Overview

overview

10

Static

static

8

d6ecaf0c5f...09.exe

windows7_x64

10

d6ecaf0c5f...09.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109

  • Size

    2.3MB

  • Sample

    220521-mjy18afadj

  • MD5

    968e9faa49c57145eb9aa1d88147980a

  • SHA1

    6f5824fac218092bdd0d2215b9e59615fdb4ddc3

  • SHA256

    d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109

  • SHA512

    9330d072ce4689299a38fc3897a78b6d23abb4463c6bc771e2a45a23812c44dab3e344d121bc4833d5545579e5371f56fb939898197296adf3d4a4e8e589d6d6

Score
10/10
cryptbotdiscoveryspywarestealersuricatavmprotect

Malware Config

Extracted

Family

cryptbot

C2

vetiir04.top

moriiikk02.top

Targets

    • Target

      d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109

    • Size

      2.3MB

    • MD5

      968e9faa49c57145eb9aa1d88147980a

    • SHA1

      6f5824fac218092bdd0d2215b9e59615fdb4ddc3

    • SHA256

      d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109

    • SHA512

      9330d072ce4689299a38fc3897a78b6d23abb4463c6bc771e2a45a23812c44dab3e344d121bc4833d5545579e5371f56fb939898197296adf3d4a4e8e589d6d6

    Score
    10/10
    cryptbotdiscoveryspywarestealersuricatavmprotect

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • CryptBot Payload

    • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

      suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

      suricata

    • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

      suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

      suricata

    • Blocklisted process makes network request

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks