Malware Analysis Report

2024-10-19 02:36

Sample ID 240124-mvvsyagcbq
Target 720783dc09fc172c0983eeb3b489564c
SHA256 70526e6e5bd07f7a0eb2dab278c107340fcd9f59505af54507528fd8032bc5df
Tags
cryptbot discovery spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

70526e6e5bd07f7a0eb2dab278c107340fcd9f59505af54507528fd8032bc5df

Threat Level: Known bad

The file 720783dc09fc172c0983eeb3b489564c was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot payload

CryptBot

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-24 10:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-24 10:47

Reported

2024-01-24 10:50

Platform

win7-20231129-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe

"C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 knuzjh62.top udp

Files

C:\Users\Admin\AppData\Local\Temp\ev8JaGK\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\ev8JaGK\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\ev8JaGK\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\ev8JaGK\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\ev8JaGK\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\ev8JaGK\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\ev8JaGK\_Files\_Screen_Desktop.jpeg

C:\Users\Admin\AppData\Local\Temp\ev8JaGK\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\ev8JaGK\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\ev8JaGK\DWZgKStjZqykg.zip

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-24 10:47

Reported

2024-01-24 10:50

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe

"C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 knuzjh62.top udp
US 8.8.8.8:53 knuzjh62.top udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 knuzjh62.top udp
US 8.8.8.8:53 knuzjh62.top udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 knuzjh62.top udp
US 8.8.8.8:53 knuzjh62.top udp
US 8.8.8.8:53 knuzjh62.top udp
US 8.8.8.8:53 knuzjh62.top udp
US 8.8.8.8:53 knuzjh62.top udp
US 8.8.8.8:53 knuzjh62.top udp
US 8.8.8.8:53 knuzjh62.top udp
US 8.8.8.8:53 knuzjh62.top udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 knuzjh62.top udp
US 8.8.8.8:53 morwye06.top udp
US 8.8.8.8:53 morwye06.top udp
US 8.8.8.8:53 morwye06.top udp
US 8.8.8.8:53 morwye06.top udp
US 8.8.8.8:53 morwye06.top udp
US 8.8.8.8:53 morwye06.top udp
US 8.8.8.8:53 morwye06.top udp
US 8.8.8.8:53 morwye06.top udp

Files

C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\_Files\_Screen_Desktop.jpeg

C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\5AIbdOQWKxW.zip

C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\AfobSHSaqYUF.zip
