General

  • Target

    b4a3a36942d093c4280ae0f62bedbbb7e0c98e096c5c2deaff57351f3a21e066

  • Size

    421KB

  • Sample

    220215-hp8emadddm

  • MD5

    7befa62d431b99879d357f4173bdfaa2

  • SHA1

    87c3d6661ad988a7ec07ecd7ef16292ce2efb54f

  • SHA256

    b4a3a36942d093c4280ae0f62bedbbb7e0c98e096c5c2deaff57351f3a21e066

  • SHA512

    21a35c4dacddd393618eb109e1ddf7d19835725c64226929d5d0dd537b68549cc92aaa15ae61450a30bc3da0998cc1f4266fe7396c582766206f45598aef7a31

Malware Config

Extracted

Family

cryptbot

C2

cipexl72.top

morahe07.top

Attributes

  • payload_url

    http://sahdyr18.top/download.php?file=bather.exe

Targets

    • CryptBot

      A C++ information stealer, widely distributed bundled with other software.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself
