Overview

overview

10

Static

static

3

6f2f7f2ce0...18.exe

windows7-x64

10

6f2f7f2ce0...18.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

Setupres.exe

windows7-x64

9

Setupres.exe

windows10-2004-x64

9

VMProtectSDK32.dll

windows7-x64

1

VMProtectSDK32.dll

windows10-2004-x64

1

ipras.vbs

windows7-x64

8

ipras.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 16:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    2.2MB

  • MD5

    112612c1ceaf7965ed7beb7d2341e0e2

  • SHA1

    4a2e3df41d122e0ab2e4d8b774e806554f4a6296

  • SHA256

    b5ee04d73e9cfa30a1719d2cbf9d17e76a5c8dc6149f9bb571365d5ee5b00072

  • SHA512

    5ebf8b9f98497c35629d6924e03ca5d7661fea4ff5ae46ae56c56111f38d3af2ad51818d4363985424991e53663d1b96c366d84cbeb34dbecf641e7d09c1eeba

  • SSDEEP

    49152:8NE9c7j+VxRCE0ntUyaDou+DuPSQQN/630zOKDYhKk:2j+0jntUODuPwdyZKDYhKk

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

biss01.info

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\PMf26YKoN8aTolh & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:708
      • C:\Windows\SysWOW64\timeout.exe
        timeout 2
        3⤵
        • Delays execution with timeout.exe
        PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\PMf26YKoN8aTolh\47283761.txt
    Filesize

    156B

    MD5

    b5089e0c5a3d5377e9bd19c0557ef04e

    SHA1

    9402e326be3d240e234c06892b15c24e93c93eb8

    SHA256

    d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

    SHA512

    942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

    Download Submit
  • C:\ProgramData\PMf26YKoN8aTolh\Files\_Info.txt
    Filesize

    8KB

    MD5

    c6ee6a7ab9b77686cf57fc7ae10a2ab4

    SHA1

    1574a197fd6149eb2f820d3d5dcaeaf48474a09b

    SHA256

    beccedef92c92e655d75f92219b3ef874771c8dfab95bc91b63e9608029d1e95

    SHA512

    2a6d57b2f58bbb70e37cafcde51612271afd90a621137fbd9b5e9f631797da5eb42d802a5a88611331ddd11e2eb50a3b5f8c29c43bf17eba9466f087ee47959f

    Download Submit
  • C:\ProgramData\PMf26YKoN8aTolh\Files\_Info.txt
    Filesize

    1KB

    MD5

    43f6639238e97b835e764817ed790622

    SHA1

    9a80abc9675eb78d9b22bdcd0cc73cf80fe112b0

    SHA256

    7430cddf0f439dcf6edbee18e9f1054166dda11445f9584dfc5ec93c0df93a53

    SHA512

    31a0795a4fc64a7bfd2559d440a298519c0a49d240698e089b336e9ebdd04d84391c6b6fa8ee99183dad9c99386071f2f2a09af0ed90b82f8dab98b43aabbaa8

    Download Submit
  • C:\ProgramData\PMf26YKoN8aTolh\Files\_Info.txt
    Filesize

    2KB

    MD5

    1ad7b2f4ca8d894965e4b34eac3cfb1d

    SHA1

    2d6c864e58e7b65cf57bcd67b4bb73af2927ca7d

    SHA256

    2d10704e5ba73a54c839359831bf113ec03ea99a6068a5a979e4e131470ad34e

    SHA512

    597c84cdb4fdccac7ffb26a29cceddd3c876cb2650c53eb9d9990e12fe805d36f2ab9e9640ada11e0bc1424cae27a3f5a9407da69d41de629acfec381bc5f963

    Download Submit
  • C:\ProgramData\PMf26YKoN8aTolh\Files\_Info.txt
    Filesize

    4KB

    MD5

    18676ac89d770d8f5a8fd0f710fe7e92

    SHA1

    0a782ed65c31c2390597b4cdab0dfccbac042f12

    SHA256

    eb8d4b2135c250d758348f1fd3a0b6da3c581b89c58322aa79b422daf947dfb5

    SHA512

    6cc904723faf4a0c6cd6d05f22a63cd89335f0c81883b272df1931f8fa8eba40b631dc3510e501509acee4f4a1a10140bbdf8572121d4052b467bc3e52383363

    Download Submit
  • C:\ProgramData\PMf26YKoN8aTolh\Files\_Screen.jpg
    Filesize

    51KB

    MD5

    5fa3528b745090b3112653f305c20823

    SHA1

    951b8a311ce3f01fcbb59fdf6ffde5dfe3a1b94f

    SHA256

    541b64894cd8061f5ac2857465fbd31dfb00c1bd79aa4fd1e3587cf2661542eb

    SHA512

    a2354c74cd4ced8a35907363d3e37dc2cb76fcc519b19f3650d7d9018efd0d793f705f3e9d70794c6c1083a823bd04ece0e993b388db33db2f9f8059e6e0c26f

    Download Submit
  • C:\ProgramData\PMf26YKoN8aTolh\MOZ_CO~1.DB
    Filesize

    96KB

    MD5

    d367ddfda80fdcf578726bc3b0bc3e3c

    SHA1

    23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

    SHA256

    0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

    SHA512

    40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

    Download Submit
  • C:\ProgramData\PMf26YKoN8aTolh\njDsWUBSG0R.zip
    Filesize

    47KB

    MD5

    dfc27f04441350c9458f7091522bd6f5

    SHA1

    fa4de3ae5d6e380dea4d6553a594a63416f9cad7

    SHA256

    875336205eb914a162e39ac4b58810568d5ad9d2dbee577fc898b83d725475ac

    SHA512

    73a1f965787eeac5432ca00a586e5bf8d6df2537a6ab5e801cc231d2e49762f22f1356c4fd340e0ac4a2d4c056de45ba3e10e0f3136a6a75db0fb03fb733e860

    Download Submit
  • memory/4116-154-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-165-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-17-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-16-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-5-0x0000000005070000-0x0000000005071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4116-6-0x0000000005080000-0x0000000005081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4116-151-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-7-0x0000000005010000-0x0000000005011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4116-0-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-155-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-157-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-159-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-163-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-20-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-168-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-171-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-175-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-177-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-180-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-184-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-186-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-189-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-192-0x0000000000A70000-0x0000000000FA7000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4116-10-0x0000000000A71000-0x0000000000AD0000-memory.dmp
    Filesize

    380KB

    Download
  • memory/4116-4-0x0000000005050000-0x0000000005051000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4116-1-0x00000000779B4000-0x00000000779B6000-memory.dmp
    Filesize

    8KB

    Download