Malware Analysis Report

2024-10-19 02:36

Sample ID 240122-fklzqagghm
Target 6ec80a2e8194a457f2f555506986e490
SHA256 48ab70d33532409f5394c271fe0fba6234b15b36584234d5b595b9791972bec1
Tags
cryptbot discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

48ab70d33532409f5394c271fe0fba6234b15b36584234d5b595b9791972bec1

Threat Level: Known bad

The file 6ec80a2e8194a457f2f555506986e490 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 04:55

Signatures

Unsigned PE

Hits: 1 (no description, indicator, process or target recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 04:55

Reported

2024-01-22 04:58

Platform

win7-20231129-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Hits: 3 (no description, indicator, process or target recorded for this signature)

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Process: C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe
Target: N/A

Reading ProcessorNameString is a weak indicator on its own: a great deal of benign software queries it, and the read is visible here only because the sandbox traces API calls. Sysmon records registry key creation and deletion, value writes and renames, not value reads, so this behaviour does not translate directly into an endpoint detection rule.

Suspicious use of FindShellTrayWindow

Hits: 2
Process: C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe
(no description, indicator or target recorded for this signature)

Processes

C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe

"C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ewayab32.top udp
US 8.8.8.8:53 morxeg03.top udp

Only these two DNS queries to the resolver are recorded for this detonation. No TCP session to either name appears in the capture, so nothing beyond name resolution is visible in this report.

Files

memory/2024-1-0x0000000000600000-0x0000000000700000-memory.dmp

memory/2024-2-0x0000000000310000-0x00000000003B0000-memory.dmp

memory/2024-3-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2024-4-0x0000000000560000-0x0000000000561000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\_Files\_Information.txt

MD5 0c43cfb68af2109f0c277371a7b6daf1
SHA1 8564c9996910cd8292a7cb7630b8d2e83d0f92a3
SHA256 6660737f23a35608a609193f1cb74b3f9b234d3bf102f584af0266ef5104dbd2
SHA512 eaed2d40cd2d695d49b43d971309c0e1dcd86229df2766b7bf44828a5be5d5f3f54f069e7361679712857b420b80b753bd58f53b1289872e3747ad3fddf4607b

C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\_Files\_Information.txt

MD5 66830ac012a3563ec7d14de3a09d77ee
SHA1 3628cce373fd075ac009ae843d3264fdb88a1ebf
SHA256 f67e18b1d0b585ce8a8f35c9de41376bc538a2ab2b008013330b43540470c4f9
SHA512 5c51acbca7e15eaf1375d7df2678c2680498cd27921b1025153e15ecc184f51f97fc494108f19b978b4d002d0a4fa008d2f333723b27fa97a2c50336088f27f1

C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\_Files\_Information.txt

MD5 213e63ab19d7decb83c253813ddf76af
SHA1 8ba0c69b9eb042a19904ed4e2adccbb605fa6306
SHA256 98bc228c80efa014bc77a49dbafaf29a1d12e3b379b7b6a9cf9e50f77d2479e5
SHA512 b84d21d64038ac74419a94e2ade8c3e74c631750749ba23db39b717cb7e65add7ea9eaa14fdc50428e81c971cfde80da065ac31c790e110c1ab62a4ffebd5237

C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\_Files\_Information.txt

MD5 bf29f9cddfd81b9116bcce6775cc39f7
SHA1 d0f49372295e0bc98c7273eda1240f8e91eeaf7b
SHA256 ba8347de95d826dac29789ea28d39706614c2b0f8fb79539f146bb506e646925
SHA512 4c0bdff0501c97a4d93c950a710f462495e7cbb120f89d49aab2f6f8a985a0c0365af7be44ce1631d8c06b7d7fb93c3f669ba6abde24c6f13641d2b7c8360330

C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\files_\system_info.txt

MD5 a0e153cca20254757c789969bc462d5c
SHA1 7402d4a15d63784ffb8c7604339665416d97ef49
SHA256 e77c0f1fd0413f20fb14ae6def1b1faf479b3857c3275dc5fbbad92ed3b02762
SHA512 1f1f78e606147b1ca69362c79f8dc438e6a49ca90aa6d7e73ad502a490d5985b926ff48599774717fa851991aa6d8ce62ddbfe10e8e8a39ad7a5fcd30b312236

C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\files_\system_info.txt

MD5 e0c53319d8ac3414eefe798ab79bdd10
SHA1 4bace5f5b1c3805a95e629bb2a83de78d835ad6a
SHA256 a9d08c0a178ee1f405dd7b0c470eb962d0a1d72696908e2d60891a33578dc249
SHA512 f03a61db0c7868a2c7f8d166a2b4ae902c1530e53119e7efd28b9697d1d40381d233e684e5f09cb5f5f7c5c2246a52f4836449da5d432ff7050a70e46671fb57

C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\files_\system_info.txt

MD5 95fc5ac6bfeaa486af470eb4f0d1a680
SHA1 10e7fac789107c73d057ab0bf30d8c6c26f34d64
SHA256 b21a1553ebb95d8a894e7c5b2bd27ae3cad74374a696cb412ccb52682f9c2ff8
SHA512 c77b741ed886eae0dec6ecc0259560b32417e796eb3aa5eb6dc7dade8bc7bc268cb4cf99c053e5ee5646109abca6d1fff0bfe0b7c81c2bf4b8b396539973e432

C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\files_\system_info.txt

MD5 bdaebbad51f1d45481c6487d1478166b
SHA1 dfd8532c7a969fbef603cfa77155caddb44d381c
SHA256 6eda7a621fe064fea5db1b5ca64bc4698e4ea4a7eff143b0e9cf0ada4c8e2d28
SHA512 72f54b169e8dedabb81629700aba64e44e103344b992b20e056fe60937e2b57a7ffb40f8d586114faf8e7a8cc46e73a2e3b278bebdd72de1d9cd9c68285fe870

C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\_Files\_Screen_Desktop.jpeg

MD5 a881dabf737d7817908cc26aa471d8d6
SHA1 97c2e25cba9c356a4f52b94f87ad08a2be6b67ce
SHA256 994a53be4febcda1534f6dd3b257c8db28e6cf787ec8e136906ed789def682c5
SHA512 44d9cc5bd4c63700b1eb3484d5c3ab074239e7bb081971ebd0b21faf48dc85cd514a9aee8ad38f53000bb611550b375312464efccaad6e26375cf3195f2c0f5b

memory/2024-222-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2024-224-0x0000000000600000-0x0000000000700000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\m7xXV3dhgENwNL.zip

MD5 71b72055997ddff01da3b102fe7de6d9
SHA1 a040c8f78734960f1e821eaf40b54ad708d3557f
SHA256 16b5277220a4474de6034d503d83b0af04e0fbbcd58dbd54659d080d6b704dcc
SHA512 465bd5bc3b99ef65a0a38b7cf68082b4e48aa2c9451fefbfce61436943a4e02554ee03c655e06f3e5f6e5037772e21e3b1dca48a09e208a0740719b9862dbded

memory/2024-227-0x0000000000560000-0x0000000000561000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 04:55

Reported

2024-01-22 04:58

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Hits: 4 (no description, indicator, process or target recorded for this signature)

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Process: C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Hits: 2
Process: C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe
(no description, indicator or target recorded for this signature)

Processes

C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe

"C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe"

Network

Country Destination Domain Proto Queries
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp 1
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp 1
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 ewayab32.top udp 14
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp 1
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp 1
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp 1
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp 1
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp 1
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp 1
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp 1
US 8.8.8.8:53 morxeg03.top udp 6
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp 1

The 32 rows of the original capture are collapsed by queried name, in order of first appearance; "Queries" is how many times the name was queried. The sample's two domains were queried repeatedly (14 and 6 times) within the 150 s run, and no TCP session to either appears in the capture. The in-addr.arpa rows are reverse (PTR) lookups of unrelated addresses; PTR traffic of this kind is characteristic of operating-system background activity on the Windows 10 image and cannot be attributed to the sample from this report alone, so it should not be treated as an indicator.
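As an added example that is not part of the sandbox report: a small Python script for triaging DNS rows in the layout of the network tables above (this one and the behavioral1 table). It separates reverse (PTR) lookups from forward queries, counts how often each name was queried, and matches the forward names against the two domains the report lists. The function names (parse_rows, ptr_to_ip, triage) and SAMPLE_ROWS are mine; SAMPLE_ROWS is a constructed subset of the behavioral2 rows, not the full capture.

```python
"""Triage sandbox DNS rows: split PTR lookups from forward queries, count retries,
and match forward names against the domains listed in this report (added example)."""
import ipaddress
import re
from collections import Counter

# The two domains queried by the sample in both detonations of this report.
REPORT_C2_DOMAINS = {"ewayab32.top", "morxeg03.top"}

# Constructed input in the report's "Country Destination Domain Proto" row layout.
# These eight rows are a subset of the behavioral2 table, not the full capture.
SAMPLE_ROWS = """\
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 ewayab32.top udp
US 8.8.8.8:53 ewayab32.top udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 ewayab32.top udp
US 8.8.8.8:53 morxeg03.top udp
US 8.8.8.8:53 morxeg03.top udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<resolver>[^\s:]+):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<proto>\S+)$"
)


def parse_rows(text):
    """Parse one table row per line into dicts; blank lines and a pasted header are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())
    return rows


def ptr_to_ip(name):
    """Map an IPv4 reverse-lookup name back to the address that was looked up.
    Returns None for forward names (ip6.arpa is deliberately not handled here)."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows, ioc_domains=REPORT_C2_DOMAINS):
    """Count forward queries and PTR lookups separately and flag IOC matches,
    including subdomains of a listed domain (e.g. a host under ewayab32.top)."""
    forward, reverse = Counter(), Counter()
    for r in rows:
        ip = ptr_to_ip(r["name"])
        if ip is not None:
            reverse[ip] += 1
        else:
            forward[r["name"].lower().rstrip(".")] += 1
    hits = {}
    for name, n in forward.items():
        if name in ioc_domains or any(name.endswith("." + d) for d in ioc_domains):
            hits[name] = n
    return {"forward": forward, "reverse": reverse, "ioc_hits": hits}


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_ROWS))
    for name, n in result["ioc_hits"].items():
        print(f"IOC {name}: queried {n} time(s)")
    for ip, n in result["reverse"].items():
        print(f"PTR lookup for {ip}: {n}")
```

The PTR rows are kept apart on purpose: they tell you which addresses the host looked up, not which names the sample resolved, and lumping them in with the forward queries would inflate an IOC list with resolver and OS background traffic.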

Files

memory/5016-1-0x00000000008E0000-0x00000000009E0000-memory.dmp

memory/5016-2-0x0000000002280000-0x0000000002320000-memory.dmp

memory/5016-3-0x0000000000400000-0x000000000051D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EGsZqzd\_Files\_Information.txt

MD5 d0474047dbe87fabc657fef78ee45b23
SHA1 aa3074df1faf0d4c959bd6ecede2d10e687f9a49
SHA256 b4dadb9c063b6876b247041f42400e0120f1ef44fb1993314001ba62cfcf7efd
SHA512 a52b724232d39797f427935b82052d1a4a116844fb1060e29c27bfa28b208292fae5a6ddd5b0badd04a1dbdac65796a23a68b143c76a73a2d59dfcbdce5d7603

C:\Users\Admin\AppData\Local\Temp\EGsZqzd\_Files\_Information.txt

MD5 f81e0a1e03870d9264a43f7fe8e7a94c
SHA1 62c0bb4c5234d417ceab896693260a3a55d8c64f
SHA256 9ae1b95f19618228214c7954f412cdebdc1f0b99d0bd8432d7bb9fef0301a7d3
SHA512 e037f64689596bc50cc8973110d29ea511181e749a97f7f751893c3c4188f8c10462f0b8e96643916852a92028e5547c132c9b3ad14f6e2d0f9a8ba716b6efb4

C:\Users\Admin\AppData\Local\Temp\EGsZqzd\_Files\_Screen_Desktop.jpeg

MD5 774081a8ccc56ed0e9bbd7df1f01249a
SHA1 b5a22c89a49cf3e8748582dbec7a02c294c682bd
SHA256 f9772ebf0cd4987ddd9b42df44b50959150688a79df82abf824c44d31fe5c90e
SHA512 0fcfb42f257fce9bb8bbc70f048811febdaea76694ec196dbfbbb1f9f68cffa1ed22a7a63959fbf1237144a01266c51efe79a9f2ece4b7860ccdd0a25480aa58

C:\Users\Admin\AppData\Local\Temp\EGsZqzd\files_\system_info.txt

MD5 4f724cefa97bb4fca3804fa468bde6a0
SHA1 d7a28ecb7f866873da085d848c4b14faa9931489
SHA256 5912ec80b75ecdbd11ec07d94fd3e77e06f4ce1fcef216d918c05054a61176eb
SHA512 1f314e92b60a674312692dc3ba78192499d5344f98095ca53bc55ce9c8f0fc64477a35c17f501711d35941f1394a3072076559459d0486cfb2284892c92c02e9

C:\Users\Admin\AppData\Local\Temp\EGsZqzd\files_\system_info.txt

MD5 37769fff937f3cdb56086916cd587ee9
SHA1 82f58aa10d170714c93df517f4d178075fc983c5
SHA256 10275f334bf55560f82b9b90521c3f8bc3612c156b50962578f7cda5058ee05f
SHA512 a4198d456cccf0f8f03a7e6cf51a6fc424225bf879706bf497944f4134af5afcd8f343ed6a18096112fd3c114f43188e235293b17f29bc1392791a41830696ee

C:\Users\Admin\AppData\Local\Temp\EGsZqzd\files_\system_info.txt

MD5 1c2d8d0c21f2df423b31c819f12cf5a2
SHA1 cd05230d8c988299549ef37f3060f75b4867ca61
SHA256 c99873e5569df8472c8d4cef35cb4cee93f50675c03fa75361df8c43cb6212d5
SHA512 50e5ad2b87fd9889f630348c011466ea27c4117eee40b8c9986117601222ecfbf65851228213bbd0318723d10e59613ca88f150935330d4559780c999d0945be

C:\Users\Admin\AppData\Local\Temp\EGsZqzd\files_\system_info.txt

MD5 fd35fc9d91abb1c23b967ea1280349c9
SHA1 2e7b0591883f78cfc8a4c3b5c1aa244d8c7302e7
SHA256 b746ae11f722311cdad620c221d46e24f858192c9132e6066e9c9a467a2298f9
SHA512 137fc5ffaee74412756cc5022029c7a473ebf34c9dfc28eae20a385e8ea2ebc6ef27e2bfea5c372fa1b6ec7a908cfd4f76d36a6fad30f372063671fa45c172e3

C:\Users\Admin\AppData\Local\Temp\EGsZqzd\files_\system_info.txt

MD5 0255332dc6670a1a4315beb31f2b5583
SHA1 9d8f8bc1a99b23dc3fbcfbb8957e2532d36726e3
SHA256 24e5f522cee8ac191f6019e71cd0d44cd4482b0cf49fa0c52851abbf0095e6d6
SHA512 27b3be19590559d1756681db0868f3d770a1f7c5885151b03633b188d5cf5eebeafb41eb0d3486de297c47838243534595e3a6f24de69465cd751489b27d4144

memory/5016-208-0x0000000000400000-0x000000000051D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EGsZqzd\tlpouQWYxBOd2g.zip

MD5 25f6e6c21ed122f9cf7c61749d88a0e4
SHA1 3bc265074b1164e53b635c99d7571b73d6cc0c1c
SHA256 3a0c80f1d57b3e60df2649630f016abb498a361161a2ac1785768beacaa66d44
SHA512 afb9e50c8edba170a4affbe8c5c05cb00f877cbe780c08068cd5edebad36848d8cf7a0d4b955e8fad68c7cadad406e7bb0493113b5103d099b726a80b37d2565

memory/5016-213-0x0000000002280000-0x0000000002320000-memory.dmp

memory/5016-212-0x00000000008E0000-0x00000000009E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EGsZqzd\ZhjtyYCiM.zip

MD5 c189d7bf8606cb60894236a7a6d43019
SHA1 4d3792fe786e9ecba3bb473d77a75953a05a1c33
SHA256 f703f42aef42e9f62876ded850caac3978b0e3b7bb68db2d55d3f22996b3c2bc
SHA512 45533ef418e9dd33e43fc66e9b6ed0e872a065bec0b5b5b583053da9b46d25cd07557ad9d11c82dcdd65aa60906f76e3777424ba665204a233ac9ebc3df649fe
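Both detonations drop the same staging layout: a random-named directory directly under %TEMP% holding _Files\_Information.txt, _Files\_Screen_Desktop.jpeg, files_\system_info.txt and a random-named .zip at the directory root. The dropped files hash differently on every victim (screenshot, system information), so only the sample hash and the path layout are durable indicators. As an added example that is not part of the sandbox report, the Python below groups file-create events by their first-level %TEMP% directory and flags a directory that shows the layout; it also checks event hashes against the sample SHA256 from this report. The function names, the minimum-marker threshold and SAMPLE_EVENTS are mine; SAMPLE_EVENTS is constructed from the behavioral1 paths plus two benign distractors.

```python
"""Flag the staging-directory layout seen in this report from file-create events
and match event hashes against the sample SHA256 (added example)."""
import re

# Relative paths observed under the random-named %TEMP% directory in both detonations.
REQUIRED_REL = {
    r"_Files\_Information.txt",
    r"_Files\_Screen_Desktop.jpeg",
    r"files_\system_info.txt",
}
# <drive>:\Users\<user>\AppData\Local\Temp\<one dir>\<rest>; a file directly in Temp does not match.
STAGING_ROOT_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+)\\(?P<rel>.+)$",
    re.IGNORECASE,
)
ARCHIVE_AT_ROOT_RE = re.compile(r"^[^\\]+\.zip$", re.IGNORECASE)

# The only hash from this report worth pinning is the sample itself; the dropped
# screenshot, system-info text and zip hash differently on every victim.
KNOWN_BAD_SHA256 = {"48ab70d33532409f5394c271fe0fba6234b15b36584234d5b595b9791972bec1"}

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe"

# Constructed file-create events as (process image, path, sha256 or None). The four
# staging paths come from the behavioral1 Files section; the last two are benign noise.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", SAMPLE_EXE,
     "48ab70d33532409f5394c271fe0fba6234b15b36584234d5b595b9791972bec1"),
    (SAMPLE_EXE, r"C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\_Files\_Information.txt", None),
    (SAMPLE_EXE, r"C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\files_\system_info.txt", None),
    (SAMPLE_EXE, r"C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\_Files\_Screen_Desktop.jpeg", None),
    (SAMPLE_EXE, r"C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\m7xXV3dhgENwNL.zip",
     "16b5277220a4474de6034d503d83b0af04e0fbbcd58dbd54659d080d6b704dcc"),
    (r"C:\Users\Admin\Downloads\setup.exe", r"C:\Users\Admin\AppData\Local\Temp\is-K2F1A.tmp\setup.tmp", None),
    (r"C:\Windows\System32\svchost.exe", r"C:\Users\Admin\AppData\Local\Temp\wct1234.tmp", None),
]


def group_by_staging_root(events):
    """Bucket every path of the form %TEMP%\\<dir>\\... by that first-level directory."""
    roots = {}
    for proc, path, _sha in events:
        m = STAGING_ROOT_RE.match(path)
        if not m:
            continue
        root, rel = m.group("root"), m.group("rel")
        entry = roots.setdefault(root.lower(), {"root": root, "rel": set(), "archives": [], "procs": set()})
        entry["rel"].add(rel.lower())
        if ARCHIVE_AT_ROOT_RE.match(rel):
            entry["archives"].append(rel)
        entry["procs"].add(proc)
    return roots


def detect_staging(events, min_markers=2):
    """Return directories showing at least `min_markers` of the known relative paths.
    The threshold (my choice) tolerates a partial capture while still requiring two markers."""
    required = {r.lower() for r in REQUIRED_REL}
    hits = []
    for entry in group_by_staging_root(events).values():
        markers = sorted(entry["rel"] & required)
        if len(markers) >= min_markers:
            hits.append({
                "root": entry["root"],
                "markers": markers,
                "archives": entry["archives"],
                "processes": sorted(entry["procs"]),
            })
    return hits


def detect_known_hash(events, known=KNOWN_BAD_SHA256):
    """Return (path, sha256) for events whose hash is on the known-bad list."""
    return [(path, sha) for _proc, path, sha in events if sha and sha.lower() in known]


if __name__ == "__main__":
    for hit in detect_staging(SAMPLE_EVENTS):
        print(f"staging dir {hit['root']}: markers={hit['markers']} archives={hit['archives']}")
    for path, sha in detect_known_hash(SAMPLE_EVENTS):
        print(f"known-bad hash {sha[:12]}... written to {path}")
```

Grouping by the first-level directory rather than matching full paths is what makes the random directory and archive names (rDm8iprvl, EGsZqzd, m7xXV3dhgENwNL.zip, tlpouQWYxBOd2g.zip) irrelevant: the detection keys on the fixed relative layout beneath them.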