General
- Target: 15e5952202554ed8763ed95daae3c8ee.exe
- Size: 777KB
- Sample: 210612-s5ezyebsce
- MD5: 15e5952202554ed8763ed95daae3c8ee
- SHA1: fb20fa228cdb807f243a44563deae85ecd99360b
- SHA256: a3dc572a998763e1e8c80ce608fdd06faebe9139648bc3c2f65e58ea6a4c483e
- SHA512: e650a303092caaed9607f2583ee48d0a82dbee11ae220c1b86994ba2cc04dcb43f398d78247fcd174875226480dabab8fcbc5d497c06998654f95b7b62a8a075
Static task: static1
Behavioral task: behavioral1
- Sample: 15e5952202554ed8763ed95daae3c8ee.exe
- Resource: win7v20210408
Malware Config
Extracted: cryptbot
- olmsgv52.top
- morika05.top
- payload_url: http://vamhgx07.top/download.php?file=lv.exe
Extracted: danabot
- 1827
- 3
- 192.210.198.12:443
- 37.220.31.50:443
- 184.95.51.183:443
- 184.95.51.175:443
- embedded_hash: 410EB249B3A3D8613B29638D583F7193
Targets
- Target: 15e5952202554ed8763ed95daae3c8ee.exe
- CryptBot Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.