General

  • Target

    1baf798133a0e0a049012bf4d08b4e5179ce0179d69b7849f29081aa2da09b17

  • Size

    4.2MB

  • Sample

    220607-whqg5abceq

  • MD5

    793ca28db749e884e8cdbae9947563ea

  • SHA1

    1bbc709062ee014f4f3a3bc2f9e21cce1f01a1ed

  • SHA256

    1baf798133a0e0a049012bf4d08b4e5179ce0179d69b7849f29081aa2da09b17

  • SHA512

    fe8da0f6f577ace0ed1a4c5612a7c7ea663d8c56d3626746f6149f9e5cc8d9c5d3880444a81b345d4cb26c7774a3341d30ecd8d8705d5b1996d2aa2a2c228604

Malware Config

Targets

    • Target

      1baf798133a0e0a049012bf4d08b4e5179ce0179d69b7849f29081aa2da09b17

    • Size

      4.2MB

    • MD5

      793ca28db749e884e8cdbae9947563ea

    • SHA1

      1bbc709062ee014f4f3a3bc2f9e21cce1f01a1ed

    • SHA256

      1baf798133a0e0a049012bf4d08b4e5179ce0179d69b7849f29081aa2da09b17

    • SHA512

      fe8da0f6f577ace0ed1a4c5612a7c7ea663d8c56d3626746f6149f9e5cc8d9c5d3880444a81b345d4cb26c7774a3341d30ecd8d8705d5b1996d2aa2a2c228604

    • CryptBot

      A C++ stealer distributed widely in bundles with other software.

    • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks