General
-
Target
SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088
-
Size
8.9MB
-
Sample
201109-c5722c1kma
-
MD5
a76688ac6e0e987395dbf946556b5354
-
SHA1
b43bcf90a79164d553bb2b5cb0b4dfe9032074fa
-
SHA256
68e0c8bcb14bc94813d8c6494966d1f32b60ccca1fb9d80996707abeee3d2db5
-
SHA512
1eba98221d365c7e47a1f016874da214e9944fe4eb6b5d989039ba2dd7f6e7da56df21226a48dd9666e31bb912cdcd6645f5b35746e56ed3d37a0b518468b068
Malware Config
Targets
-
-
Target
SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088
-
Size
8.9MB
-
MD5
a76688ac6e0e987395dbf946556b5354
-
SHA1
b43bcf90a79164d553bb2b5cb0b4dfe9032074fa
-
SHA256
68e0c8bcb14bc94813d8c6494966d1f32b60ccca1fb9d80996707abeee3d2db5
-
SHA512
1eba98221d365c7e47a1f016874da214e9944fe4eb6b5d989039ba2dd7f6e7da56df21226a48dd9666e31bb912cdcd6645f5b35746e56ed3d37a0b518468b068
Score10/10-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-