General

  • Target

    af12a5b1fb40fb31e4f8979b0a4cb42c.exe

  • Size

    758KB

  • Sample

    210727-aqhq4h59ya

  • MD5

    af12a5b1fb40fb31e4f8979b0a4cb42c

  • SHA1

    a1ff752ec748ca0dae13b861b8bbc3da61fc7c8c

  • SHA256

    a4c1611cb53460b6e745cc05101f83a834d66d78462fff9b190cff9727784700

  • SHA512

    a2107fd5547b7040ee2e584c83fc24ec6dba39d87934f18caf1161a5cfda817296758b6145452800f0ecbb23831e9b8a29f9328f22dda8eecb2f1b958880a6d1

Malware Config

Extracted

Family

cryptbot

C2

ewaisg12.top

morvay01.top

Attributes

  • payload_url

    http://winezo01.top/download.php?file=lv.exe

Targets

    • CryptBot

      A C++ stealer that is widely distributed bundled with other software.

    • CryptBot Payload

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Install Root Certificate (1) T1130

  • Modify Registry (1) T1112

Credential Access

  • Credentials in Files (2) T1081

Discovery

  • Query Registry (2) T1012

  • System Information Discovery (2) T1082

Collection

  • Data from Local System (2) T1005

Command and Control

  • Web Service (1) T1102

Tasks