General

  • Target

    3c13e7edba8b425bfa2410cb1d676b553ecc347a41086cb1ed2343a1df5b6478

  • Size

    2.7MB

  • Sample

    210508-lcbvbsyg4a

  • MD5

    6c82a7a0644f3caec2db35a2687357cc

  • SHA1

    d4092dd0fdcefeeb9b62abfafd8367bcbe646ece

  • SHA256

    3c13e7edba8b425bfa2410cb1d676b553ecc347a41086cb1ed2343a1df5b6478

  • SHA512

    e0fc31a17becb55414e1cd8cd05471807c36928ffb5660e390a226ce42f67b4ff275564306c69367a32f22b592f55c6ce7ce94062e7afce3c3faf6319973c728

Malware Config

Targets

    • Target

      3c13e7edba8b425bfa2410cb1d676b553ecc347a41086cb1ed2343a1df5b6478

    • Size

      2.7MB

    • MD5

      6c82a7a0644f3caec2db35a2687357cc

    • SHA1

      d4092dd0fdcefeeb9b62abfafd8367bcbe646ece

    • SHA256

      3c13e7edba8b425bfa2410cb1d676b553ecc347a41086cb1ed2343a1df5b6478

    • SHA512

      e0fc31a17becb55414e1cd8cd05471807c36928ffb5660e390a226ce42f67b4ff275564306c69367a32f22b592f55c6ce7ce94062e7afce3c3faf6319973c728

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks