Overview

overview

10

Static

static

3

ac39195bc9...c7.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

DowloadX.exe

windows10-2004-x64

9

Download.exe

windows10-2004-x64

10

ipras.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/04/2025, 02:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Download.exe

  • Size

    2.1MB

  • MD5

    4cd4a697f1f93ab36d37c39c09a889e7

  • SHA1

    b434186b165d0bd1a1b9169aef3bf04644c34b78

  • SHA256

    6fbec75c90bd2c0ea247d7d21978ed1af82e706f9f2f0b579f7077e35fc16ec0

  • SHA512

    f0feff6abe140656c42536c9761c85625d62956adccd6a8075aa95c5ef06247970a42ad1c6065237198ab72a5915a86a14d960c1ed9593d34881f69d2f7429f9

  • SSDEEP

    49152:abr8BU1rxuId1OC9bSnkANGF7uE9jpQCSIt2nAZu1Bu32AU7z:iiUHuoQtNG5uOCRC2nMfGLz

Score
10/10
cryptbotdefense_evasiondiscoveryspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

cede04.info

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Cryptbot family
    cryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    defense_evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Download.exe
    "C:\Users\Admin\AppData\Local\Temp\Download.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\tmeeif2qU3xO & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Download.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\SysWOW64\timeout.exe
        timeout 2
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:3224

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\tmeeif2qU3xO\47283761.txt
    Filesize

    150B

    MD5

    405bc1fdd1ceed11e83db51121be5f85

    SHA1

    fb8dc95f32bb208771dd0daf12469b28343cd794

    SHA256

    e66ab784b5c19ff5d327f646b7add182e087c68d1fa1d65a1aeed99530b32013

    SHA512

    bc2a13aa6c45ba2dc23a187e174dddab4b1e49ba6b51f8f64be521242b8130604261fe868f699e374d3b76dbc8eced8d6311ff85f2a6b0e2909d2ab4179cb1dd

    Download Submit

  • C:\ProgramData\tmeeif2qU3xO\Files\_Info.txt
    Filesize

    8KB

    MD5

    fba221554296a32c20d81fb6e7f877f2

    SHA1

    f51a97c133a57b2d03d573d227a3ddbd8334b5b9

    SHA256

    991a5259916e19452ecd14538537a849f1b2b9ec51cf1f0844b280c10172af4d

    SHA512

    2d3a0b7ce6346d647d1eff5e08141822e9390dea3239637c91b8c9e1f52b8391af539c500868dc12d3b2639608656afac692543597b9c30260bd0c3761859c99

    Download Submit

  • C:\ProgramData\tmeeif2qU3xO\Files\_Screen.jpg
    Filesize

    57KB

    MD5

    d1fba32cc7d4cbb11261020fe2befa09

    SHA1

    0cfe0bfb1e473cd9c20a32b55bcfde780a590daf

    SHA256

    75e8057d500581b77dbcf6bfe20a4679a3eb7a5fa395896dfb5788d664e74761

    SHA512

    4581dc5f8a2891f66317f50f60897dbab8c2916e71f2cfae6138d68e3b32765b4f591ee35404435a308ae0e6b762475887f5a67b1bbf3dadf3f4513c090b69dc

    Download Submit

  • C:\ProgramData\tmeeif2qU3xO\JOZDXytv.zip
    Filesize

    53KB

    MD5

    0669dfeda1138bd16c016898c27a94e3

    SHA1

    11b313b13affb4c6adef06b843379b35bf02a2be

    SHA256

    3120bd9b969dfdf57f23596f2c19650e3c96ff7022a60ef5c9bf965fb238808c

    SHA512

    b27cbab0080fa17f15073632e80ed1f6d8744e9b5852eff229e6745ab5b0ddfff22b9236cd16c2a3a4fad59eaaba3607e54c05985d33a12babbe076d1bc75c01

    Download Submit

  • C:\ProgramData\tmeeif2qU3xO\MOZ_CO~1.DB
    Filesize

    96KB

    MD5

    6066c07e98c96795ecd876aa92fe10f8

    SHA1

    f73cbd7b307c53aaae38677d6513b1baa729ac9f

    SHA256

    33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

    SHA512

    7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

    Download Submit

  • memory/1312-156-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-163-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-14-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-17-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-20-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-2-0x0000000005250000-0x0000000005251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-146-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-3-0x0000000005270000-0x0000000005271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-152-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-153-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-155-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-0-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-157-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-4-0x0000000005210000-0x0000000005211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-160-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-13-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-165-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-168-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-171-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-174-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-177-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-180-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-183-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-186-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-189-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-191-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-194-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-196-0x0000000000F40000-0x0000000001417000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1312-5-0x0000000000F41000-0x0000000000FA0000-memory.dmp

    Filesize

    380KB

    Download

  • memory/1312-1-0x00000000770B4000-0x00000000770B6000-memory.dmp

    Filesize

    8KB

    Download