General

  • Target

    7664dc0aab0b07a94f77928fc63dd6704476e674b61b83a7661c428cd5c99f94

  • Size

    2.1MB

  • Sample

    220625-f5h4kaaae6

  • MD5

    cf00fa6f1bade998bdc0eeed54115d47

  • SHA1

    9e0f849f19f303cd387dcf01f0a9936be03cf9ed

  • SHA256

    7664dc0aab0b07a94f77928fc63dd6704476e674b61b83a7661c428cd5c99f94

  • SHA512

    7a16ed3cf1bdc4cef6fd06d39215b409a3097759ddc11e7738b00d7bfa643932864f92687dc4ff788ce2e7aebdd32c0c5cff72d03b16a6901ee02d945179f6be

Malware Config

Targets

    • Target

      7664dc0aab0b07a94f77928fc63dd6704476e674b61b83a7661c428cd5c99f94

    • CryptBot

      A C++ information stealer, widely distributed bundled with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks