Malware Analysis Report

2024-10-19 02:36

Sample ID 240122-jxbajabgfm
Target 6f25a0962565b1974bedce661c201529
SHA256 89425ed57b370731f3eb964d7d2bfce74b8e9e4be1be23ad76990c2d3da93579
Tags: cryptbot discovery spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

89425ed57b370731f3eb964d7d2bfce74b8e9e4be1be23ad76990c2d3da93579

Threat Level: Known bad

The file 6f25a0962565b1974bedce661c201529 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 08:02

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 08:02

Reported

2024-01-22 08:05

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload


Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Process: C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe

"C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe"

Network


Files

memory/3556-1-0x00000000006F0000-0x00000000007F0000-memory.dmp

memory/3556-2-0x0000000002190000-0x0000000002239000-memory.dmp

memory/3556-16-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Datar

MD5 d63e3a8d4109b7212d419e17141dd862
SHA1 c9637da0763277477e60128ae2cd26fb314fa80a
SHA256 0cdd05fd9d9515c99e713a0cdf201fae20cd5db884c08a292ce16471725c521f
SHA512 dfee6ccabfe03415bea0d817ac0c393e98b54a0dfff102f0eee21c8e85d903e11a073aa97b7a3e8b95d88d5f86afd4c9782e7618e3119727da1e01d4895315e2

C:\Users\Admin\AppData\Local\Temp\LYwW3uoPxqt5\_Files\_Information.txt

MD5 59378601b3e5dff7077189d9e88edd4e
SHA1 f8fad865550fc83baffcd14c63a9043423b6cef7
SHA256 fdc3cc7b6801278364279ecaae8a67cbab8a88fecaac2d1004f2c9aed050a3ff
SHA512 20d93ef7c567a206cc310240598727dbc84e3ba10464315b8e1a63e19452f18f2e1cdfb0376ccca37e9076e0e7e6386783d2e119545741d1ef5c9aec1b8d77ab

C:\Users\Admin\AppData\Local\Temp\LYwW3uoPxqt5\_Files\_Information.txt

MD5 851e61f67e428ba4c08837784ad10173
SHA1 25e58c4e6d603c07e1cd165aceac15abdab9f0e0
SHA256 10d963505f5dbd25180e2c9aa2b93637fb1d224b87af6d56e73c0a08df87e157
SHA512 872efab6d6af65d9e00a98c3c74e1abe93a0d18b1086bfad36a239ca69c4b12f3a2ba19c568b5633f917cd5f6ada8410f99b7765a87d38a37582e91c1169dbdb

memory/3556-121-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/3556-123-0x00000000006F0000-0x00000000007F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LYwW3uoPxqt5\tijWaTPZSNlVK.zip

MD5 e38a6436d8821813c7509cb0e861d06c
SHA1 2a3ae589abe31b98b20c8f3beac13744bc275a4b
SHA256 b0041af3dbd4f36964fe66be3b1b380fbbf15f57d9a7d4e055e3b0cc6dd7a8de
SHA512 0dbf85b2604a9f6903c859aa0347025922f6ff6fc573e62ae6723dc39be3ec435e90e8ad15cea6027c6d34f5e9ec2ddbdb7e9f369fc3b7a3efc483ccac905e49

memory/3556-127-0x0000000002190000-0x0000000002239000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 08:02

Reported

2024-01-22 08:05

Platform

win7-20231215-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload


Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Process: C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe

"C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe"

Network

Country: US
Destination: 8.8.8.8:53
Domain: ewafxq25.top
Proto: udp

Files

memory/1032-1-0x0000000000690000-0x0000000000790000-memory.dmp

memory/1032-2-0x00000000002B0000-0x0000000000359000-memory.dmp

memory/1032-3-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Datar

MD5 c5ab22deca134f4344148b20687651f4
SHA1 c36513b27480dc2d134cefb29a44510a00ec988d
SHA256 1e9bd8064ca87d8441e2702005ef8df9a3647d5542740737abb8a70be7ec9512
SHA512 550f45132525e967d749106b9d3b114d17b066967527bfd5c66613d61b6f3995f87b0f3c09def19eed14b5b757f2501645b5103505d126f1dd66994f50e1257e

memory/1032-18-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wkusYT6\_Files\_Information.txt

MD5 ed83f3066a915cc1f8e9d02206cca3e1
SHA1 f7ee5d8c68dc6370961283fcfa5ba8e81476012c
SHA256 c6a5232084fce611bd18ba42c0c1c94192d577d50d650d39ee780022b9933ec7
SHA512 b774ef12fb8573a46c4af266d05e6a934246f3206491c8b63ac48320f1f7ec2e8f751136a47ef9951608dcbec1e17c4afa9347276b23e7511de8ac8c71d01a90

memory/1032-128-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1032-132-0x0000000000690000-0x0000000000790000-memory.dmp

memory/1032-133-0x00000000002B0000-0x0000000000359000-memory.dmp

memory/1032-134-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wkusYT6\WWKr3o1Tvz.zip

MD5 610ddca0af15f5ec9d2b43c05ddc4536
SHA1 35e018d5798f99cfbb0ed8e51df8c021d664fb6b
SHA256 e474d941116286e0326167badd970972df41b5aa97753e3226d0fc682b2d86e8
SHA512 775fc10742031a0b70b65de6b504a2edf72d1c446f1b5979799ceeaa36f802842c575d66354da8d2b2beefdac965493a6768301e1db4d74d3f48ded5409c1934