General

  • Target

    8b2242c04e274c84a8dc25bcab75158f.exe

  • Size

    2.6MB

  • Sample

    211229-jr5xysdbgn

  • MD5

    8b2242c04e274c84a8dc25bcab75158f

  • SHA1

    33d4c61dca4ab2392f23b18ac3188491db586f0f

  • SHA256

    2dfc078c3658a63016fd846cc735c0d5c359b6639cb89ae08ccc9a19fb3e5df3

  • SHA512

    f26bb2f323140ce71dcbc174b298cca7f9803be20322d64b9ccaf254763ae93ca53a7382942c42dc4ca7b7454dc8147a9df8c91962c9200e9d83835a0f5430ab

Malware Config

Extracted

Family

cryptbot

C2

hevzbn22.top

morwce02.top

Attributes
  • payload_url

    http://kyvgns02.top/download.php?file=finjan.exe

Targets

    • Target

      8b2242c04e274c84a8dc25bcab75158f.exe

    • Size

      2.6MB

    • MD5

      8b2242c04e274c84a8dc25bcab75158f

    • SHA1

      33d4c61dca4ab2392f23b18ac3188491db586f0f

    • SHA256

      2dfc078c3658a63016fd846cc735c0d5c359b6639cb89ae08ccc9a19fb3e5df3

    • SHA512

      f26bb2f323140ce71dcbc174b298cca7f9803be20322d64b9ccaf254763ae93ca53a7382942c42dc4ca7b7454dc8147a9df8c91962c9200e9d83835a0f5430ab

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks