Windows Analysis Report file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:501609
MD5:6738381ddd3d2952312af2a0f2be5157
SHA1:40fa53df583e9b598bb2d7be716958b1f5bad0dc
SHA256:84f4e2b346b6f5473e2c564a6f60985c5d20f621e70a982e9aafd21354ccc66f
Detection

Cryptbot Glupteba
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Cryptbot
Detected unpacking (overwrites its own PE header)
Yara detected Glupteba
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
PE file contains strange resources
Contains functionality to read the PEB
Contains functionality to download and launch executables
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • file.exe (PID: 5940 cmdline: 'C:\Users\user\Desktop\file.exe' MD5: 6738381DDD3D2952312AF2A0F2BE5157)
  • cleanup

Malware Configuration

Threatname: Cryptbot

{"Download URL": "http://bojwfi01.top/download.php?file=lv.exe", "C2 list": ["moresh01.top/index.php", "cemnit12.top/index.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.666994856.0000000003360000.00000004.00000001.sdmp | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security |
00000000.00000002.929802806.0000000001840000.00000040.00000001.sdmp | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security |
00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security |
Process Memory Space: file.exe PID: 5940 | JoeSecurity_Glupteba_1 | Yara detected Glupteba | Joe Security |
Process Memory Space: file.exe PID: 5940 | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.file.exe.400000.0.unpack | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security |
0.2.file.exe.400000.0.raw.unpack | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security |
0.2.file.exe.1840e50.1.unpack | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security |
0.3.file.exe.3360000.0.unpack | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security |
0.2.file.exe.1840e50.1.raw.unpack | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.file.exe.1840e50.1.raw.unpack | Malware Configuration Extractor: Cryptbot {"Download URL": "http://bojwfi01.top/download.php?file=lv.exe", "C2 list": ["moresh01.top/index.php", "cemnit12.top/index.php"]}
Multi AV Scanner detection for submitted file
Source: file.exe | ReversingLabs: Detection: 60%
Antivirus detection for URL or domain
Source: http://bojwfi01.top/download.php?file=lv.exe | Avira URL Cloud: Label: malware
Source: moresh01.top/index.php | Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401220 GetFileAttributesW,CreateFileW,GetFileSizeEx,CloseHandle,CreateFileMappingW,MapViewOfFile,CloseHandle,CloseHandle,CryptUnprotectData,LocalFree,UnmapViewOfFile,CloseHandle,FindCloseChangeNotification,CloseHandle,0_2_00401220

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: file.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\pubezepimog\teyakucarurab_vijuwatizuxi_33.pdb0E source: file.exe
Source: Binary string: C:\pubezepimog\teyakucarurab_vijuwatizuxi_33.pdb source: file.exe
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402680 Sleep,FindFirstFileW,FindNextFileW,FindClose,0_2_00402680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042ABC1 FindFirstFileExW,0_2_0042ABC1
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: moresh01.top/index.php
Source: Malware configuration extractor | URLs: cemnit12.top/index.php
Source: unknown | DNS traffic detected: query: cemnit12.top replaycode: Server failure (2)
Source: file.exe, file.exe, 00000000.00000003.666994856.0000000003360000.00000004.00000001.sdmp | String found in binary or memory: http://bojwfi01.top/download.php?file=lv.exe
Source: file.exe, 00000000.00000002.930560853.0000000003F08000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/in-k
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.php
Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.php#
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.php#An
Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.php&
Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.php0
Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.php7
Source: file.exe, 00000000.00000002.929909251.00000000019FC000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.php?J
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpB
Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpF
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpFB
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpMB
Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpP
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpPB
Source: file.exe, 00000000.00000002.930535454.0000000003ED8000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpQ
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpWB
Source: file.exe, 00000000.00000002.930014729.0000000001A7C000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpX
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpZB
Source: file.exe, 00000000.00000002.930014729.0000000001A7C000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpb
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpe
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpeB
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phphB
Source: file.exe, 00000000.00000002.929909251.00000000019FC000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpl
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpoB
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phprB
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp | String found in binary or memory: http://cemnit12.top/index.phpyB
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | DNS traffic detected: queries for: cemnit12.top
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DB70 CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW,0_2_0040DB70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040AD20 RegQueryValueExW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,GdiplusShutdown,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdiplusShutdown,CopyFileW,0_2_0040AD20
Source: file.exe, 00000000.00000002.929870758.00000000019C8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: file.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041B72F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004138F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043030F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004223F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00420429
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043042F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041B4FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413580
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004327BD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00433800
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041B994
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00411A10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042DAF1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00410E50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044EA80
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0040F2F0 appears 57 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00416C70 appears 50 times
Source: file.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: file.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: file.exe | ReversingLabs: Detection: 60%
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\andian
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\htRscv
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/13@73/0
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: \_Files 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: \_Files\_Files 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: \_Files\_Wallet 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: \_Files\_Chrome 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: \_Files\_Opera 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: \_Files\_Brave 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: \files_ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: \files_\files 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: \files_\_Chrome 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: \files_\_Opera 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: \files_\_Brave 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: %Temp%\ 0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe | Command line argument: >.C 0_2_00432D90
Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\pubezepimog\teyakucarurab_vijuwatizuxi_33.pdb0E source: file.exe
Source: Binary string: C:\pubezepimog\teyakucarurab_vijuwatizuxi_33.pdb source: file.exe

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043668D push esi; ret 0_2_00436696
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408A6A push 48680000h; ret 0_2_00408A77
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00416CB6 push ecx; ret 0_2_00416CC9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_019DB1DD pushad ; iretd 0_2_019DB1DE
Source: initial sample | Static PE information: section name: .text entropy: 7.34053606656
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DB70 CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW,0_2_0040DB70
Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe | Registry key enumerated: More than 174 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A6E3 GetFileAttributesW,GetFileAttributesW,GetSystemInfo,KiUserCallbackDispatcher,GlobalMemoryStatusEx,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,0_2_0040A6E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402680 Sleep,FindFirstFileW,FindNextFileW,FindClose,0_2_00402680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042ABC1 FindFirstFileExW,0_2_0042ABC1
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local
Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllbn;G
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041D1DD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0041D1DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042C070 GetProcessHeap,0_2_0042C070
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004230B1 mov eax, dword ptr fs:[00000030h] 0_2_004230B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042A824 mov eax, dword ptr fs:[00000030h] 0_2_0042A824
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041D1DD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0041D1DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00416A61 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00416A61
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00416BF7 SetUnhandledExceptionFilter,0_2_00416BF7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00416E3D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00416E3D
Source: file.exe, 00000000.00000002.930113974.0000000001F50000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: file.exe, 00000000.00000002.930113974.0000000001F50000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: file.exe, 00000000.00000002.930113974.0000000001F50000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: file.exe, 00000000.00000002.930113974.0000000001F50000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Chrome\default_cookies.db VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Chrome\default_key.bin VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Chrome\default_logins.db VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Chrome\default_webdata.db VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Information.txt VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Screen_Desktop.jpeg VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW,0_2_0040DB70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00416891 cpuid 0_2_00416891
Source: C:\Users\user\Desktop\file.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413A40 SetFilePointer,SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,0_2_00413A40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00429D74 _free,_free,_free,GetTimeZoneInformation,_free,0_2_00429D74
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040AA30 GetFileAttributesW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,RegOpenKeyExW,RegCloseKey,GetUserNameW,ExpandEnvironmentStringsW,CreateDirectoryW,Sleep,0_2_0040AA30

                      Stealing of Sensitive Information:

                      Yara detected Cryptbot
                      Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.file.exe.1840e50.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.file.exe.3360000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.file.exe.1840e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.file.exe.3360000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000003.666994856.0000000003360000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.929802806.0000000001840000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: file.exe PID: 5940, type: MEMORYSTR
                      Yara detected Glupteba
                      Source: Yara match | File source: Process Memory Space: file.exe PID: 5940, type: MEMORYSTR
                      Found many strings related to Crypto-Wallets (likely being stolen)
                      Source: file.exe | String found in binary or memory: %AppData%\Electrum-btcp\wallets
                      Source: file.exe | String found in binary or memory: %AppData%\ElectronCash\wallets
                      Source: file.exe | String found in binary or memory: %AppData%\Jaxx\Local Storage
                      Source: file.exe | String found in binary or memory: %AppData%\Exodus\backup
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
                      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

                      Remote Access Functionality:

                      Yara detected Cryptbot
                      Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.file.exe.1840e50.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.file.exe.3360000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.file.exe.1840e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.file.exe.3360000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000003.666994856.0000000003360000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.929802806.0000000001840000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: file.exe PID: 5940, type: MEMORYSTR
                      Yara detected Glupteba
                      Source: Yara match | File source: Process Memory Space: file.exe PID: 5940, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      (Numbers in square brackets are the counts shown against each technique in the original matrix; "-" marks an empty cell.)

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Command and Scripting Interpreter [2] | Path Interception | Process Injection [1] | Deobfuscate/Decode Files or Information [1] | OS Credential Dumping [1] | System Time Discovery [2] | Remote Services | Archive Collected Data [1] | Exfiltration Over Other Network Medium | Ingress Tool Transfer [11] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information [3] | Input Capture [1] | Account Discovery [1] | Remote Desktop Protocol | Data from Local System [2] | Exfiltration Over Bluetooth | Encrypted Channel [2] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing [21] | Security Account Manager | File and Directory Discovery [3] | SMB/Windows Admin Shares | Screen Capture [1] | Automated Exfiltration | Non-Application Layer Protocol [1] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading [1] | NTDS | System Information Discovery [53] | Distributed Component Object Model | Input Capture [1] | Scheduled Transfer | Application Layer Protocol [11] | SIM Card Swap | - | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion [1] | LSA Secrets | Query Registry [1] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection [1] | Cached Domain Credentials | Security Software Discovery [31] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Virtualization/Sandbox Evasion [1] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Process Discovery [11] | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery [1] | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery [1] | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.