General
Target: 58e5562209d50978efd614dd040ef4ca.exe
Size: 764KB
Sample: 210620-tycm9g2g22
MD5: 58e5562209d50978efd614dd040ef4ca
SHA1: d225a1f15ac4f8b96be737b3905f050fc2dc3a31
SHA256: 530656ad87a4e5c0f07998323ebca34348af7c7a2e585196f2d0c73580832e36
SHA512: 4ecc904931853d5f9611e376cac01f018734e6fefee78b005b2f342f1f0750d31859831fdbc99bdbce0e5578c29a90f655dabd14beb4d747879c3a2529491c6f
Static task: static1
Behavioral task: behavioral1
Sample: 58e5562209d50978efd614dd040ef4ca.exe
Resource: win7v20210408
Malware Config
Extracted: cryptbot
- kiykae72.top
- morgon07.top
- payload_url: http://peomyn10.top/download.php?file=lv.exe
Targets
Target: 58e5562209d50978efd614dd040ef4ca.exe
Size: 764KB
MD5: 58e5562209d50978efd614dd040ef4ca
SHA1: d225a1f15ac4f8b96be737b3905f050fc2dc3a31
SHA256: 530656ad87a4e5c0f07998323ebca34348af7c7a2e585196f2d0c73580832e36
SHA512: 4ecc904931853d5f9611e376cac01f018734e6fefee78b005b2f342f1f0750d31859831fdbc99bdbce0e5578c29a90f655dabd14beb4d747879c3a2529491c6f
Signatures
- CryptBot Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext