67330b5da442b44f8057bfe03d4981787c2b75 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-21 19:12
Reported
2024-01-21 19:15
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2328 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2328 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2328 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2328 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2276 wrote to memory of 2148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 2276 wrote to memory of 2148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 2276 wrote to memory of 2148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 2276 wrote to memory of 2148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\uQZCQAYfSxOHZ & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 4