General
-
Target
6490136719425536.zip
-
Size
26.4MB
-
Sample
210115-etdwb4wkpe
-
MD5
ec5f4896ebbf4f99479a7cf67702a7fe
-
SHA1
02370898972b286ba636a3b9a5e81eb8a0c2f332
-
SHA256
99932e6dbe1103e83b0468d11bda2808d22d5522f91b78ca6a3c06a5a85b3210
-
SHA512
d083822f13472743850924015481532c26dd1c1446f5161d10dd9594f14da75ab7f529607ca56e230f36b552d095d3a974b855475cec3f466894271f7c49789e
Malware Config
Targets
-
-
Target
144755cf70a3ef6c0212c49645891c53ce926ad7e3e626016023d6aecc484372
-
Size
9.0MB
-
MD5
803d222204c0cd0414b87ec11fa0b012
-
SHA1
96023416083824f1b4c83161e9c4d6a5197631d6
-
SHA256
144755cf70a3ef6c0212c49645891c53ce926ad7e3e626016023d6aecc484372
-
SHA512
f099459e45b115a05a2df128d31a991210279b9a6cb9a4a40b57ecdd4b35442064f4c1390a9ce2c0f6f16b71ce74264ff948c8467b72262dcc21be8e69aea716
Score10/10-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-