Malware Analysis Report

2024-10-19 02:36

Sample ID 240121-xwrg1sgedq
Target CrybtBot Sealer Unpacked.bin
SHA256 381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f
Tags
discovery spyware stealer cryptbot
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f

Threat Level: Known bad

The file CrybtBot Sealer Unpacked.bin was found to be: Known bad.

Malicious Activity Summary

discovery spyware stealer cryptbot

Cryptbot family

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Checks processor information in registry

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 19:12

Signatures

Cryptbot family

cryptbot

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 19:12

Reported

2024-01-21 19:15

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe

"C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\llPNUyKFyAH\_Files\_Screen_Desktop.jpeg

MD5 c8eea9f39e76f8cfa4f4f27f0370933f
SHA1 4b0f7d29a21a193a392151b7c465c99ccdcd3cb4
SHA256 043d9ae28eb69940535a586562945dc076f6992dced7e40b0b4a4cae7b52896c
SHA512 9f47bd9c221e06d70bcdab5f1dbfd360aad4f97ab2b34a276c76beb6d1ecf68305ef4d1d3f1dfa73d8bd7768f3f1099753e597975aaf0588165124f4292e734e

C:\Users\Admin\AppData\Local\Temp\llPNUyKFyAH\_Files\_Information.txt

MD5 ffbaf590b3a978db27b64063bd483a13
SHA1 549d598bde842ffa8f01aab1a8b13dd06c80574e
SHA256 81355f8b39107c92b41564542c3c35b14080b763b6e68049ff7fd4f8c8d96245
SHA512 bfcb4146799e9102ccd9790852795b3c962dc8297a8721dc5dcda526c5ac715fb7fa7f48e7f78ea997d897fed4f892a3d0f55bf920572222cb3aa37a45af3d69

C:\Users\Admin\AppData\Local\Temp\llPNUyKFyAH\IrnfGxiETkGvTV.zip

MD5 71e3e9a7dbe692599f42e69e2a339aa3
SHA1 119db87bca26e92ec2998b71741bc03f9f9b3208
SHA256 53bb3362c03d3f11833d39e87514e3042c47254a924b0a5026bb2ab593da460d
SHA512 51946eafd01dd9f7030e25a76ffe75d661e7fba4d0c13177de033e8e35b7b2437e2ed9b6d4c7d927c4a4b1c45f67330b5da442b44f8057bfe03d4981787c2b75

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 19:12

Reported

2024-01-21 19:15

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe

"C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\uQZCQAYfSxOHZ & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\CrybtBot Sealer Unpacked.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 4

Network

N/A

Files

N/A