Overview

overview

10

Static

static

32_64_ver_2_bit.exe

windows7_x64

8

32_64_ver_2_bit.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    32_64_ver_2_bit.exe

  • Size

    1.7MB

  • Sample

    210226-jfstwbym1a

  • MD5

    35ebd08cb45b5639b14457d135b4f8b7

  • SHA1

    e5032a7606a30ba3a9f5e96e8bf40620a56ca93d

  • SHA256

    814333494d8a2ccf5fc6c4908d875e5db6fd91d9f4cb45109cd4fc6c440a2c06

  • SHA512

    b867b86467af4682cea753848c25c3aab4749718f1ef43b4876a94d1524e5d7192412a03820c8d1b3c37aa1e4d7672d9635221012feab55ad2cd5834965a3e4a

Score
10/10
cryptbotxmrigdiscoveryevasionminerspywarestealerupx

Malware Config

Targets

    • Target

      32_64_ver_2_bit.exe

    • Size

      1.7MB

    • MD5

      35ebd08cb45b5639b14457d135b4f8b7

    • SHA1

      e5032a7606a30ba3a9f5e96e8bf40620a56ca93d

    • SHA256

      814333494d8a2ccf5fc6c4908d875e5db6fd91d9f4cb45109cd4fc6c440a2c06

    • SHA512

      b867b86467af4682cea753848c25c3aab4749718f1ef43b4876a94d1524e5d7192412a03820c8d1b3c37aa1e4d7672d9635221012feab55ad2cd5834965a3e4a

    Score
    10/10
    cryptbotxmrigdiscoveryevasionminerspywarestealerupx

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner Payload

      miner

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Hidden Files and Directories

2
T1158

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Hidden Files and Directories

2
T1158

File Permissions Modification

1
T1222

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks