Overview
overview
7Static
static
3HSBC_UKToo....6.exe
windows10-1703-x64
6$PLUGINSDI...ns.dll
windows10-1703-x64
3$PLUGINSDI...LL.dll
windows10-1703-x64
3$PLUGINSDI...em.dll
windows10-1703-x64
3$PLUGINSDI...al.ini
windows10-1703-x64
1$PLUGINSDI...rd.bmp
windows10-1703-x64
4$SYSDIR/CF...SP.dll
windows10-1703-x64
3$SYSDIR/CF...PI.dll
windows10-1703-x64
1$SYSDIR/CF...IB.dll
windows10-1703-x64
3$SYSDIR/CF...11.dll
windows10-1703-x64
1$SYSDIR/CF...RV.exe
windows10-1703-x64
1$SYSDIR/CF...sp.dll
windows10-1703-x64
1$SYSDIR/CF...sp.sig
windows10-1703-x64
3$SYSDIR/Cr...BC.exe
windows10-1703-x64
7$PLUGINSDI...em.dll
windows10-1703-x64
3$SYSDIR/Cr...64.dll
windows10-1703-x64
7$SYSDIR/Cr...86.dll
windows10-1703-x64
1$SYSDIR/np...86.dll
windows10-1703-x64
3CryptoKitH...86.exe
windows10-1703-x64
1com.cfca.C...x.json
windows10-1703-x64
3com.cfca.C...n.json
windows10-1703-x64
3uninst.exe.nsis
windows10-1703-x64
3HSBC_UKeyTool.exe
windows10-1703-x64
1Analysis
-
max time kernel
514s -
max time network
516s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
30/05/2024, 09:46
Static task
static1
Behavioral task
behavioral1
Sample
HSBC_UKToolv1.0.0.6.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/ioSpecial.ini
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/modern-wizard.bmp
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
$SYSDIR/CFCA_HSBC_CSP.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral8
Sample
$SYSDIR/CFCA_HSBC_GMAPI.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral9
Sample
$SYSDIR/CFCA_HSBC_LIB.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral10
Sample
$SYSDIR/CFCA_HSBC_P11.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
$SYSDIR/CFCA_HSBC_SRV.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral12
Sample
$SYSDIR/CFCA_HSBC_scsp.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral13
Sample
$SYSDIR/CFCA_HSBC_scsp.sig
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral14
Sample
$SYSDIR/CryptoKit.HSBC.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral15
Sample
$PLUGINSDIR/System.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral16
Sample
$SYSDIR/CryptoKit.HSBC.x64.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral17
Sample
$SYSDIR/CryptoKit.HSBC.x86.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral18
Sample
$SYSDIR/npCryptoKit.HSBC.x86.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral19
Sample
CryptoKitHost.HSBC.x86.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral20
Sample
com.cfca.CryptoKitHost.HSBC-firefox.json
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral21
Sample
com.cfca.CryptoKitHost.HSBC-win.json
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral22
Sample
uninst.exe.nsis
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral23
Sample
HSBC_UKeyTool.exe
Resource
win10-20240404-en
windows10-1703-x64
General
-
Target
$SYSDIR/CryptoKit.HSBC.x86.dll
-
Size
1.0MB
-
MD5
d6093ec468e383c616154ec1c92e3f53
-
SHA1
9dd2406105c67f86085c9a82475c1e903690dc81
-
SHA256
fa69867c017873a36f500ff84dddde62439e3960dfae7d30b4038a4b56e834b2
-
SHA512
10ab0650d7e8e294cb6d4b7a7ff3e6e2ea4f1893be32eb00bd5db4bee0b2e6b51dab50e0f66500bf5602f1eec3abc236b3492cec97afa67470928d6260676e89
-
SSDEEP
24576:59imEEBDlFxRvhxB3srzAzj2ByAEmXsa+:59ijgfHBGzs2oAEosj
Malware Config
Signatures
-
Modifies registry class 46 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib\ = "{772C831A-5AB0-4E66-A03D-1174F8690D40}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib\ = "{772C831A-5AB0-4E66-A03D-1174F8690D40}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\ = "CryptoAgent Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ = "ICryptoAgent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\ProgID\ = "CryptoKit.CryptoAgent.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\CryptoKit.HSBC.x86.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\VersionIndependentProgID\ = "CryptoKit.CryptoAgent" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\ = "CryptoKit.HSBC.x86 3.0 Type Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\CLSID\ = "{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ = "ICryptoAgent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\CryptoKit.HSBC.x86.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CurVer\ = "CryptoKit.CryptoAgent.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\TypeLib\ = "{772C831A-5AB0-4E66-A03D-1174F8690D40}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\ = "CryptoAgent Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CLSID\ = "{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\ = "CryptoAgent Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\ProgID regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4144 wrote to memory of 4808 4144 regsvr32.exe 74 PID 4144 wrote to memory of 4808 4144 regsvr32.exe 74 PID 4144 wrote to memory of 4808 4144 regsvr32.exe 74