General

  • Target

    183c36ee3ad752f285926be4964605bc382369baea99bb528a14f34f24fd1a0f

  • Size

    4.2MB

  • Sample

    220608-wngr6sagcj

  • MD5

    ea139ce157017edaa2f1e02a542511f1

  • SHA1

    232813abc1d12b97993d003856576888aa726fbd

  • SHA256

    183c36ee3ad752f285926be4964605bc382369baea99bb528a14f34f24fd1a0f

  • SHA512

    6dbd95b8408ba2bb6912c4317b9604ccb887891ba14506588df7756a6b1ca6337c22c3edbcadaec0b4fdc50e5c55c682d6f6182535082e8cc608899602bea8bf

Malware Config

Targets

    • Target

      183c36ee3ad752f285926be4964605bc382369baea99bb528a14f34f24fd1a0f

    • Size

      4.2MB

    • MD5

      ea139ce157017edaa2f1e02a542511f1

    • SHA1

      232813abc1d12b97993d003856576888aa726fbd

    • SHA256

      183c36ee3ad752f285926be4964605bc382369baea99bb528a14f34f24fd1a0f

    • SHA512

      6dbd95b8408ba2bb6912c4317b9604ccb887891ba14506588df7756a6b1ca6337c22c3edbcadaec0b4fdc50e5c55c682d6f6182535082e8cc608899602bea8bf

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

      suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks