Malware Analysis Report

2024-10-19 02:36

Sample ID 240124-avxlbadegl
Target 70f6d008869f17c3e7a0331102af159b
SHA256 ad7a74ddae7cc81d8610ab6bedb94857f38c03b795c4a612fbacc47941286709
Tags themida cryptbot evasion spyware stealer trojan discovery
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 ad7a74ddae7cc81d8610ab6bedb94857f38c03b795c4a612fbacc47941286709

Threat Level: Known bad

The file 70f6d008869f17c3e7a0331102af159b was found to be: Known bad.

Malicious Activity Summary

themida cryptbot evasion spyware stealer trojan discovery

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Reads user/profile data of web browsers

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-24 00:32

Signatures

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-24 00:32

Reported

2024-01-24 00:35

Platform

win7-20231215-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe

"C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe"

Network

N/A

Files

memory/816-0-0x0000000000AF0000-0x00000000012DC000-memory.dmp

memory/816-1-0x0000000076FB0000-0x0000000076FB2000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-24 00:32

Reported

2024-01-24 00:35

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe

"C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe"

Network


Files

memory/4884-0-0x0000000000470000-0x0000000000C5C000-memory.dmp

memory/4884-1-0x0000000077B74000-0x0000000077B76000-memory.dmp


C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\_Files\_Information.txt

MD5 d833b41d54d47aed7bc762786e3bdad8
SHA1 b68aa241ec672d0ecf3746b9a18f95d8a85f2123
SHA256 6d990b8d524c08f810b49826fd032fd665da34dd055a191ee7a82a7f2783fc50
SHA512 0eab9b53a88afc526d5c3aa21a2bc8bdc82a5a698b14b7965d11b50e76ccc28a61ea2fbb93b8be5eb6a9dba206b741461b4394b50f7e9fe92051bb55c9e1d6f3

C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\_Files\_Information.txt

MD5 005306321219f19c072a205d2fb854e1
SHA1 e5370940cc32745c975c072a99e060615ee33c61
SHA256 a3efc7e529b500e39f7655eff7aecad4d54b496d094fcdd8d04bc2849586d570
SHA512 c0ff490c670a0b48e77c2647404d39ee9901ad2e73d893db84cea1f6c5c3e186b779cdb4f971608423c959d483c5b96ef0f65d1522af52a163a145966fd5e3c1

C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\files_\system_info.txt

MD5 cbf13a030532a2c5b7514989290273b5
SHA1 98e4c9b1de21e84bdea0b8dd7ecb2f1f2937e01c
SHA256 f94e0ae38ee503d36a2fab7962947388631614fd0dc030a53ce88f99c826b5f1
SHA512 6d533f5fb10c8026b44b49adf5e4abfaca7bde4e17ee9cde473438768c167ba3e626d6769393a76f805fa835a95090f3c9b5f5ac336ac8227617d7e91225628d

C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\files_\system_info.txt

MD5 1f1caafdc1691b749520e6afefb2487c
SHA1 d64f39b6e6158204b11b938fab6d9160fa212c3b
SHA256 60f3c380f8e666a17b8f7698241f84c33ecee72895458d42c383fba56d976514
SHA512 776d42c2572e196498ce4358b41c1b4dcefb15aec1c85958c3f8ab6e3d1684a551f2b39a3be88b0f689b38703500300048e42d09f3d89fd1988e3623ecaae5af

C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\_Files\_Screen_Desktop.jpeg

MD5 05efd7dd968d5559336850142e05aa7f
SHA1 8c15802bec9d36c2a427ba944e4149f24cba85f6
SHA256 faaabb8bf77f7a36fd38578199a80336e880a56e4c6ee71ab6448b5919e406fa
SHA512 730d07a01af346688f24a5878e27bee12758f2a569d22b0c5c571e9234b4b224b9dd53e2db67ce15d0714a5b6b7d626a57f636b8b4cadb63fc8102b653e2f014

C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\files_\system_info.txt

MD5 6f4462229c1ae64a5e0fb4b5aebea08f
SHA1 aefd4b3f1a57cf699892229e5997990633d385d0
SHA256 7143033f7bf773ba8f5ca759844f9d69f0105ec168e0d0be3fade84282100b3f
SHA512 e41996a552945c0e68d6c790e7d095fbbccf518d1797713ad30f1f0e34e9bde5395fdad52b3c29985b79b33fe619d074f96b2c4c519cca03b20d147189f226f0

C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\files_\system_info.txt

MD5 a8d666f80b1fbeb1ab1a4250286081a9
SHA1 bc3017b0bff38239307d3a21e09bee6823b720f5
SHA256 2e600e1eba6d8e30ae9283a1c4ed339a393575dbdc238910ab93a9dd8d553426
SHA512 46e67b9ee036b638d7b1a1a33c3fde0654294a9ee749c88a9a70ec691f90a0b410500512233734939deab74f0f075d9cd3959ea72c4e694745968fb68e644114


C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\ujZsQEfhrT.zip

MD5 0603583d33d065aa16ec9551c184a6e6
SHA1 52655d16f016b64644dc8454cad5a7de449b59c0
SHA256 028cbfe24496e291e0029b2e9f94543f46fbb8e2fdd7f5ec93da3c74f53d4d76
SHA512 002037438cea27c6ed20596c4fbb800de757f5900d854d717f12dc04f2b43a505e795c7d69c73294c6addde95925be290bbfff933d8491b6be92b97a9c51eb1f
