Overview

overview

10

Static

static

7

66e4a87464...67.exe

windows7-x64

10

66e4a87464...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 13:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66e4a874645a4e5cffa45813dd5e6bc38dd218247ff784a0618a2d38bdb4a767.exe

  • Size

    2.7MB

  • MD5

    459b0f64c3cb635a03af588adcb98077

  • SHA1

    af3573b5a9ae95d061bb2c0f262a7759b6d8c309

  • SHA256

    66e4a874645a4e5cffa45813dd5e6bc38dd218247ff784a0618a2d38bdb4a767

  • SHA512

    17a53247ea4514c66abb01cecdc44919d768905df56eb6a15361b84c7ea07edc329f48b266406997b40e218cc28ad26b3d295eb55067aa92c3d85e4573b8457a

  • SSDEEP

    49152:wrIYJCr5CDFd4A53p7o6xPsvjV3AW94ltRH8I1zRp6z7R6N:wrzCrGFd44y6xPi53AWutF7A7E

Score
10/10
cryptbotdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

cryptbot

C2

kotbri22.top

moruzj02.top
Attributes
  • payload_url

    http://okavor03.top/download.php?file=acaboa.exe

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Cryptbot family
    cryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 20 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66e4a874645a4e5cffa45813dd5e6bc38dd218247ff784a0618a2d38bdb4a767.exe
    "C:\Users\Admin\AppData\Local\Temp\66e4a874645a4e5cffa45813dd5e6bc38dd218247ff784a0618a2d38bdb4a767.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2072

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tceYomsIDhUp\BVGbRJtsUjVtq.zip
    Filesize

    55KB

    MD5

    8563e4b4b11867a5f3d024ffc0ab09b4

    SHA1

    ad3b29480bb6c349343a8527d7d77c893570eded

    SHA256

    2171987758768ea37302c51a7b136884c45b248f1d01e85c19e8ecad22867a71

    SHA512

    3be255e9451dfd015e7094221aa2e276a0779509332739688fda2279e36240c2e986347b08b65417cb41475a432ab27a396c3b25c8eacd0797ab0c083ed66188

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tceYomsIDhUp\_Files\_Information.txt
    Filesize

    1KB

    MD5

    e5e2cc3786e76a550ded4a0aeb771849

    SHA1

    5de9ecce6e36f776b93eba7e46af68c6092ea6f1

    SHA256

    c56971f137c3d6c4c319129f502681e3483a4ba1c1c71108c22c51c8ce437a3b

    SHA512

    01cf9c58837acfefa43a6c69c3f45d4f2000111027e4e7409a3ed13c7a8307e5460eb9ec8b809befc6ed128b121fff560bb649fc71a0fd2a69bd0d7db02760d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tceYomsIDhUp\_Files\_Information.txt
    Filesize

    3KB

    MD5

    b1ee5df3901e5769df8408440abba28a

    SHA1

    caf0d7c307221f4ab5cd111c7a4bb704b97587bc

    SHA256

    2e7f561f53bc523dae8eb8426e5c35a03ad4a3b666a1498e4d99551f0b19b27c

    SHA512

    ac1cce3aa88d301bd26c200a5e03d300bfa5a94a90ac0dba5892da717c4208e255ca9102853cdb0c32dc5ac68407b9f47e6d02b14f7039a1e095b25d2c79e55f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tceYomsIDhUp\_Files\_Information.txt
    Filesize

    7KB

    MD5

    a360d575e69ee95090962be867801b40

    SHA1

    e895912a5440e346069df620d76c4c0a63667137

    SHA256

    a84b44970f1d4e065d8678e7faf21c2946151faf18bea9e798b38e77ca3741c9

    SHA512

    b9a7d1f50cf139637b45ee6fd46fc38a54a4d0b170c5dc9b2aacf7b6da6d77cd88039de29c562d74c49e05ef010700e1c3cf1b86fe6f2a5070f1574245b4429b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tceYomsIDhUp\_Files\_Screen_Desktop.jpeg
    Filesize

    53KB

    MD5

    3127055bab916bb36c1bbcdee8b84217

    SHA1

    e178110c530669445ed5bc2d15b8c74c9e93d57a

    SHA256

    e5bc4c142a8c3979e2d00c0c19c5e7dbaf90681dc29167c35e17353f3385bf10

    SHA512

    f619591a1c4d7974533d049a1ac702f869df1a2d6da0aa28c53e0d897d223cc5f6b99d2a84160111c54a08cab58809b0a6cf320f65b2c110e8ec12eeffc6a728

    Download Submit

  • memory/2072-136-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-146-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-4-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-5-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-2-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-3-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-132-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-0-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-1-0x0000000077A74000-0x0000000077A76000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2072-139-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-142-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-6-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-149-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-152-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-155-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-158-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-161-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-164-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-167-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-170-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2072-173-0x00000000004B0000-0x0000000000BA5000-memory.dmp

    Filesize

    7.0MB

    Download