Description
A C++ stealer distributed widely in bundle with other software.
71af238fbf3c5a3a2c2c3594f1ba8a32
General
Target
Size
Sample
71af238fbf3c5a3a2c2c3594f1ba8a32
2MB
220116-k1l2waffer
Score
10 /10
MD5
SHA1
SHA256
SHA512
71af238fbf3c5a3a2c2c3594f1ba8a32
b9f49782704b14572985ca13b10842d3aa836ad0
3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8
fb12811297a22a71ead742dcde54357cf712c04ad690ed6103287f903592999fcde804357488e062fb8783a24394cc0ff23fa1ffbb9d15941e38873a75f59d7f
Malware Config
Extracted
| Family | cryptbot |
| C2 |
kotehj62.top |
| Attributes |
payload_url http://okadoc09.top/download.php?file=makeyr.exe |
Targets
Target
MD5
Filesize
71af238fbf3c5a3a2c2c3594f1ba8a32
71af238fbf3c5a3a2c2c3594f1ba8a32
2MB
Score
10/10
SHA1
SHA256
SHA512
b9f49782704b14572985ca13b10842d3aa836ad0
3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8
fb12811297a22a71ead742dcde54357cf712c04ad690ed6103287f903592999fcde804357488e062fb8783a24394cc0ff23fa1ffbb9d15941e38873a75f59d7f
Tags
Signatures
-
CryptBot
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags
TTPs
-
Checks BIOS information in registry
Description
BIOS information is often read in order to detect sandboxing environments.
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Deletes itself
-
Themida packer
Description
Detects Themida, an advanced Windows software protection system.
Tags
-
Checks whether UAC is enabled
Tags
TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks