General

  • Target

    1f6f84590c65b33e57d56ac58723bb255342a8cc9290ad7cf54041c9ad5103ae

  • Size

    2.2MB

  • Sample

    220612-wkbfzsedd5

  • MD5

    c9f0723f619ad123e8f27adf28646d56

  • SHA1

    1093e9089c4b0dad95cbb09c2953eb4aaf439966

  • SHA256

    1f6f84590c65b33e57d56ac58723bb255342a8cc9290ad7cf54041c9ad5103ae

  • SHA512

    51d7781b1160f633e221d877cba33a12ee65d2a75e3e429d53b18f4768996e1e0ea0578096963ab0cf70dd4873ad0084efc02fad45a3a773ab3fe7ab9f256b47

Malware Config

Targets

    • Target

      1f6f84590c65b33e57d56ac58723bb255342a8cc9290ad7cf54041c9ad5103ae

    • Size

      2.2MB

    • MD5

      c9f0723f619ad123e8f27adf28646d56

    • SHA1

      1093e9089c4b0dad95cbb09c2953eb4aaf439966

    • SHA256

      1f6f84590c65b33e57d56ac58723bb255342a8cc9290ad7cf54041c9ad5103ae

    • SHA512

      51d7781b1160f633e221d877cba33a12ee65d2a75e3e429d53b18f4768996e1e0ea0578096963ab0cf70dd4873ad0084efc02fad45a3a773ab3fe7ab9f256b47

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks