Analysis

  • max time kernel
    15s
  • max time network
    17s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250217-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    02/03/2025, 01:17 UTC

General

  • Target

    random (2).exe

  • Size

    6.3MB

  • MD5

    4ae8af6fba92e19af09d19070b33c7c2

  • SHA1

    a72132f73981dcacfa2d322176121152a880ef19

  • SHA256

    cf284105b76caf1f2f775de2207e9743ca4a479924b06b0ab3a41251104953f3

  • SHA512

    a0be0da126a2f67741448303ff22a0cd0c92cd9a19ff7e9f03bceec3320eebe7ea7d31f76a52b399a1c83dd975cd3da2111258cc42dd04bb578ed70651f5fe53

  • SSDEEP

    98304:hjQBHwSW6RBfuVbx3/4pIrZC5EimIfFUsidrV2XJsNf7tnMhXWKsTA0KIY9E:hcBHwSwVmpaZP/ItSHKsTAQY9

Malware Config

Extracted

Family

cryptbot

C2

http://home.fivenn5sr.top/DoDOGDWnPbpMwhmjDvNk17

Signatures

  • CryptBot

    CryptBot is a C++ stealer that is widely distributed bundled with other software.

  • Cryptbot family
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\random (2).exe
    "C:\Users\Admin\AppData\Local\Temp\random (2).exe"
    1⤵
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4036

Network

  • flag-us
    DNS
    httpbin.org
    random (2).exe
    Remote address:
    8.8.8.8:53
    Request
    httpbin.org
    IN A
    Response
    httpbin.org
    IN A
    44.217.196.51
    httpbin.org
    IN A
    3.210.109.241
  • flag-us
    DNS
    httpbin.org
    random (2).exe
    Remote address:
    8.8.8.8:53
    Request
    httpbin.org
    IN AAAA
    Response
  • flag-us
    DNS
    home.fivenn5sr.top
    random (2).exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivenn5sr.top
    IN A
    Response
  • flag-us
    DNS
    home.fivenn5sr.top
    random (2).exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivenn5sr.top
    IN AAAA
    Response
  • flag-us
    DNS
    home.fivenn5sr.top
    random (2).exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivenn5sr.top
    IN A
    Response
  • flag-us
    DNS
    home.fivenn5sr.top
    random (2).exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivenn5sr.top
    IN AAAA
    Response
  • 44.217.196.51:443
    httpbin.org
    tls
    random (2).exe
    1.5kB
    6.5kB
    14
    16
  • 8.8.8.8:53
    httpbin.org
    dns
    random (2).exe
    160 B
    250 B
    2
    2

    DNS Request

    httpbin.org

    DNS Request

    httpbin.org

    DNS Response

    44.217.196.51
    3.210.109.241

  • 8.8.8.8:53
    home.fivenn5sr.top
    dns
    random (2).exe
    174 B
    290 B
    2
    2

    DNS Request

    home.fivenn5sr.top

    DNS Request

    home.fivenn5sr.top

  • 8.8.8.8:53
    home.fivenn5sr.top
    dns
    random (2).exe
    174 B
    290 B
    2
    2

    DNS Request

    home.fivenn5sr.top

    DNS Request

    home.fivenn5sr.top

MITRE ATT&CK Enterprise v15

Downloads

  • memory/4036-0-0x0000000000890000-0x0000000001461000-memory.dmp

    Filesize

    11.8MB

  • memory/4036-1-0x0000000077776000-0x0000000077778000-memory.dmp

    Filesize

    8KB

  • memory/4036-2-0x0000000000891000-0x0000000000B2A000-memory.dmp

    Filesize

    2.6MB

  • memory/4036-3-0x0000000000890000-0x0000000001461000-memory.dmp

    Filesize

    11.8MB

  • memory/4036-4-0x0000000000890000-0x0000000001461000-memory.dmp

    Filesize

    11.8MB

  • memory/4036-5-0x0000000000890000-0x0000000001461000-memory.dmp

    Filesize

    11.8MB

  • memory/4036-6-0x0000000000890000-0x0000000001461000-memory.dmp

    Filesize

    11.8MB

  • memory/4036-7-0x0000000000890000-0x0000000001461000-memory.dmp

    Filesize

    11.8MB

  • memory/4036-8-0x0000000000890000-0x0000000001461000-memory.dmp

    Filesize

    11.8MB

  • memory/4036-9-0x0000000000890000-0x0000000001461000-memory.dmp

    Filesize

    11.8MB

  • memory/4036-10-0x0000000000890000-0x0000000001461000-memory.dmp

    Filesize

    11.8MB

  • memory/4036-11-0x0000000000890000-0x0000000001461000-memory.dmp

    Filesize

    11.8MB