General
-
Target
fb660cd8294a2f697bc610d746833d91.exe
-
Size
760KB
-
Sample
210726-9fqwywaw6a
-
MD5
fb660cd8294a2f697bc610d746833d91
-
SHA1
e9cfc83ec806592a49bd094e2bbc07c937e0c9e2
-
SHA256
28877275c2c938f24cd0bf43f2c0cef090c58b7a85a988b2f6dff4970660b07d
-
SHA512
10da1e75c4aeb3df811dd22a2da4528227f8d7350bfa5992ef6cc4f3f8822e2c7ffdf897040635c1476f95b0112f13376be7cb849a8dea81455db73056329c92
Static task
static1
Behavioral task
behavioral1
Sample
fb660cd8294a2f697bc610d746833d91.exe
Resource
win7v20210408
Malware Config
Extracted
cryptbot
ewaisg12.top
morvay01.top
-
payload_url
http://winezo01.top/download.php?file=lv.exe
Extracted
danabot
1987
4
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
Targets
-
-
Target
fb660cd8294a2f697bc610d746833d91.exe
-
Size
760KB
-
MD5
fb660cd8294a2f697bc610d746833d91
-
SHA1
e9cfc83ec806592a49bd094e2bbc07c937e0c9e2
-
SHA256
28877275c2c938f24cd0bf43f2c0cef090c58b7a85a988b2f6dff4970660b07d
-
SHA512
10da1e75c4aeb3df811dd22a2da4528227f8d7350bfa5992ef6cc4f3f8822e2c7ffdf897040635c1476f95b0112f13376be7cb849a8dea81455db73056329c92
-
CryptBot Payload
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Drops startup file
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-