General
-
Target
5579485297803264.zip
-
Size
6.7MB
-
Sample
210115-3hj5vvw1ej
-
MD5
8d39ac315e1b224de97e282414967265
-
SHA1
97a44f78b91da3129e108a40e28e1cf6c3c932fe
-
SHA256
5a9e3280eb6db0cfbd5a5fd70a4c58e35e397c29f7cda8306c681151030f4352
-
SHA512
65d3f8acdc1da1941c6a86ab8b3134d52f2b88e9972aa475120cee560a10fba30c740aa81d08866964af04357f6b32be72a45d1cf6b50f224afae3c26f9b5445
Static task
static1
Behavioral task
behavioral1
Sample
576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
6e80e005df38336538ccb8d85ab2bc29cfa761243a4715a28c437c501170372d.exe
Resource
win7v20201028
Behavioral task
behavioral4
Sample
6e80e005df38336538ccb8d85ab2bc29cfa761243a4715a28c437c501170372d.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
c18292ba5f1e7081f1afaf5e62e63823ffc1673ea59a9d62cd4ff1b8ec7e1903.exe
Resource
win7v20201028
Malware Config
Extracted
cryptbot
kirraadd12.top
moraatwoo06.top
-
payload_url
http://frttload08.top/download.php?file=lv.exe
Targets
-
-
Target
576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510
-
Size
4.6MB
-
MD5
d75d7dce371da77f30f35288b8ff37f3
-
SHA1
03a63127e19682acb329a4abfffb031311854c00
-
SHA256
576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510
-
SHA512
4fe86c0d0d2022f1986c786e882127dda583cfb7be9df7313db9b982bd8aad1f1b8919d0e0c883c1793768e2c7c6f3a9aeb138ace7264c887f69870ce14970fb
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
6e80e005df38336538ccb8d85ab2bc29cfa761243a4715a28c437c501170372d
-
Size
1.1MB
-
MD5
3667fcde90db97a8b6007a06ff7b49da
-
SHA1
d21c5a703d711950b1e052a7a1bf70e2e14fdf19
-
SHA256
6e80e005df38336538ccb8d85ab2bc29cfa761243a4715a28c437c501170372d
-
SHA512
9c6dce629f70fc3eeda4dbd171aef01b53f1b4a087f56c09f67e661a775c0a0c4b84313f65d14ec90dfbbc62e09fd85f158d2e9d1fd43242a11059d6195232ef
-
CryptBot Payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
c18292ba5f1e7081f1afaf5e62e63823ffc1673ea59a9d62cd4ff1b8ec7e1903
-
Size
1.3MB
-
MD5
fedc12761c161021b24e55df8634a0d5
-
SHA1
750bcf790aa9d2981d90a3ede63ca7856ae12eeb
-
SHA256
c18292ba5f1e7081f1afaf5e62e63823ffc1673ea59a9d62cd4ff1b8ec7e1903
-
SHA512
838333cfe967e99b8a23499a13123ddedfbbd369b968524cbc7cf442444350b985ceddf2cfa79513923f06f409759ae022d670b71b12611fae331fb40909fc7a
-
CryptBot Payload
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-