Overview

overview

10

Static

static

7

installer_NEAS.exe

windows7-x64

10

installer_NEAS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2024 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    installer_NEAS.exe

  • Size

    2.7MB

  • MD5

    c29c49f54236b95c5f6228af66c651c5

  • SHA1

    92c2a13c39757b0b656b44e0d1bc55e98ed5cc00

  • SHA256

    0218dd62759681af9aa77bfbd8f43af8de695b7426bb74aecdcd9f25ee53f3da

  • SHA512

    4fd926d42951e3e29a9d7a78b787567d86a5ae01a5bdcbf56058dc61a86d71d6b7bf4254a6136e9844cf2530f1a9bb5f645b40e804cc1cc2602d89bf193a505d

  • SSDEEP

    49152:P9eUwdL4wRqh7YqAVpymthcNRhuvo5NMAN7q4HmfT5RhJRr0UUK81Ezw6HdPd5ik:85zgSt+svYNMAN7jOhJRDrwId

Score
10/10
cryptbotdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

cryptbot

C2

oct3m.top

oct3e.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 20 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\installer_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\installer_NEAS.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:4928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PocEUQmSNQ\JHtcuJDxWK.zip
    Filesize

    50KB

    MD5

    1ee53b171dfeec69748bd7c9dc29b6ca

    SHA1

    286bb38a11ee0212dac0c5366b1fb9a4a54d31c9

    SHA256

    5412bf1c23f89139a81c46de56490f7756b2cdbf17ef586424a1aec33c9983a1

    SHA512

    59452f400143d00aa2bd6520930f3915467e8de342061038f1f7b69348c47738935e8765578793adc82d6728874bd6409feccfc5f45b025cfcdd25a025e38ef8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\PocEUQmSNQ\_Files\_Information.txt
    Filesize

    1KB

    MD5

    3a30a40543d7f5d8476fd806497cdd62

    SHA1

    3f6320eb4a3dd11591a881ce1b301aec85d88a7a

    SHA256

    035b1e7082654f983dc255eaa829121350e4cd3430f2f38ef33a3d5611a749f2

    SHA512

    e8be495b15ab0c4145bb84e1fb8339d5adea0f8dece81ad4ea96e8b4525d9a2b75eb7e268bf8e9cc8a67559d8c94e7db37d41cb6c1129117e785b2f31dcbce4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\PocEUQmSNQ\_Files\_Information.txt
    Filesize

    7KB

    MD5

    302b2b14283952d2407bfe70d469bdc5

    SHA1

    792aba00b74a50beea87ef31d361cf52537f71d8

    SHA256

    10307cb5fb3bb63b698ea0aab8485842a63a1d6196722c0576b903f720010e34

    SHA512

    6e19ebd9eec8c690f57050090443c8116bcf3418240c5345d1683b5f93d54cfca59ef71c9ce2178ba24c6415d3b0d07f570132490492ede22bffc0fce5638915

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\PocEUQmSNQ\_Files\_Screen_Desktop.jpeg
    Filesize

    56KB

    MD5

    9bf45f41a67f67264088280db47c3f7d

    SHA1

    e4944f7b2be7219cd84a68c757e51c2bd63013ba

    SHA256

    78798bcf9351a99a705c9aef7037ab2fe9ff8c06294311c95f5863e823de7d52

    SHA512

    3c5d31f318bf6601dd3b44b027a9175496a292a40f1a7f930adaef3cc8bd639083d625f2bf67693381a49a55a070b9966a14c42444ab030f701e533b25388818

    Download Submit
  • memory/4928-5-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-133-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-0-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-4-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-2-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-3-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-121-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-124-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-1-0x0000000077204000-0x0000000077206000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4928-127-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-130-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-6-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-136-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-139-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-142-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-145-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-148-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-151-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-154-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-157-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/4928-160-0x0000000000020000-0x000000000071E000-memory.dmp
    Filesize

    7.0MB

    Download