Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
-
submitted
13/04/2025, 02:36
General
-
Target
ac39195bc9a3f97ab72f608ba7e86c79b9de337862e290d7d00ba5e0aaf23ac7.exe
-
Size
4.2MB
-
MD5
9a111da409acb04e0aead5b1ad4aa204
-
SHA1
86a8b8f8c8e152de3804f38811279cd1e96aae0c
-
SHA256
ac39195bc9a3f97ab72f608ba7e86c79b9de337862e290d7d00ba5e0aaf23ac7
-
SHA512
f818a5403452b7d3965e387eb24af2f9a367baf4d247b67d13d5ca5a7132e9e412326f2c55d09ed7bd2c36aecb735cc5efcb346756117cae53d345512a59b121
-
SSDEEP
98304:oCUaoUgDLtLw4nJhbtyPXq2KCuVkOZJ8QzwqTEld+k6CgvQ1PIdskHNOzdo:oCUPJLtRnJd+Kl9Z+QzwqTqz6TvQ0BMm
Malware Config
Extracted
cryptbot
cede04.info
Signatures
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac39195bc9a3f97ab72f608ba7e86c79b9de337862e290d7d00ba5e0aaf23ac7.exe"C:\Users\Admin\AppData\Local\Temp\ac39195bc9a3f97ab72f608ba7e86c79b9de337862e290d7d00ba5e0aaf23ac7.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Lass\Inst\Download.exe"C:\Program Files (x86)\Lass\Inst\Download.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\SNegUyUGYdgrwOr2 & timeout 2 & del /f /q "C:\Program Files (x86)\Lass\Inst\Download.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 24⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\CScript.exe"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Lass\Inst\ipras.vbs" //e:vbscript //B //NOLOGO2⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Lass\Inst\DowloadX.exe"C:\Program Files (x86)\Lass\Inst\DowloadX.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v16
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5e6964640c38b37d47d1af6f62d84293d
SHA15fb66c1612d6931f5b9411ac697225812783b18b
SHA256ae93c138b8c1e7b3af5853244f1bd81d723b4bdd487caf00fb47e308d324798e
SHA5128178e081f63d403702c117b8b6bbf46f437e11d553e7ac0fa4a65e7bbd73a8d3a4026799283edfaf4c7b78d0ffbbd30f69ede60af8306238643d65fd86d89e99
-
Filesize
2.1MB
MD54cd4a697f1f93ab36d37c39c09a889e7
SHA1b434186b165d0bd1a1b9169aef3bf04644c34b78
SHA2566fbec75c90bd2c0ea247d7d21978ed1af82e706f9f2f0b579f7077e35fc16ec0
SHA512f0feff6abe140656c42536c9761c85625d62956adccd6a8075aa95c5ef06247970a42ad1c6065237198ab72a5915a86a14d960c1ed9593d34881f69d2f7429f9
-
Filesize
126B
MD5b802ff9244875f69db2fae0f78e92b10
SHA149385a89cd575894a29fbda969b99cc1f5cf8076
SHA256a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
SHA512609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e
-
Filesize
150B
MD5405bc1fdd1ceed11e83db51121be5f85
SHA1fb8dc95f32bb208771dd0daf12469b28343cd794
SHA256e66ab784b5c19ff5d327f646b7add182e087c68d1fa1d65a1aeed99530b32013
SHA512bc2a13aa6c45ba2dc23a187e174dddab4b1e49ba6b51f8f64be521242b8130604261fe868f699e374d3b76dbc8eced8d6311ff85f2a6b0e2909d2ab4179cb1dd
-
Filesize
8KB
MD530d55d3db01270454841629851c7a30f
SHA1743d8c0f80e8810994482d498946f9a69f897ff1
SHA256591a329037a8dc61d91b2a4ce4f88e58beb38cfe12016faa0f7a907a02bac746
SHA512ee48f88e441b4b5674020d5a45144f83633817257cfd947df0b138e7678920286ee45eff6e6a678ba212fc5d34d5e3b89d89157e2f33465b88fd59b647a88036
-
Filesize
47KB
MD53c118153158eefb16a18fcec67c66b2d
SHA1bb29d9ee508299dc0b2ac026252b9b5cfd62405f
SHA256db190dee05dce816bb792f5cb3b7b649bff719a002165162944a2d6ca421025c
SHA5124f667f8073e20c20da6a89959f993dc6b2e3c648909bbc00f726039201bc5deb7250802fc406e4c642c03e7da777ba01f28ddfc18fd93d484f8a840662e76b35
-
Filesize
96KB
MD56066c07e98c96795ecd876aa92fe10f8
SHA1f73cbd7b307c53aaae38677d6513b1baa729ac9f
SHA25633a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53
SHA5127d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7
-
Filesize
43KB
MD59ee56369b9e3d56a243f64b2fd110064
SHA15b62663e92eeafea63ca91b760f2985a8bfd854d
SHA25618cb7c82ab8a5a234c2fb50f9fb94400369b05644433a8e699f177bc0f011aec
SHA512acac4a935be8aaca0e5edaa8c5ce9d100c804e292f7c6004886bbef93fe1e14b3cebb0993381bc0453649ab6d255a8e77266992cc4a0ed9881c59befc064e080
-
Filesize
14KB
MD5adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
Filesize
6KB
MD5132e6153717a7f9710dcea4536f364cd
SHA1e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA5129aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1
-
Filesize
15KB
MD5ca566c1d412cdc9fde51d2379c52b7a2
SHA11bf17d3cf5180e9fd857bd6ff44881381c730503
SHA25634c63c1b14a0526b6f3f7c33a37235f94b06ce4ea0b01d8e0b08956c5c9e1102
SHA5129b5d062bda9e24154f744e52e2707c3ac572a9ed50a5474f367afcc3d37e4390ebc2a8c7e75017557090aee21275936a15265e0d4bce8dda7f7eb23819dd8704
-
Filesize
15KB
MD5481066a78b1b9985cdfb2c0f0bbe3c3d
SHA1b78c952c9d67a3b78eeaec34814e919e621c1363
SHA2564cb259a13d5810f3f5385cf8ffd1892a92fdd6243c8049d66bfe7c700eac6979
SHA512c08c528e502e8fae014b322f057ed1e17d3023c1c3b2bf6d7bbaa90ac79bd355547125c981a4cc3d695c7bc4cdfefe6b98abcc44c984f02a406e74b0cdc4a420
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
380KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
4.8MB
