Malware Analysis Report

2024-10-19 02:36

Sample ID 240123-bvxrraefdj
Target 681457fa460dff885eef657f166d5ef8.bin
SHA256 262448352a09eb1da2f969f825c849cce7ec7dbcb79deda59611ca94fa7f099b
Tags cryptbot discovery spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

262448352a09eb1da2f969f825c849cce7ec7dbcb79deda59611ca94fa7f099b

Threat Level: Known bad

The file 681457fa460dff885eef657f166d5ef8.bin was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

Cryptbot family

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Deletes itself

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 01:28

Signatures

Cryptbot family

cryptbot

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 01:28

Reported

2024-01-23 01:31

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe

"C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 4

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-23 01:28

Reported

2024-01-23 01:31

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe

"C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp
US | 8.8.8.8:53 | unic16m.top | udp

Files

C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb\_Files\_Screen_Desktop.jpeg

MD5 b5e49f1fbd980dcfcae319727f1036ff
SHA1 67756731cceda77b955aa4a50675880c076038e9
SHA256 2f2cfae472ddab5d58efdad055875e671affa51be73565bd4995fce2e31adbd6
SHA512 2ea90083b24ed9abf940e8a7389c3b4ae93e47516e6f789fadafee293b26529767a1b266fb9deb471092ca6f526271485cf086a48a249d699689bd550e9b3b54

C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb\_Files\_Information.txt

MD5 2d094c1af69d172848a7f480f1af6f68
SHA1 59dbf9849800d64e1e598ab0f875b1219ea55b88
SHA256 69d97fb41ef136c995b9bb73ba45b96b63ae142211194941163ee505a6853c0b
SHA512 66714c891c3f5598e04f89acfe635b13702251cda82e5ae68cd061b0c9894f988a337ea347f4212e851a83bcd6df54d2207e55d5d392db9ba526c28316506c1b

C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb\_Files\_Information.txt

MD5 e24fed1ffa967f5128ebb49ef4d8aef1
SHA1 a2ad707f6da81e88f6df1284c9dcffb49762ccf8
SHA256 d722779316ac838fa7c33a0a4768754d632126f8dc9d7f57d57605c29a581d32
SHA512 52db06e170f914c234dd14af9fa9274309d725712533fb27d79ca3063846fe8eb916d0b8d90ced3be22b844e28d753f859a8c94aff39dde090cab01059a18810

C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb\_Files\_Information.txt

MD5 67c77e77a00a38d972bc107209bbb080
SHA1 f2b305b253db2ebefa5361b9510a0f311c59d424
SHA256 aa19330e6cce7f491ea10b28b04550366caaecd721299a1b4762902cae41f2d8
SHA512 359e7777b42a6c42aeb5b51fffcfba4fd7caf608722cb5b2c36d8ff849bdc6c0c764e8e1dbe76d901b75146160722f0c3f6983e192c9efcdeafcf15272a4bfc3

C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb\EcVdGeJTNQpTC.zip

MD5 98befa7052a255b88aa66b6503c09b53
SHA1 8b2443c7a8696646e1a79bc0b1585879490f7e8b
SHA256 6a631c42b4378fb6a73ac302ddcee0e4c1fd553d4f447cfbe670db5bd428ff7e
SHA512 6c3f236c63d0c5219b42da0e98b0c17d00b74b135efb585da3628438136a614d685dff99f637d8d082dff051f4bbbf0e0448813d44c2732a27e9a0de88151470