General
Target: f57c8f87acaa5e22b44796b681d54e55.exe
Size: 595KB
Sample: 210211-zewjhnbnba
MD5: f57c8f87acaa5e22b44796b681d54e55
SHA1: 9b428283210c673edc41ae38ad36f5ffae59c1fd
SHA256: 38b951946943714900dc29bb01ce025a84e0f52f095e2901e74a509b9499f2c6
SHA512: 27d9b453a00d7171dbd64e675cdcb4ccaab5474702bfa39f59532c6d1fcd1922dcae1c31598a6052fa66cac256097725f941f4f534e3e03499bea8448158958f
Static task: static1
Behavioral task: behavioral1
Sample: f57c8f87acaa5e22b44796b681d54e55.exe
Resource: win7v20201028
Malware Config
Extracted: cryptbot
breasuals42.top
morteisatr04.top
payload_url: http://cotrarest05.top/download.php?file=lv.exe
Extracted: danabot
1765
3
192.236.192.241:443
134.119.186.199:443
172.93.201.39:443
104.168.156.222:443
embedded_hash: 82C66843DE542BC5CB88F713DE39B52B
Targets
- CryptBot Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger