Overview

overview

10

Static

static

3

641665ec1e...18.exe

windows7-x64

10

641665ec1e...18.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

1_1.exe

windows7-x64

10

1_1.exe

windows10-2004-x64

10

file.exe

windows7-x64

9

file.exe

windows10-2004-x64

9

file.vbs

windows7-x64

8

file.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1_1.exe

  • Size

    2.1MB

  • MD5

    5a2a75f58899cde4c6f0db01e76ec957

  • SHA1

    687a13b27fc71c0f5b13bbec024a7355d68e9366

  • SHA256

    5f542d4b44d1cfad8c47508393fe2695a6165faa0010db45c6a83345e06981d6

  • SHA512

    1beed060bf19b93ee6928141e53d8957bb7a06054a38f18f4a03cdd04d8bcff20f6b388c128c04b8ddb337f05730b877b8f44b9b7a1ed4473df6c4e35e229abd

  • SSDEEP

    49152:1RQHZCG6lEfw7FclTsIvv1+91BrweH6m71CL5eHYRW:1v7lYw5Ivv89vT71CdeHYE

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

otteppp05.top

doorres02.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 21 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1_1.exe
    "C:\Users\Admin\AppData\Local\Temp\1_1.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\I0kSu835nXDi.zip
    Filesize

    325KB

    MD5

    283fbd067e3a026c46402c4f3924fbe4

    SHA1

    1eedc40b4ba46a4c17fb67abe434ba9ebdf8b313

    SHA256

    0df4bc3c3004761d3568c9328e89d819f037b535abe6f36a59258c6bfaf30afb

    SHA512

    1697f11f41fb6a554204db649e72e620daa08421cc2be71d1961fa4021091bc2bafe921a24b4c1f15f2dfbaf5ebb9353c8e3a9f1e0e5134b72384639d96cc54a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Files\UndoRemove.txt
    Filesize

    283KB

    MD5

    e6d0058aa7e5f1d051e4f2ec72bead39

    SHA1

    ad3fae0834649dd4d71b10d201936f7e608b96e7

    SHA256

    9732affbb95fb110631e0e28b75edd1b464dca98b7c34f46593a5a294581db03

    SHA512

    2736b242a7fd006a6de316061486a5163f47552d765693ff59b9286f472e36095844f0a0828f81b75dc49486d4f01fd2b84703ec851d85816cb05d5973f2b599

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
    Filesize

    4KB

    MD5

    c1a9280789538c57e7ded844e051ec95

    SHA1

    3d15fa02ef0db6192af925e5696a608d63edadc3

    SHA256

    d22dfc7c3763059886e4233c23abf56f8d9959c79b4d6794ea34f0d543b5a8c2

    SHA512

    2155a895c732a556077ab323db1ba1aa842bd5d31998042de0afdd34d903274bc0ee6ee7d4875c5d4b1bd87e47c4faf538ee1f5461d664185ff85c77eb770b2b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Screen_Desktop.jpeg
    Filesize

    48KB

    MD5

    9809e054486fec3f80031fb91c1b41ca

    SHA1

    4fd85c16fe7f31f69e4dea4a70f6093b2ae8c3de

    SHA256

    b67dfeb365d5f9494474765bca94641d7796be873c079cc9049265eed212899f

    SHA512

    3291a8d5f91202ab8a0b229d5bb3eccfbc89729e185a76bd588566fa745b6c0068c1afdff531386a26104f079481f8beabea53911fbe3109de57c0236a0b4253

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\bFogcARCIrQ.zip
    Filesize

    325KB

    MD5

    994da235310c1fe244839c7abee8d4db

    SHA1

    df57fa4e7c61eaca518f6b3c4e51f7c116c53d41

    SHA256

    e9642b70979b1d5d201307e8849d18d9ca0222e401d35037776ff732dff050be

    SHA512

    607076f34d107e7f18ff901d0ad52c5062ecb8077ef35d24acccf43eeed9e01a0a4c1783770d8a185855062e3b7258a96558411672001a9c32d4ff56c5807dd5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\files_\system_info.txt
    Filesize

    660B

    MD5

    35e134ef802e9fa49465eb0919055d90

    SHA1

    a03a8f3d18ac750b03fa6f38d7fae8676cb5ad11

    SHA256

    ae436609fc888b4a73be4bbeee8c4b18e6bcbe47334e1475102cdbf55d58b39a

    SHA512

    412337d710dbed25d5d416609b716063ba917328f5d6c1aa1b8e7639afbed956343c9997e401ee3f856fc532ced8f597786a431b92b0a08027790e15b1866312

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\files_\system_info.txt
    Filesize

    7KB

    MD5

    30f906b86ac61c590a069f03e99cd56f

    SHA1

    a9b9868906c6011777450bc96109fe7c963924fc

    SHA256

    aa912f0f7683c43aeb13087a9b3d0e7ed7b589a9e2e1928c91b513883e15ccbe

    SHA512

    18f0658c3b8b1dca52003736e1821650011384644a5cd47b50586a6dd1f10ec83f22a2942eb0693430006aad25208c39aed1cc3c84417cac179d526ae5513916

    Download Submit
  • memory/3968-231-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-236-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-76-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-6-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-2-0x0000000005400000-0x0000000005401000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-3-0x0000000005420000-0x0000000005421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-4-0x0000000005410000-0x0000000005411000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-228-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-229-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-0-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-5-0x00000000003D1000-0x000000000042C000-memory.dmp
    Filesize

    364KB

    Download
  • memory/3968-233-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-234-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-7-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-238-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-241-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-243-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-248-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-251-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-254-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-257-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-263-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-266-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-1-0x00000000778B4000-0x00000000778B6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3968-269-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-272-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3968-275-0x00000000003D0000-0x00000000008CE000-memory.dmp
    Filesize

    5.0MB

    Download