General

  • Target

    f1bdd41d2cc2e0c7352f470e9ab5e13892d6e6bf5b1409a0455bcd1db8667e29

  • Size

    2.2MB

  • Sample

    220625-ffl4xshac3

  • MD5

    bed2d501ed1168ecd1f9d5972d3df19a

  • SHA1

    444cd628b3d89ff5c19fe6bd3ed67a31cee17534

  • SHA256

    f1bdd41d2cc2e0c7352f470e9ab5e13892d6e6bf5b1409a0455bcd1db8667e29

  • SHA512

    c9c9f5e6330c7831eec60dfaf8544d5537c37c6fa34dcfedc5e51875bc870f9e62718bb2a42e9292ad2c46381af6b6083b86982c9322e49847a58822064b2b53

Malware Config

Targets

    • Target

      f1bdd41d2cc2e0c7352f470e9ab5e13892d6e6bf5b1409a0455bcd1db8667e29

    • Size

      2.2MB

    • MD5

      bed2d501ed1168ecd1f9d5972d3df19a

    • SHA1

      444cd628b3d89ff5c19fe6bd3ed67a31cee17534

    • SHA256

      f1bdd41d2cc2e0c7352f470e9ab5e13892d6e6bf5b1409a0455bcd1db8667e29

    • SHA512

      c9c9f5e6330c7831eec60dfaf8544d5537c37c6fa34dcfedc5e51875bc870f9e62718bb2a42e9292ad2c46381af6b6083b86982c9322e49847a58822064b2b53

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks