General

  • Target: 5357827141566464.zip
  • Size: 581KB
  • Sample: 220109-l9rjdsddg5
  • MD5: f031bf307cb5d7a3da2992d095c794fe
  • SHA1: d8a4d89002cf0eb0d4db74a646d620aa8e870a2a
  • SHA256: 30f8d722480f208b7521632343cb6f611eafba1bc0a8c82c6f11cca6aefea914
  • SHA512: f534cf37e951aa3ca75edd304dc35562cabfa4fcc5eea2622ba4865b238dd3c37e774aa3b3d0a25a350f86caf72893203b56edb9b47e008307634b135c185406

Malware Config

Extracted

  • Family: cryptbot
  • C2:
      zyorsx75.top
      morvue07.top
  • Attributes:
      payload_url: http://yapkbc10.top/download.php?file=luzhou.exe

Targets

    • Target: ce04a8f39383e80f77502ff18cfd4e0512e609f4cded12676f499bbd3b647ddb
    • Size: 1.9MB
    • MD5: a35f9d40550c66e04a1ef4ab5444a918
    • SHA1: 1459bafec585d11708b5d71b5823a6989f7dfb38
    • SHA256: ce04a8f39383e80f77502ff18cfd4e0512e609f4cded12676f499bbd3b647ddb
    • SHA512: 9dcea4984088a4a71d35042b4ad4197037cbd7e63b47be1af704f0cd9a12e2163f81e64dc3c5970f056b8189198c3d46fc58e5cb31eac7f03607c272d5c63421

    • CryptBot

      A C++ stealer, widely distributed bundled with other software.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion
  • Virtualization/Sandbox Evasion (1): T1497

Credential Access
  • Credentials in Files (2): T1081

Discovery
  • Query Registry (4): T1012
  • Virtualization/Sandbox Evasion (1): T1497
  • System Information Discovery (4): T1082

Collection
  • Data from Local System (2): T1005
