Overview

overview

10

Static

static

3

ac39195bc9...c7.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

DowloadX.exe

windows10-2004-x64

9

Download.exe

windows10-2004-x64

10

ipras.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/04/2025, 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Download.exe

  • Size

    2.1MB

  • MD5

    4cd4a697f1f93ab36d37c39c09a889e7

  • SHA1

    b434186b165d0bd1a1b9169aef3bf04644c34b78

  • SHA256

    6fbec75c90bd2c0ea247d7d21978ed1af82e706f9f2f0b579f7077e35fc16ec0

  • SHA512

    f0feff6abe140656c42536c9761c85625d62956adccd6a8075aa95c5ef06247970a42ad1c6065237198ab72a5915a86a14d960c1ed9593d34881f69d2f7429f9

  • SSDEEP

    49152:abr8BU1rxuId1OC9bSnkANGF7uE9jpQCSIt2nAZu1Bu32AU7z:iiUHuoQtNG5uOCRC2nMfGLz

Score
10/10
cryptbotdefense_evasiondiscoveryspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

cede04.info

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Cryptbot family
    cryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    defense_evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Download.exe
    "C:\Users\Admin\AppData\Local\Temp\Download.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:2596

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\xpuzRUkXrIDtL\47283761.txt
    Filesize

    150B

    MD5

    405bc1fdd1ceed11e83db51121be5f85

    SHA1

    fb8dc95f32bb208771dd0daf12469b28343cd794

    SHA256

    e66ab784b5c19ff5d327f646b7add182e087c68d1fa1d65a1aeed99530b32013

    SHA512

    bc2a13aa6c45ba2dc23a187e174dddab4b1e49ba6b51f8f64be521242b8130604261fe868f699e374d3b76dbc8eced8d6311ff85f2a6b0e2909d2ab4179cb1dd

    Download Submit

  • C:\ProgramData\xpuzRUkXrIDtL\Files\_Info.txt
    Filesize

    8KB

    MD5

    a3263048a4b720417578d24136612cde

    SHA1

    28e9409639ad6416812892e000df46af87a03168

    SHA256

    4eec53f0e2d2a21ed317e4f149630cc2ce73c4ee308e51ddd613ef403d6c8aed

    SHA512

    202c9db8eaa9de56023f2e07a4048f87db8287b036c76b0007f15150c5568959ef5d4a2652f27cbf27d9c90fb3b6daf644e4b421facdb97c15b7fde517f43f29

    Download Submit

  • C:\ProgramData\xpuzRUkXrIDtL\ZsjdWUiGb.zip
    Filesize

    51KB

    MD5

    41230cfc61a1bf7fd76252acf19993d4

    SHA1

    78130662d4e03e243c605e9a425f71fb26866b9a

    SHA256

    af34f07622e5e4d1c60d7dd3eddef04a7558386db6c59906ef6d1190ed2c49e6

    SHA512

    b869affb1776a9cbe8f64c630f1fa1bd652f7c567858f3905af3e59538ee0b55c7053f6ffeeeb66cd2230e53f2252c0dc281065569bc01636f97d7196960c691

    Download Submit

  • memory/2596-154-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-156-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-2-0x0000000004E50000-0x0000000004E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2596-15-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-16-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-19-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-3-0x0000000004E70000-0x0000000004E71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2596-4-0x0000000004E10000-0x0000000004E11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2596-145-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-151-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-152-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-0-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-155-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-5-0x00000000005A1000-0x0000000000600000-memory.dmp

    Filesize

    380KB

    Download

  • memory/2596-158-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-1-0x0000000077314000-0x0000000077316000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2596-161-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-164-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-167-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-170-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-172-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-174-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-177-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-180-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-183-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-186-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-189-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2596-191-0x00000000005A0000-0x0000000000A77000-memory.dmp

    Filesize

    4.8MB

    Download