Analysis
-
max time kernel
93s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28-12-2024 09:10
Static task
static1
Behavioral task
behavioral1
Sample
c0fa3c59100f35ac8fcf45e2905bb274.exe
Resource
win7-20240729-en
General
-
Target
c0fa3c59100f35ac8fcf45e2905bb274.exe
-
Size
4.2MB
-
MD5
c0fa3c59100f35ac8fcf45e2905bb274
-
SHA1
68511f15f8853e9c386943f9fb8bf82eb78d7b82
-
SHA256
2d55c0295fd39fac3023f8a1e23a77dc5c5e9894cac08430a67151bc04b31151
-
SHA512
349bb282594df0e21b67a287d484227e35a33da6fc8efe135ce83c97df3f1b9cfa693f23228a6a37ab2cc0971e02aef874847bd8817817f3891a271673f7d43a
-
SSDEEP
98304:jQTr76WfxhRVDZZMj2rT+BwXaUPSIFIQZ24HKSi4W2yprOT:O6KxhpZMj2rJNSIaQk4H1W2e
Malware Config
Extracted
cryptbot
Signatures
-
Cryptbot family
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF c0fa3c59100f35ac8fcf45e2905bb274.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c0fa3c59100f35ac8fcf45e2905bb274.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c0fa3c59100f35ac8fcf45e2905bb274.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c0fa3c59100f35ac8fcf45e2905bb274.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine c0fa3c59100f35ac8fcf45e2905bb274.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1468 c0fa3c59100f35ac8fcf45e2905bb274.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c0fa3c59100f35ac8fcf45e2905bb274.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1468 c0fa3c59100f35ac8fcf45e2905bb274.exe 1468 c0fa3c59100f35ac8fcf45e2905bb274.exe 1468 c0fa3c59100f35ac8fcf45e2905bb274.exe 1468 c0fa3c59100f35ac8fcf45e2905bb274.exe 1468 c0fa3c59100f35ac8fcf45e2905bb274.exe 1468 c0fa3c59100f35ac8fcf45e2905bb274.exe 1468 c0fa3c59100f35ac8fcf45e2905bb274.exe 1468 c0fa3c59100f35ac8fcf45e2905bb274.exe 1468 c0fa3c59100f35ac8fcf45e2905bb274.exe 1468 c0fa3c59100f35ac8fcf45e2905bb274.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0fa3c59100f35ac8fcf45e2905bb274.exe"C:\Users\Admin\AppData\Local\Temp\c0fa3c59100f35ac8fcf45e2905bb274.exe"1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1468
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Requesthttpbin.orgIN AResponse
-
Remote address:8.8.8.8:53Requesthttpbin.orgIN AAAAResponsehttpbin.orgIN A3.218.7.103httpbin.orgIN A34.226.108.155
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request103.7.218.3.in-addr.arpaIN PTRResponse103.7.218.3.in-addr.arpaIN PTRec2-3-218-7-103 compute-1 amazonawscom
-
Remote address:8.8.8.8:53Request74.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesthome.fiveth5ht.topIN AResponsehome.fiveth5ht.topIN A81.29.149.125
-
Remote address:8.8.8.8:53Requesthome.fiveth5ht.topIN AAAAResponse
-
Remote address:81.29.149.125:80RequestPOST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
Host: home.fiveth5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 439593
ResponseHTTP/1.0 503 Service Unavailable
Connection: close
Content-Type: text/html
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request125.149.29.81.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesthome.fiveth5ht.topIN AResponsehome.fiveth5ht.topIN A81.29.149.125
-
Remote address:8.8.8.8:53Requesthome.fiveth5ht.topIN AAAAResponse
-
Remote address:81.29.149.125:80RequestPOST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
Host: home.fiveth5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 439593
ResponseHTTP/1.0 503 Service Unavailable
Connection: close
Content-Type: text/html
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request212.20.149.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request107.12.20.2.in-addr.arpaIN PTRResponse107.12.20.2.in-addr.arpaIN PTRa2-20-12-107deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requesthome.fiveth5ht.topIN AResponsehome.fiveth5ht.topIN A81.29.149.125
-
Remote address:8.8.8.8:53Requesthome.fiveth5ht.topIN AAAAResponse
-
Remote address:81.29.149.125:80RequestPOST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
Host: home.fiveth5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 256
ResponseHTTP/1.0 503 Service Unavailable
Connection: close
Content-Type: text/html
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse
-
1.6kB 6.5kB 15 16
-
81.29.149.125:80http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862httpc0fa3c59100f35ac8fcf45e2905bb274.exe22.5kB 904 B 19 17
HTTP Request
POST http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862HTTP Response
503 -
81.29.149.125:80http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862httpc0fa3c59100f35ac8fcf45e2905bb274.exe19.7kB 664 B 17 11
HTTP Request
POST http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862HTTP Response
503 -
81.29.149.125:80http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862httpc0fa3c59100f35ac8fcf45e2905bb274.exe627 B 344 B 5 3
HTTP Request
POST http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862HTTP Response
503
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
160 B 250 B 2 2
DNS Request
httpbin.org
DNS Request
httpbin.org
DNS Response
3.218.7.10334.226.108.155
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
70 B 123 B 1 1
DNS Request
103.7.218.3.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
74.32.126.40.in-addr.arpa
-
174 B 226 B 2 2
DNS Request
home.fiveth5ht.top
DNS Request
home.fiveth5ht.top
DNS Response
81.29.149.125
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
125.149.29.81.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
174 B 226 B 2 2
DNS Request
home.fiveth5ht.top
DNS Request
home.fiveth5ht.top
DNS Response
81.29.149.125
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
212.20.149.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
107.12.20.2.in-addr.arpa
-
174 B 226 B 2 2
DNS Request
home.fiveth5ht.top
DNS Request
home.fiveth5ht.top
DNS Response
81.29.149.125
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa