General

  • Target

    0c8a7cdaf418d151327672eef2ed0a68c42c220fd5d09666c89b103586fcff4a

  • Size

    16.9MB

  • Sample

    220213-kan4jshgdm

  • MD5

    c982e05a28b471f350fd0b5e5879261f

  • SHA1

    f3eb69f57571c5a51b1e943f4423650f6f76af17

  • SHA256

    0c8a7cdaf418d151327672eef2ed0a68c42c220fd5d09666c89b103586fcff4a

  • SHA512

    83b5f01033b2fabb3aff1d0692b9306e38e4ade28ebfd913a872f15b0da5abe24aae08430cee69762e1aac80be3ed9f8f9be9be319716522bf123def5f70f985

Targets

    • Target

      0c8a7cdaf418d151327672eef2ed0a68c42c220fd5d09666c89b103586fcff4a

    • CryptBot

      A C++ infostealer that is widely distributed bundled with other software.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence that decides whether the sample continues running.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved logins, cookies, autofill entries and session tokens.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Enumerates installed software by reading the Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and its WOW6432Node counterpart).

    • Looks up external IP address via web service

      Contacts a legitimate public IP lookup service to learn the infected system's external IP address. The connection is a useful network indicator even though the service itself is benign.

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is a common step in process hollowing and other code-injection techniques.

    • autoit_exe

      AutoIt scripts compiled to PE executables.
