Analysis

  • max time kernel
    92s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 03:13

General

  • Target

    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe

  • Size

    4.3MB

  • MD5

    67844ee11cdf53db1185db90d33cf907

  • SHA1

    33dc77a1ae23d6a5bc0da0429ad3f0f855c8d4d9

  • SHA256

    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09

  • SHA512

    f317adaa600efbe4db4fc630a8d971328b40e44c6b94fdc5bc8aafcf1ad47626a94db815dbf62e655de4600ba4b89651ad76ff7df71ec39543ca301f94524a76

  • SSDEEP

    98304:OYexTGTTGbdZZElFJWR3a+zn3kMkslFzf1n5MFJW43R8:WMTcdEs9VRnM3WYO

Malware Config

Extracted

Family

cryptbot

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

  • Cryptbot family
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    "C:\Users\Admin\AppData\Local\Temp\f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe"
    1⤵
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:220

Network

  • flag-us
    DNS
    httpbin.org
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    Remote address:
    8.8.8.8:53
    Request
    httpbin.org
    IN A
    Response
  • flag-us
    DNS
    httpbin.org
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    Remote address:
    8.8.8.8:53
    Request
    httpbin.org
    IN AAAA
    Response
    httpbin.org
    IN A
    98.85.100.80
    httpbin.org
    IN A
    34.226.108.155
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    80.100.85.98.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    80.100.85.98.in-addr.arpa
    IN PTR
    Response
    80.100.85.98.in-addr.arpa
    IN PTR
    ec2-98-85-100-80 compute-1 amazonawscom
  • flag-us
    DNS
    home.twentytk20pn.top
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    Remote address:
    8.8.8.8:53
    Request
    home.twentytk20pn.top
    IN A
    Response
  • flag-us
    DNS
    home.twentytk20pn.top
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    Remote address:
    8.8.8.8:53
    Request
    home.twentytk20pn.top
    IN AAAA
    Response
    home.twentytk20pn.top
    IN A
    147.45.113.159
  • flag-ru
    POST
    http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    Remote address:
    147.45.113.159:80
    Request
    POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1
    Host: home.twentytk20pn.top
    Accept: */*
    Content-Type: application/json
    Content-Length: 481042
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.22.1
    Date: Sat, 21 Dec 2024 03:13:52 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 1
    Connection: close
  • flag-us
    DNS
    159.113.45.147.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    159.113.45.147.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    home.twentytk20pn.top
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    Remote address:
    8.8.8.8:53
    Request
    home.twentytk20pn.top
    IN A
    Response
    home.twentytk20pn.top
    IN A
    147.45.113.159
  • flag-us
    DNS
    home.twentytk20pn.top
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    Remote address:
    8.8.8.8:53
    Request
    home.twentytk20pn.top
    IN AAAA
    Response
  • flag-ru
    GET
    http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=0
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    Remote address:
    147.45.113.159:80
    Request
    GET /WEIsmPfDcpBFJozngnYN1734366322?argument=0 HTTP/1.1
    Host: home.twentytk20pn.top
    Accept: */*
    Response
    HTTP/1.1 404 NOT FOUND
    Server: nginx/1.22.1
    Date: Sat, 21 Dec 2024 03:13:53 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 207
    Connection: close
  • flag-us
    DNS
    home.twentytk20pn.top
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    Remote address:
    8.8.8.8:53
    Request
    home.twentytk20pn.top
    IN A
    Response
    home.twentytk20pn.top
    IN A
    147.45.113.159
  • flag-us
    DNS
    home.twentytk20pn.top
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    Remote address:
    8.8.8.8:53
    Request
    home.twentytk20pn.top
    IN AAAA
    Response
  • flag-ru
    POST
    http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    Remote address:
    147.45.113.159:80
    Request
    POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1
    Host: home.twentytk20pn.top
    Accept: */*
    Content-Type: application/json
    Content-Length: 31
    Response
    HTTP/1.1 404 NOT FOUND
    Server: nginx/1.22.1
    Date: Sat, 21 Dec 2024 03:13:53 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 207
    Connection: close
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 98.85.100.80:443
    httpbin.org
    tls
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    1.5kB
    6.4kB
    14
    15
  • 147.45.113.159:80
    http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
    http
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    495.7kB
    13.5kB
    363
    334

    HTTP Request

    POST http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322

    HTTP Response

    200
  • 147.45.113.159:80
    http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=0
    http
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    331 B
    544 B
    5
    4

    HTTP Request

    GET http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=0

    HTTP Response

    404
  • 147.45.113.159:80
    http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
    http
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    404 B
    544 B
    5
    4

    HTTP Request

    POST http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322

    HTTP Response

    404
  • 8.8.8.8:53
    httpbin.org
    dns
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    160 B
    250 B
    2
    2

    DNS Request

    httpbin.org

    DNS Request

    httpbin.org

    DNS Response

    98.85.100.80
    34.226.108.155

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    80.100.85.98.in-addr.arpa
    dns
    71 B
    125 B
    1
    1

    DNS Request

    80.100.85.98.in-addr.arpa

  • 8.8.8.8:53
    home.twentytk20pn.top
    dns
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    180 B
    232 B
    2
    2

    DNS Request

    home.twentytk20pn.top

    DNS Request

    home.twentytk20pn.top

    DNS Response

    147.45.113.159

  • 8.8.8.8:53
    159.113.45.147.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    159.113.45.147.in-addr.arpa

  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    75.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    home.twentytk20pn.top
    dns
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    180 B
    232 B
    2
    2

    DNS Request

    home.twentytk20pn.top

    DNS Request

    home.twentytk20pn.top

    DNS Response

    147.45.113.159

  • 8.8.8.8:53
    home.twentytk20pn.top
    dns
    f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
    180 B
    232 B
    2
    2

    DNS Request

    home.twentytk20pn.top

    DNS Request

    home.twentytk20pn.top

    DNS Response

    147.45.113.159

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/220-0-0x00000000000E0000-0x0000000000C6D000-memory.dmp

    Filesize

    11.6MB

  • memory/220-1-0x0000000077134000-0x0000000077136000-memory.dmp

    Filesize

    8KB

  • memory/220-2-0x00000000000E1000-0x0000000000365000-memory.dmp

    Filesize

    2.5MB

  • memory/220-3-0x00000000000E0000-0x0000000000C6D000-memory.dmp

    Filesize

    11.6MB

  • memory/220-4-0x00000000000E0000-0x0000000000C6D000-memory.dmp

    Filesize

    11.6MB

  • memory/220-5-0x00000000000E0000-0x0000000000C6D000-memory.dmp

    Filesize

    11.6MB

  • memory/220-6-0x00000000000E0000-0x0000000000C6D000-memory.dmp

    Filesize

    11.6MB

  • memory/220-7-0x00000000000E0000-0x0000000000C6D000-memory.dmp

    Filesize

    11.6MB

  • memory/220-8-0x00000000000E0000-0x0000000000C6D000-memory.dmp

    Filesize

    11.6MB

  • memory/220-9-0x00000000000E0000-0x0000000000C6D000-memory.dmp

    Filesize

    11.6MB

  • memory/220-10-0x00000000000E0000-0x0000000000C6D000-memory.dmp

    Filesize

    11.6MB

  • memory/220-11-0x00000000000E0000-0x0000000000C6D000-memory.dmp

    Filesize

    11.6MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.