Overview

overview

10

Static

static

7

66e4a87464...67.exe

windows7-x64

10

66e4a87464...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2024 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66e4a874645a4e5cffa45813dd5e6bc38dd218247ff784a0618a2d38bdb4a767.exe

  • Size

    2.7MB

  • MD5

    459b0f64c3cb635a03af588adcb98077

  • SHA1

    af3573b5a9ae95d061bb2c0f262a7759b6d8c309

  • SHA256

    66e4a874645a4e5cffa45813dd5e6bc38dd218247ff784a0618a2d38bdb4a767

  • SHA512

    17a53247ea4514c66abb01cecdc44919d768905df56eb6a15361b84c7ea07edc329f48b266406997b40e218cc28ad26b3d295eb55067aa92c3d85e4573b8457a

  • SSDEEP

    49152:wrIYJCr5CDFd4A53p7o6xPsvjV3AW94ltRH8I1zRp6z7R6N:wrzCrGFd44y6xPi53AWutF7A7E

Score
10/10
cryptbotdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

cryptbot

C2

kotbri22.top

moruzj02.top
Attributes
  • payload_url

    http://okavor03.top/download.php?file=acaboa.exe

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Cryptbot family
    cryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 20 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66e4a874645a4e5cffa45813dd5e6bc38dd218247ff784a0618a2d38bdb4a767.exe
    "C:\Users\Admin\AppData\Local\Temp\66e4a874645a4e5cffa45813dd5e6bc38dd218247ff784a0618a2d38bdb4a767.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pqwmjoqpNGsvT\JWnDROZkmuai.zip
    Filesize

    60KB

    MD5

    9b5c6848ba48fa74a3ba5476808359ee

    SHA1

    0c902adb560cbaf9c390d4c677b9ebcf59b5e1be

    SHA256

    494f6a261520902bfc47e415d555a392eb3f289570e2e8f1f7c6153ac5bf5821

    SHA512

    fd3a9a7dc3ac7cee2f85b38742ad094605bab9e8dcd2577047a94a06f30cbe912cfc4ec76eb83361f28a41df36965f47421c1692c513d46d028e6478e1f51320

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pqwmjoqpNGsvT\_Files\_Information.txt
    Filesize

    2KB

    MD5

    9b49549ef2a13a7dca2abdeef7864f43

    SHA1

    dadc158c45cf593470caef97f7e4d7b49dc507d1

    SHA256

    9d20fd59a17d8cabd3dc600fb9e953e8d9dc9ccabea70580746d67cfb4009201

    SHA512

    db1bbecc3b36f7e022e37204320965db94f6e9135ce52bde4858c10ed7eaf02c90c65a6f8c58ebcd459dd236b6495e5f4c5a4effb920a85506306ea3b84c5561

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pqwmjoqpNGsvT\_Files\_Information.txt
    Filesize

    5KB

    MD5

    ba03d570ead9127cb007c5c88abcbbfa

    SHA1

    1abb4d2389604e59599cd1753b8e82ac8319a9a8

    SHA256

    c55f478e47ef2ada2d0c32fd95e06d06f7abb978ed570624288f882a86f82565

    SHA512

    1073e02bf4c5b34102313d50d6da123291f069417c9cdc7d3b2bd84225e4b5333f81ce5f09922e0571dce1ee58665d03037e043e7e70b0f2674088de5aabe0eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pqwmjoqpNGsvT\_Files\_Screen_Desktop.jpeg
    Filesize

    57KB

    MD5

    5ec8cf4b32196cb0865c59b050b19926

    SHA1

    d0d5e345860ba9577a0604134b0899e28fb49643

    SHA256

    dcad77bf5d85f7a13eb8165deb5c3a2ed6376197eccc7e3e63bc4f4c348d2031

    SHA512

    296705bf2749856b437c7f632c005c5215e56125ff66ffc6fc20027735c8b89f1e0ea9ceef54d651f0ddd5be6723efcec5133429b55bfb8e9a3a962efc52f0d3

    Download Submit

  • memory/2652-6-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-145-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-0-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-5-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-2-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-3-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-132-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-136-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-1-0x0000000077364000-0x0000000077366000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2652-139-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-142-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-4-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-148-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-152-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-155-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-157-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-160-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-164-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-167-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-169-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2652-173-0x0000000000630000-0x0000000000D25000-memory.dmp

    Filesize

    7.0MB

    Download