General

  • Target

    e4d6116961af51766708d62d2be4173d1e112f065fbdc0e7e77bb1c7641fa0cb

  • Size

    4.2MB

  • Sample

    220625-f6gxwsfhaj

  • MD5

    fc6fb64ee34404163af28b7e2857972d

  • SHA1

    952f925c86de0f8d6e1f6ee119485b714d69ceb5

  • SHA256

    e4d6116961af51766708d62d2be4173d1e112f065fbdc0e7e77bb1c7641fa0cb

  • SHA512

    f8cb101fb8e0502c04e09f0b76163777dd03b0480f057e17359d80e5db124c70179b4da5455af17e5ab66765f926cad133e188394381152d291e3926d2719103

Targets

    • CryptBot

      A C++ infostealer, widely distributed bundled with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain regions).

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other secrets.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger information class detaches the calling thread from any attached debugger, so the thread's exceptions are no longer delivered to it. This is a common anti-debugging technique and rarely has a legitimate use in application code.

MITRE ATT&CK Enterprise v6
