cryptbot | a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

2.2MB
MD5

184073024e93d570c71c2e49afc5b26b
SHA1

dbb7cdcb73b04092e9465969f1075227617e88bb
SHA256

cc76ddcff8abaf26698c735a56abb171773c48262e06ae2dbdcaf13769edb8de
SHA512

00296de5e63229dd91e71dc8d347a34203829314339690a63b5e448ecfda9a7be0f1be11fd34f2936590d30c05ec7ef126ad9ab695ef18459326bdc66160474d
SSDEEP

49152:Y5z5srIusYBTvgGA7cdSELs+CK+omuEKIEPh8qhWbrq5pw:wzKsc0B7FEqu8EPhphWbrq5pw

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

vvz01.pro

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Setup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Setup.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Setup.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation Setup.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Setup.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine Setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setup.exe

pid process

3052 Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Setup.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine	Setup.exe

flow	ioc
13	ip-api.com

pid	process
3052	Setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2136 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Setup.exe

pid process

3052 Setup.exe
3052 Setup.exe
Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Setup.exe

pid process

3052 Setup.exe
3052 Setup.exe
3052 Setup.exe
3052 Setup.exe
3052 Setup.exe
3052 Setup.exe
3052 Setup.exe
3052 Setup.exe
3052 Setup.exe
3052 Setup.exe
3052 Setup.exe
3052 Setup.exe

pid	process
2136	timeout.exe

pid	process
3052	Setup.exe
3052	Setup.exe

pid	process
3052	Setup.exe
3052	Setup.exe
3052	Setup.exe
3052	Setup.exe
3052	Setup.exe
3052	Setup.exe
3052	Setup.exe
3052	Setup.exe
3052	Setup.exe
3052	Setup.exe
3052	Setup.exe
3052	Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Setup.execmd.exe

description	pid	process	target process
PID 3052 wrote to memory of 3804	3052	Setup.exe	cmd.exe
PID 3052 wrote to memory of 3804	3052	Setup.exe	cmd.exe
PID 3052 wrote to memory of 3804	3052	Setup.exe	cmd.exe
PID 3804 wrote to memory of 2136	3804	cmd.exe	timeout.exe
PID 3804 wrote to memory of 2136	3804	cmd.exe	timeout.exe
PID 3804 wrote to memory of 2136	3804	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\xakeUjgPUuj & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xakeUjgPUuj\47283761.txt
Filesize
156B

MD5
b5089e0c5a3d5377e9bd19c0557ef04e

SHA1
9402e326be3d240e234c06892b15c24e93c93eb8

SHA256
d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

SHA512
942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

Download Submit
C:\ProgramData\xakeUjgPUuj\Files\Files\Desktop\WRITEC~1.TXT
Filesize
225KB

MD5
e590629291b07c5614693a492686c2bd

SHA1
868d331174b27c8062b6e4721577b4d3a8ca8a2d

SHA256
e27d4562d21e534440ae86375b1a88da95744f4277196ca4baf6dc49f9c2e779

SHA512
c42070350f07b8aa1f46da2b1b85b5759ad9080443898950959cbc0177345e981b8ffb6a295e2c0d921368b58e67fb20b584a9f52ddfed0708d9052f3a4eaf77

Download Submit
C:\ProgramData\xakeUjgPUuj\Files\_Info.txt
Filesize
8KB

MD5
6ac8a2ca2e99a9694b80bb3b8cdc9a2f

SHA1
c5a6b4e8d813881c2f204149e0c0db052714ef13

SHA256
7774eeded9c5f663cb0db38490d642e430cfc671cd360b04f36b2518f2332f5e

SHA512
27ee6c99fed6b9a5eab5a9dbd4ffaadaaa726a27bebb528ed78c7bd1db3678f74b13cbcc198fc937259349c670612976e55ed7ef375d7395f2e224890d72a4e7

Download Submit
C:\ProgramData\xakeUjgPUuj\Files\_Screen.jpg
Filesize
55KB

MD5
326f6986d6c6e8e740a10c278c1fdf35

SHA1
79a910e5c7ddf8be1ed2ae0f5fdfe4bd99b0ce29

SHA256
5eb53439ff9f4f7ee51dfd8fbc21e02a66b5ac9f2b5dc499e0cbfceb7961db06

SHA512
9ec6dfb9a18945bfc4ea7cc91629025d4da4a235f97259f7aa8d50b9c036944f730cd49e98c4726693cec10ea59a075764a85bf2e3e2cc1cb8ec651de72adebf

Download Submit
C:\ProgramData\xakeUjgPUuj\MOZ_CO~1.DB
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\xakeUjgPUuj\q2RTyKSN.zip
Filesize
276KB

MD5
2016fc84692506fe6026a9650571428e

SHA1
a7ea740db732f78c3d045c500d6d338d19231563

SHA256
887e303cb901aa11d9128d09ec1aa59366ff90ee7dfc9ac96126d06fb22d8bc3

SHA512
84f8cbb777469670c598420cddb195b96d8f6b15581a226a2c3ade53d035b11b5202eee7358e3e96ab1955259c2b73fb8f7718f6153332710919ad19ee2bd109

Download Submit
memory/3052-161-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-168-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-19-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-13-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-4-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/3052-144-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-156-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-158-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-5-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/3052-160-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-0-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-163-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-165-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-16-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-171-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-175-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-178-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-180-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-183-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-186-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-189-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-192-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-194-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-198-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-199-0x00000000009B0000-0x0000000000F02000-memory.dmp

Filesize
5.3MB

Download
memory/3052-6-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/3052-8-0x00000000009B1000-0x0000000000A10000-memory.dmp

Filesize
380KB

Download
memory/3052-1-0x0000000077BB4000-0x0000000077BB6000-memory.dmp

Filesize
8KB

Download