General

  • Target

    02c9ff836b50937d98fbd5d0dd0c67393554af5f43cf7b3f908f7be57230fe75

  • Size

    1.8MB

  • Sample

    220528-c8swdsdhc8

  • MD5

    3ab71f5cbfac7d5c8eeed07ce6e08c82

  • SHA1

    504efc05b11d2daf8ff364ab524614407f08de11

  • SHA256

    02c9ff836b50937d98fbd5d0dd0c67393554af5f43cf7b3f908f7be57230fe75

  • SHA512

    87227fbd97fff57c677fcbf1b5bb836e73c0b4d65162c69f9fcf3e3cab8aeab2f8abbaba2a4df232cdeafc965936b52e9c37ba5ae5f69bc3967d49e4d05ac40f

Malware Config

Extracted

Family

cryptbot

C2

kaaaqttob24.top

morcyjhlr04.top

Attributes

  • payload_url

    http://vrsypcmlg13.top/download.php?file=lv.exe
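The extracted config above gives three network indicators (two C2 domains and the payload host) plus the sample's file hashes. The script below is an added example, not part of the sandbox report, showing how to turn those indicators into a matcher and run it over log lines. The DNS and proxy log formats, client addresses and timestamps are constructed for the example; the domains, URL and hashes are the ones in the report.

```python
"""Match the CryptBot IOCs from this report against constructed log lines.
Added example; the log formats below are invented, not from the sandbox."""
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the extracted config and hash list above.
C2_DOMAINS = {"kaaaqttob24.top", "morcyjhlr04.top"}
PAYLOAD_URL = "http://vrsypcmlg13.top/download.php?file=lv.exe"
SAMPLE_HASHES = {
    "md5": "3ab71f5cbfac7d5c8eeed07ce6e08c82",
    "sha1": "504efc05b11d2daf8ff364ab524614407f08de11",
    "sha256": "02c9ff836b50937d98fbd5d0dd0c67393554af5f43cf7b3f908f7be57230fe75",
}
PAYLOAD_HOST = urlparse(PAYLOAD_URL).hostname          # vrsypcmlg13.top
WATCH_DOMAINS = C2_DOMAINS | {PAYLOAD_HOST}


def domain_matches(name, watch=WATCH_DOMAINS):
    """True if name equals a watched domain or is a subdomain of one.
    Suffix matching is on label boundaries, so a lookalike such as
    notkaaaqttob24.top does not match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watch)


def scan_dns_log(lines):
    """Constructed DNS log format: '<timestamp> <client> query <qname>'.
    Returns (client, qname) for every query that hits a watched domain."""
    hits = []
    for line in lines:
        m = re.match(r"(\S+)\s+(\S+)\s+query\s+(\S+)", line)
        if m and domain_matches(m.group(3)):
            hits.append((m.group(2), m.group(3).lower().rstrip(".")))
    return hits


def scan_proxy_log(lines):
    """Constructed proxy log format: '<timestamp> <client> <method> <url> <status>'.
    Flags the exact payload URL and any URL whose host is a watched domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        url = parts[3]
        host = urlparse(url).hostname or ""
        if url == PAYLOAD_URL or domain_matches(host):
            hits.append((parts[1], url))
    return hits


def hash_matches(data):
    """Hash a file's bytes with all three algorithms the report lists and
    return the names of the algorithms whose digest matches the sample."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return sorted(alg for alg, h in digests.items() if h == SAMPLE_HASHES[alg])


# Constructed sample logs (hypothetical clients and times, not captured traffic).
DNS_LINES = [
    "2022-05-28T10:01:02Z 10.0.0.5 query kaaaqttob24.top",
    "2022-05-28T10:01:05Z 10.0.0.6 query www.example.com",
    "2022-05-28T10:01:09Z 10.0.0.7 query cdn.morcyjhlr04.top.",
    "2022-05-28T10:01:12Z 10.0.0.8 query notkaaaqttob24.top",
]
PROXY_LINES = [
    "2022-05-28T10:02:00Z 10.0.0.5 GET http://vrsypcmlg13.top/download.php?file=lv.exe 200",
    "2022-05-28T10:02:03Z 10.0.0.6 GET https://www.example.com/index.html 200",
    "2022-05-28T10:02:07Z 10.0.0.5 POST http://kaaaqttob24.top/ 200",
]

if __name__ == "__main__":
    for client, qname in scan_dns_log(DNS_LINES):
        print(f"DNS hit: {client} -> {qname}")
    for client, url in scan_proxy_log(PROXY_LINES):
        print(f"proxy hit: {client} -> {url}")
    print("hash match on placeholder bytes:", hash_matches(b"not the sample"))
```

The domain check deliberately matches on label boundaries rather than plain substring, since CryptBot-style throwaway .top domains are short and a substring check would also fire on unrelated names that happen to contain one. Hash matching is only useful against the exact file this report describes; a re-packed build will have different digests, so the network indicators are the more durable hunt.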

Targets

    • Target

      02c9ff836b50937d98fbd5d0dd0c67393554af5f43cf7b3f908f7be57230fe75

    • Size

      1.8MB

    • MD5

      3ab71f5cbfac7d5c8eeed07ce6e08c82

    • SHA1

      504efc05b11d2daf8ff364ab524614407f08de11

    • SHA256

      02c9ff836b50937d98fbd5d0dd0c67393554af5f43cf7b3f908f7be57230fe75

    • SHA512

      87227fbd97fff57c677fcbf1b5bb836e73c0b4d65162c69f9fcf3e3cab8aeab2f8abbaba2a4df232cdeafc965936b52e9c37ba5ae5f69bc3967d49e4d05ac40f

    • CryptBot

      A C++ information stealer, widely distributed bundled with cracked or pirated software.

    • CryptBot Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
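Three of the behavioural signatures above (executes dropped EXE, loads dropped DLL, adds Run key) can be re-derived from endpoint telemetry by correlating file-creation events with later process-creation, image-load and registry events. The script below is an added example, not code from the sandbox, that does this over a constructed Sysmon-style event stream: the file paths, process IDs, SID and Run value name are invented for illustration and are not observed artefacts of this sample. It uses the real Sysmon event IDs 1 (ProcessCreate), 7 (ImageLoad), 11 (FileCreate) and 13 (RegistryEvent, value set).

```python
"""Re-derive dropped-file and Run-key signatures from a constructed
Sysmon-style event list. Added example; the events are invented."""
from collections import defaultdict

RUN_KEY_MARKER = "\\currentversion\\run\\"


def match_signatures(events):
    """events: list of dicts, one per Sysmon event, in time order.
    Returns {signature_name: [evidence, ...]} for every signature that fired."""
    dropped = defaultdict(set)   # lower-cased path -> set of PIDs that wrote it
    hits = defaultdict(list)
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            # FileCreate: remember every file a monitored process writes.
            dropped[ev["TargetFilename"].lower()].add(ev["ProcessId"])
        elif eid == 1:
            # ProcessCreate: the new image is a file we saw being dropped earlier.
            if ev["Image"].lower() in dropped:
                hits["Executes dropped EXE"].append(ev["Image"])
        elif eid == 7:
            # ImageLoad: a DLL that was dropped earlier is now mapped into a process.
            loaded = ev["ImageLoaded"].lower()
            if loaded.endswith(".dll") and loaded in dropped:
                hits["Loads dropped DLL"].append(ev["ImageLoaded"])
        elif eid == 13:
            # RegistryEvent (value set) under a ...\CurrentVersion\Run\ key.
            if RUN_KEY_MARKER in ev["TargetObject"].lower():
                hits["Adds Run key to start application"].append(
                    (ev["TargetObject"], ev["Details"]))
    return dict(hits)


# Constructed events (hypothetical paths, PIDs and SID; not from this sample).
TMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": "C:\\Users\\victim\\Downloads\\installer.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 11, "ProcessId": 4120, "Image": "C:\\Users\\victim\\Downloads\\installer.exe",
     "TargetFilename": TMP + "dropped.exe"},
    {"EventID": 11, "ProcessId": 4120, "Image": "C:\\Users\\victim\\Downloads\\installer.exe",
     "TargetFilename": TMP + "helper.dll"},
    {"EventID": 1, "ProcessId": 4388, "Image": TMP + "dropped.exe",
     "ParentImage": "C:\\Users\\victim\\Downloads\\installer.exe"},
    {"EventID": 7, "ProcessId": 4388, "Image": TMP + "dropped.exe",
     "ImageLoaded": TMP + "helper.dll"},
    {"EventID": 7, "ProcessId": 4388, "Image": TMP + "dropped.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"EventID": 13, "ProcessId": 4388, "Image": TMP + "dropped.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": TMP + "dropped.exe"},
]

if __name__ == "__main__":
    for name, evidence in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name}: {evidence}")
```

The correlation is what makes these signatures useful: an EXE launching from a temp directory or a DLL loading from there is noisy on its own, but an image that the same session wrote to disk moments earlier and then executed or loaded is a much narrower condition. The fifth signature, suspicious use of SetThreadContext, is not recoverable this way: Sysmon has no event for that API, so detecting it needs API-level tracing from a sandbox hook, ETW or an EDR, or an inference from its usual companions (a suspended child process followed by memory writes and a context change, as in process hollowing).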

MITRE ATT&CK Enterprise v6

Tasks