Analysis

  • max time kernel: 94s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20-11-2024 20:30

General

  • Target: f667ab33b49d8b8389e116a05849032cc2e78a7578b12cdd07ed89a931c3c464.exe
  • Size: 6.3MB
  • MD5: 94ae98d3e8368e90f7777ee3df51da77
  • SHA1: 513b8681ac6088324731af512cb44ea49d223d27
  • SHA256: f667ab33b49d8b8389e116a05849032cc2e78a7578b12cdd07ed89a931c3c464
  • SHA512: 945d77ed3e8aa250025b5d04ec60d06163c2556c0453d6c81af06031a1fd053c6cdc272bcfff71c0405375d669759b7e076122e490d5ad8c3fda7bfee9198f7c
  • SSDEEP: 196608:BH6U57641LiUDQVnzWG/VsqUaJlReG73o:F5+7UDc9ZE

Malware Config

Extracted

  • Family: cryptbot
  • C2: http://ivyzhi22.top/gate.php
  • Attributes
    • payload_url: http://womozi02.top/agnize.dat

Signatures

  • CryptBot

    CryptBot is a C++ stealer that is widely distributed bundled with other software.

  • Cryptbot family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f667ab33b49d8b8389e116a05849032cc2e78a7578b12cdd07ed89a931c3c464.exe
    "C:\Users\Admin\AppData\Local\Temp\f667ab33b49d8b8389e116a05849032cc2e78a7578b12cdd07ed89a931c3c464.exe"
    1⤵
    • Checks computer location settings
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\f667ab33b49d8b8389e116a05849032cc2e78a7578b12cdd07ed89a931c3c464.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\timeout.exe
        timeout -t 5
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:1360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\C5C7.tmp
    Filesize: 32B
    MD5: 39b6370997409b97ddc041e443c9ceef
    SHA1: 30c7aea10e33fd73307970f46dca78263fb7de5f
    SHA256: 63af70ff74d466e63001c800c82449c93bcf08a2c240587330066980be948c40
    SHA512: 5a3947786060ad7aeb5f8ee7bccdc6eccf48e73a9f0499712c074cda78c0800207aee264e94878033c23f8fb2bb349af307084c8dd57ef4b9d394b06c484550f

  • C:\Users\Admin\AppData\Local\Temp\C6D4.tmp
    Filesize: 116KB
    MD5: a0b00443f5a134c95ca43dc41e6dd095
    SHA1: 3f734b453265ecacf1f661ba4843e3f3f739225b
    SHA256: 0b66864d5e1709fd9163da7627a422a43856e8b3251dc571df9f6a3993947b7e
    SHA512: 8460158d0d0220aef1ccb1c68f956bbc82734bdb959b620fe38375526890a7f3c8a92777fdcfc1a40e1101209820e01d344b89348227bea16d10e9ae1af73f7f

  • C:\Users\Admin\AppData\Local\Temp\CC3F.tmp
    Filesize: 8KB
    MD5: 7520956b737e2ddcbbf4585661df8657
    SHA1: b04b79181f63f6bef16a09c0ddcb00cef50ca9d4
    SHA256: a921e2dbabd5d15f0080ea3517db28e1599c2cd1de4559f567f285cc463741f4
    SHA512: 44f5bb4bb4eb1d2736f3c32bf067d708de1c9d01f2d5506d5c80a98a1632de8897d58ccb7166d15f720d63b56d3e9bdea0ac6fa5c9f1fef74f52e3a241b6b3ad

  • memory/2440-2-0x0000000000400000-0x0000000000E16000-memory.dmp (Filesize: 10.1MB)
  • memory/2440-1-0x0000000000FC0000-0x0000000000FC1000-memory.dmp (Filesize: 4KB)
  • memory/2440-0-0x00000000004B6000-0x00000000007C3000-memory.dmp (Filesize: 3.1MB)
  • memory/2440-5-0x0000000000400000-0x0000000000E16000-memory.dmp (Filesize: 10.1MB)
  • memory/2440-111-0x00000000004B6000-0x00000000007C3000-memory.dmp (Filesize: 3.1MB)
  • memory/2440-112-0x0000000000400000-0x0000000000E16000-memory.dmp (Filesize: 10.1MB)
  • memory/2440-113-0x0000000000400000-0x0000000000E16000-memory.dmp (Filesize: 10.1MB)
  • memory/2440-114-0x00000000004B6000-0x00000000007C3000-memory.dmp (Filesize: 3.1MB)