General
-
Target
6c219118acdf6e43d54298e2a7c268c0877a4f31c207cd29d2e038a858cea9fe.exe
-
Size
627KB
-
Sample
210325-fm5ds2xa2e
-
MD5
8d61c500dd76f3ed117ddc54f0025d86
-
SHA1
abf5a37bc8963d5e369e18b175f5298829ec745f
-
SHA256
6c219118acdf6e43d54298e2a7c268c0877a4f31c207cd29d2e038a858cea9fe
-
SHA512
c521151f2ba2089ab1a9097d69e5bb7553f07e3a218c7f4cc09efcd5dc7b1cf081d41fa16e1d959003e668b32b8865fd5df230a5933351dc7502a94bdbe78657
Malware Config
Extracted
cryptbot
baqsw42.top
morryv04.top
-
payload_url
http://aktyd05.top/download.php?file=lv.exe
Extracted
danabot
1765
3
192.161.48.5:443
142.44.224.16:443
192.3.26.107:443
134.119.186.216:443
-
embedded_hash
A3CC9056F97D33ED99C3617A0B08AA79
Targets
-
-
Target
6c219118acdf6e43d54298e2a7c268c0877a4f31c207cd29d2e038a858cea9fe.exe
-
Size
627KB
-
MD5
8d61c500dd76f3ed117ddc54f0025d86
-
SHA1
abf5a37bc8963d5e369e18b175f5298829ec745f
-
SHA256
6c219118acdf6e43d54298e2a7c268c0877a4f31c207cd29d2e038a858cea9fe
-
SHA512
c521151f2ba2089ab1a9097d69e5bb7553f07e3a218c7f4cc09efcd5dc7b1cf081d41fa16e1d959003e668b32b8865fd5df230a5933351dc7502a94bdbe78657
Score10/10-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
CryptBot Payload
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-