Analysis

  • max time kernel
    8s
  • max time network
    13s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15/05/2021, 10:32

General

  • Target

    ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe

  • Size

    708KB

  • MD5

    7de2d80e181ee60311d729f2b1fafc57

  • SHA1

    6579dab44c6619b6af86b57fcd160f9a1ffe7b54

  • SHA256

    ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759fd20c9cf44693abf786

  • SHA512

    48776b1226081f6892da57fae1437deaed37bc758f677693a258416a27bdf7690deaa3033cc66697fa88941d02673695751de97b23c63b04eee3f9c139f4e366

Malware Config

Extracted

Family

cryptbot

C2

remmzp62.top

mortlk06.top

Attributes
  • payload_url

    http://sullok09.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • CryptBot Payload 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe
    "C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"
    1⤵
    • Checks processor information in registry
    PID:1028

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1028-60-0x0000000075801000-0x0000000075803000-memory.dmp

          Filesize

          8KB

        • memory/1028-61-0x00000000004F0000-0x00000000005D1000-memory.dmp

          Filesize

          900KB

        • memory/1028-62-0x0000000000400000-0x00000000004E5000-memory.dmp

          Filesize

          916KB