General

  • Target

    067737a46b528dc22156ee3d7ca42fc2e7aa14bd64654fb6095707ed81ab7f19

  • Size

    17.4MB

  • Sample

    220213-kbaybahgej

  • MD5

    d535f841b8869ce8b5d6b951c19c716e

  • SHA1

    65acd0863d65efcd81719bbdc99d1058cac3036f

  • SHA256

    067737a46b528dc22156ee3d7ca42fc2e7aa14bd64654fb6095707ed81ab7f19

  • SHA512

    5cb3d56f6f594727a01391dd3c1647f5aab1b366c2d2efe477bbbf194b158451968b74427ad7668cdaf501fea34c4bdf61fe46f20049feef5a9f6945d0e850f0

Malware Config

Targets

    • Target

      067737a46b528dc22156ee3d7ca42fc2e7aa14bd64654fb6095707ed81ab7f19

    • Size

      17.4MB

    • MD5

      d535f841b8869ce8b5d6b951c19c716e

    • SHA1

      65acd0863d65efcd81719bbdc99d1058cac3036f

    • SHA256

      067737a46b528dc22156ee3d7ca42fc2e7aa14bd64654fb6095707ed81ab7f19

    • SHA512

      5cb3d56f6f594727a01391dd3c1647f5aab1b366c2d2efe477bbbf194b158451968b74427ad7668cdaf501fea34c4bdf61fe46f20049feef5a9f6945d0e850f0

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v6

Tasks