Analysis

  • max time kernel
    94s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2024 01:01

General

  • Target

    3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe

  • Size

    7.6MB

  • MD5

    0a711206f96133c8d28cd99b5910d705

  • SHA1

    a100de5f4dc7a8faf50a5f6292f088c22e943303

  • SHA256

    3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46

  • SHA512

    03e63875a95e9d18d67635388611862a6694278038134a0e4ab8b23c43a41774b33f3dcc38181bd4af6491b66a7f91b478820b1bc7b14d31e42f20779b9a506a

  • SSDEEP

    49152:Kucd9+zV4r7CLX0vDLhfFoGiux88wMKowWrpAXa9UWsnmWPh/pU02KbbgcPyzJsL:KumEwCLofapuG8nKjGGXx/qKxyz2

Malware Config

Extracted

Family

cryptbot

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

  • Cryptbot family
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
    "C:\Users\Admin\AppData\Local\Temp\3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe"
    1⤵
    • Enumerates VirtualBox registry keys
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:3024
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 932
      2⤵
      • Program crash
      PID:4124
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3024 -ip 3024
    1⤵
      PID:2912

    Network

    • DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • DNS
      149.220.183.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      149.220.183.52.in-addr.arpa
      IN PTR
      Response
    • DNS
      httpbin.org
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      httpbin.org
      IN A
      Response
      httpbin.org
      IN A
      98.85.100.80
      httpbin.org
      IN A
      34.226.108.155
    • DNS
      httpbin.org
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      httpbin.org
      IN AAAA
      Response
    • DNS
      home.sevkx17vs.top
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      home.sevkx17vs.top
      IN A
      Response
    • DNS
      home.sevkx17vs.top
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      home.sevkx17vs.top
      IN AAAA
      Response
    • DNS
      73.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.144.22.2.in-addr.arpa
      IN PTR
      Response
      73.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-73.deploy.static.akamaitechnologies.com
    • DNS
      80.100.85.98.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      80.100.85.98.in-addr.arpa
      IN PTR
      Response
      80.100.85.98.in-addr.arpa
      IN PTR
      ec2-98-85-100-80.compute-1.amazonaws.com
    • DNS
      74.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      74.32.126.40.in-addr.arpa
      IN PTR
      Response
    • DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • DNS
      home.sevkx17vs.top
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      home.sevkx17vs.top
      IN A
      Response
    • DNS
      home.sevkx17vs.top
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      home.sevkx17vs.top
      IN AAAA
      Response
    • DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • DNS
      home.sevkx17vs.top
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      home.sevkx17vs.top
      IN A
      Response
    • DNS
      home.sevkx17vs.top
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      home.sevkx17vs.top
      IN AAAA
      Response
    • DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • DNS
      home.sevkx17vs.top
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      home.sevkx17vs.top
      IN A
      Response
    • DNS
      home.sevkx17vs.top
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      home.sevkx17vs.top
      IN AAAA
      Response
    • DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
    • DNS
      home.sevkx17vs.top
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      home.sevkx17vs.top
      IN A
      Response
    • DNS
      home.sevkx17vs.top
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      home.sevkx17vs.top
      IN AAAA
      Response
    • DNS
      home.sevkx17vs.top
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      home.sevkx17vs.top
      IN A
      Response
    • DNS
      home.sevkx17vs.top
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      Remote address:
      8.8.8.8:53
      Request
      home.sevkx17vs.top
      IN AAAA
      Response
    • DNS
      81.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      81.144.22.2.in-addr.arpa
      IN PTR
      Response
      81.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-81.deploy.static.akamaitechnologies.com
    • 98.85.100.80:443
      httpbin.org
      tls
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      1.5kB
      6.4kB
      14
      15
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      149.220.183.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      149.220.183.52.in-addr.arpa

    • 8.8.8.8:53
      httpbin.org
      dns
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      160 B
      250 B
      2
      2

      DNS Request

      httpbin.org

      DNS Request

      httpbin.org

      DNS Response

      98.85.100.80
      34.226.108.155

    • 8.8.8.8:53
      home.sevkx17vs.top
      dns
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      174 B
      290 B
      2
      2

      DNS Request

      home.sevkx17vs.top

      DNS Request

      home.sevkx17vs.top

    • 8.8.8.8:53
      73.144.22.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      73.144.22.2.in-addr.arpa

    • 8.8.8.8:53
      80.100.85.98.in-addr.arpa
      dns
      71 B
      125 B
      1
      1

      DNS Request

      80.100.85.98.in-addr.arpa

    • 8.8.8.8:53
      74.32.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      74.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      home.sevkx17vs.top
      dns
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      174 B
      290 B
      2
      2

      DNS Request

      home.sevkx17vs.top

      DNS Request

      home.sevkx17vs.top

    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      home.sevkx17vs.top
      dns
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      174 B
      290 B
      2
      2

      DNS Request

      home.sevkx17vs.top

      DNS Request

      home.sevkx17vs.top

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      home.sevkx17vs.top
      dns
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      174 B
      290 B
      2
      2

      DNS Request

      home.sevkx17vs.top

      DNS Request

      home.sevkx17vs.top

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      148 B
      128 B
      2
      1

      DNS Request

      172.214.232.199.in-addr.arpa

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      home.sevkx17vs.top
      dns
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      174 B
      290 B
      2
      2

      DNS Request

      home.sevkx17vs.top

      DNS Request

      home.sevkx17vs.top

    • 8.8.8.8:53
      home.sevkx17vs.top
      dns
      3e8ce55b21c44c397fe6080de6dec506f468c011c05808a72e8d8a64af090a46.exe
      174 B
      290 B
      2
      2

      DNS Request

      home.sevkx17vs.top

      DNS Request

      home.sevkx17vs.top

    • 8.8.8.8:53
      81.144.22.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      81.144.22.2.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/3024-0-0x00000000001E0000-0x000000000098F000-memory.dmp

      Filesize

      7.7MB

    • memory/3024-3-0x00000000001E0000-0x000000000098F000-memory.dmp

      Filesize

      7.7MB
