General
-
Target
08e9f16a456c604e7cba97d5715fcc119d236e621a4daa05bf2095ebd86db0b3
-
Size
2.8MB
-
Sample
220215-s9blhagfc3
-
MD5
112ec56110d36baba5b9e1ae46e171aa
-
SHA1
50bfa9adfb24d913fc5607ac762e8a9907b1fe68
-
SHA256
08e9f16a456c604e7cba97d5715fcc119d236e621a4daa05bf2095ebd86db0b3
-
SHA512
c8d19fb284f33e6859679c31bad90828be37ea9a83577efa63033fc781a11e2a5bf3d76f07bf6192c014795f968997dad0d68aac13f88403a7cfc21a0abb3abd
Malware Config
Extracted
cryptbot
nob3m.top
nob3e.top
Targets
-
-
Target
08e9f16a456c604e7cba97d5715fcc119d236e621a4daa05bf2095ebd86db0b3
-
Size
2.8MB
-
MD5
112ec56110d36baba5b9e1ae46e171aa
-
SHA1
50bfa9adfb24d913fc5607ac762e8a9907b1fe68
-
SHA256
08e9f16a456c604e7cba97d5715fcc119d236e621a4daa05bf2095ebd86db0b3
-
SHA512
c8d19fb284f33e6859679c31bad90828be37ea9a83577efa63033fc781a11e2a5bf3d76f07bf6192c014795f968997dad0d68aac13f88403a7cfc21a0abb3abd
Score10/10-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-