General

  • Target

    1b24b813b81daa68d954a2ae89d9ad495ff14e9ff1cc5bc0e6a1c265f7059028

  • Size

    1.6MB

  • Sample

    220607-yc3avaegel

  • MD5

    de0a67addb6c8fab19e29fdcd949725c

  • SHA1

    2829056cdc8f189eaa8559bca8f2f8aa6277dc05

  • SHA256

    1b24b813b81daa68d954a2ae89d9ad495ff14e9ff1cc5bc0e6a1c265f7059028

  • SHA512

    5b7232e2173d8b7ecaba546f98fd0ec107565a8f110e195efa4fdd5ac8399130136d1185021c1bdf30fe32d4a0226052c7313d59db3cfd6f2792a06541541e52

Malware Config

Extracted

Family

cryptbot

C2

sogjge55.top

moratr05.top

Attributes
  • payload_url

    http://douydw07.top/download.php?file=lv.exe

Targets

    • Target

      1b24b813b81daa68d954a2ae89d9ad495ff14e9ff1cc5bc0e6a1c265f7059028

    • Size

      1.6MB

    • MD5

      de0a67addb6c8fab19e29fdcd949725c

    • SHA1

      2829056cdc8f189eaa8559bca8f2f8aa6277dc05

    • SHA256

      1b24b813b81daa68d954a2ae89d9ad495ff14e9ff1cc5bc0e6a1c265f7059028

    • SHA512

      5b7232e2173d8b7ecaba546f98fd0ec107565a8f110e195efa4fdd5ac8399130136d1185021c1bdf30fe32d4a0226052c7313d59db3cfd6f2792a06541541e52

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • CryptBot Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks