General
-
Target
ce0ed3120b712e7c079e2ce922c9569d53029280c404e913327c52531abc266a
-
Size
379KB
-
Sample
211206-v32kfshfc4
-
MD5
bb68e474b7835533c462e24ef1f7f460
-
SHA1
4ba2fa722e203cdb3b6baa49a1d46355e300f920
-
SHA256
ce0ed3120b712e7c079e2ce922c9569d53029280c404e913327c52531abc266a
-
SHA512
088fef4a988ebd9b5161d22cc8856d677e890a5e7cbaddd5d8471491833e4fbc0a48cbf2335670dc136d7cca44aeda6e6e3fda7d3e3fc0472ac604609f9fa595
Malware Config
Extracted
cryptbot
gomoxw12.top
morxub01.top
-
payload_url
http://peumgu12.top/download.php?file=melder.exe
Targets
-
-
Target
ce0ed3120b712e7c079e2ce922c9569d53029280c404e913327c52531abc266a
-
Size
379KB
-
MD5
bb68e474b7835533c462e24ef1f7f460
-
SHA1
4ba2fa722e203cdb3b6baa49a1d46355e300f920
-
SHA256
ce0ed3120b712e7c079e2ce922c9569d53029280c404e913327c52531abc266a
-
SHA512
088fef4a988ebd9b5161d22cc8856d677e890a5e7cbaddd5d8471491833e4fbc0a48cbf2335670dc136d7cca44aeda6e6e3fda7d3e3fc0472ac604609f9fa595
Score10/10-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-