Overview

overview

10

Static

static

1

32_64_ver_1_bit.exe

windows7-x64

10

32_64_ver_1_bit.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2024, 15:04

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    32_64_ver_1_bit.exe

  • Size

    1.8MB

  • MD5

    cf79a81627e7b71ca9bdd33ba812b7a0

  • SHA1

    26c35564bde9adcc2c56d062fce809ee2b4ee82d

  • SHA256

    607d4323ec499f3d2d39f10ce3e539442c2c8959be41afe20d6a2a68b5406f8b

  • SHA512

    79b1a6429432e4b4860f3226cf892c14a77cc8c9b55b8d4990c43af8a4d9f8ef09dfa6a43e2f05671ea4dc20625ccd1a1d3507c227a49f35ef74df892fba9342

  • SSDEEP

    49152:P5+hFYPN3BwAALqBZ3mpkPGx6pMYLI1i+3gj:P5aFYtBHb5JPG0pMCMC

Score
10/10
cryptbotcredential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 3 IoCs
  • Cryptbot family
    cryptbot
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32_64_ver_1_bit.exe
    "C:\Users\Admin\AppData\Local\Temp\32_64_ver_1_bit.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo TvlxhcPW
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4752
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Scala.bin
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3640
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^UGUAzyVeUFVxwuQQxYTPPZLPHuxnJTHKMwKfMXhbVWVfsonCYVpiYXeUUtSjKbzqXlIZcAtvLcUTrvbmISmOKmLPZPcIywNbDVsiAnubQMvDepRbGzESXEdbnTqGyvdKIvdoydYpLwX$" Infine.xltm
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4964
        • C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
          Per.com Svelto.accdr
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3292
          • C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
            C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com Svelto.accdr
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious use of FindShellTrayWindow
            PID:1044
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 30
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2756

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\hkcyBgGqURST\_Files\_Information.txt
          Filesize

          1KB

          MD5

          058394286c43a5596ec32183b9cab828

          SHA1

          fbc3f0dd379759d96a2523591132e88a979dc0ee

          SHA256

          d4c2ba345acbb58e1f78a014451b9e8af523f4c0bb0024013cb382a285508c17

          SHA512

          3d535475c84cd1a81710ae7024b03ca73562b994f6159a05684c646d04413de6493eea6f116c163f39e72d6f4ebf19f9e4c662283ade942139ca8feefe635a5e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\hkcyBgGqURST\_Files\_Information.txt
          Filesize

          4KB

          MD5

          e6a744744844299a306bf275466f382b

          SHA1

          86b7113d0903caffcc710a54cf21cad03f5aec54

          SHA256

          490a5d42445ec7aa2fcfb15b9a2a4555c506bf364bdb371038451b032f9fa4ac

          SHA512

          1792409741412d7537b1aa5d8b247e6d463cd5a4cfd4eef4a8d976ea2ca98ae4e85e2403fc0e7bfdac4619a5581a425acc382b7508e834282168920cbb1e6e72

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\hkcyBgGqURST\_Files\_Screen_Desktop.jpeg
          Filesize

          50KB

          MD5

          43fb6cdedd9bcf443acd4b7080e971f0

          SHA1

          79e49233b2ea9b57cc66d25b6bc01d1e2f64354b

          SHA256

          ae738a6604990cd7b771aac066dca093dd0965299aaf393143ba1ecb1fbcc5fb

          SHA512

          e1b207d903616e41d6f3511b20245172c4575b984c3ef0f1ed1d5c35bd08457b60403ccaa435496201725d80f44906d3502e771c2a9ff953d7cad63e09556705

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\hkcyBgGqURST\files_\system_info.txt
          Filesize

          7KB

          MD5

          f5e46d55c622d90a8605a15859c3507b

          SHA1

          c25d5284693a8c5e45d53e353f3e6504eaa3005a

          SHA256

          8669c5c32dd3500d57bd01f4a60bf47b8e79e23bd22733571c619f5988e67ff1

          SHA512

          cfc028fc4a281eae1a6b50256960903f6ddb431508d2a2dd887f5a851c3be2bc070480c8c3756537d5a4002d96bb7c166ad2c161d1e605d8217310f91246b9d0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\hkcyBgGqURST\heCprZYGsspAr.zip
          Filesize

          45KB

          MD5

          927fafdfd959178b191e8833d3761d55

          SHA1

          23c6fa5398fdaa22f2f295abac705fc49efea1b3

          SHA256

          5944b97b11b04725619dc8bd68548f1be2c828c256a540fcbf0769a6562a6b37

          SHA512

          636bef10fa78ec92aae8cb1f9927212d217dd469504b5e5c0fe9cec30d585531d1aafe43f058187bc3ca63e0cc9e6c4cfeb239d07c7bcb6161155f59d1837628

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Infine.xltm
          Filesize

          921KB

          MD5

          e92c98933cb8a69f4270762f59f72f8d

          SHA1

          bbd1cd46209a4c42c5de13ac32c46ec2818b4eb0

          SHA256

          ca6f3d6fdc14ea694a2a010c8f2596cb9b99251d5e4ccd85386be58d39309bba

          SHA512

          1893cf45da05f56ed2f627d61189e4bd9fc179512b9d6fe315c3967b083447fb46775846c1cfe8d38bff4a2326f2323f7b757a2389dd04162d7ebf1181ba1c3a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
          Filesize

          921KB

          MD5

          78ba0653a340bac5ff152b21a83626cc

          SHA1

          b12da9cb5d024555405040e65ad89d16ae749502

          SHA256

          05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

          SHA512

          efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Saluta.potm
          Filesize

          888KB

          MD5

          94957cd5084b8a109eb5bc6b9889dc70

          SHA1

          bbaae28333a3871ce9aed0d0463cdd738624a9cd

          SHA256

          9855686bf0c7ad2d5cb8828ff2a4feae9a6d4bc6c21be391e51b96ab942aa08d

          SHA512

          13344363c786e454046923285eb889399afd26ad1e74f8a762062fc8c400f7f05a04e1bc593e08850d9226bca9ea67453065e9f12ae83acfd4cd6dc6a8126d07

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Scala.bin
          Filesize

          105KB

          MD5

          45c3b50fd2d0a49dbc60cd84e7625234

          SHA1

          3e95f809cd6cfa8c1dfe1ed8b3a61038d579e04c

          SHA256

          e9d23eea77b153d824699bcd00dde8ad297e97bb17b8ea4eccc23c4d5717f804

          SHA512

          87acd56e8a981ebfe49abe0eb4e4b9ed5768cb7fea080b65428e5dca9cbe5faaffad87aa5a24c74fd30a28be7ebf30f7f098c34e1ba99aa475269d9f88baf195

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Svelto.accdr
          Filesize

          615KB

          MD5

          7e6ab0703aa2bc01af332f11553bd583

          SHA1

          b5bf5e9f2467b4fd2ec4511a6f7856a3a0565182

          SHA256

          e1ab0437119b2b4e51f7cb068ee3a15ccc81b8aa00ea39f9e24b420859fab05a

          SHA512

          6313f5daf8559cad6734cd80d9be17d8c99608ac8e9086b51883f31b1d0d883c16c96cd120ba8c39afbe55fc7136d042b6452607114c8d6e4587020bddaa4c8f

          Download Submit

        • memory/1044-23-0x0000000000990000-0x0000000000A73000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1044-24-0x0000000000990000-0x0000000000A73000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1044-25-0x0000000000990000-0x0000000000A73000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1044-22-0x0000000000990000-0x0000000000A73000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1044-21-0x0000000000990000-0x0000000000A73000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1044-20-0x0000000000990000-0x0000000000A73000-memory.dmp

          Filesize

          908KB

          Download