General
- Target: c3c559e832052bbf33f52f6f8b0ff086.exe
- Size: 701KB
- Sample: 210725-t9g9geanaa
- MD5: c3c559e832052bbf33f52f6f8b0ff086
- SHA1: 23477b75572d17b1d47b9670862aa174fb55d166
- SHA256: 838edfe6cbf7b8fb1f0d3d99535f15ef22b651fa82a9f31a50c3cae435a0af0c
- SHA512: 2a1e3e9676b103d23947b2271059f59f0bd71559071805f8650c6a27168016cff791ec3c7f2102740b1e1b9a6c5f34775a9a58d2ae3215f9bf386827d9da4583
Static task: static1
Behavioral task: behavioral1
- Sample: c3c559e832052bbf33f52f6f8b0ff086.exe
- Resource: win7v20210408
Malware Config
Extracted: cryptbot
- smauvo62.top
- mortuh06.top
- payload_url: http://gurswi09.top/download.php?file=lv.exe
Extracted: danabot
- 1987
- 4
- 142.11.244.124:443
- 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
Targets
- Target: c3c559e832052bbf33f52f6f8b0ff086.exe
- CryptBot Payload
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext