General

  • Target

    8d73be767e66ca02320224ff435d7b596b8c4b0e3e677e59b442d912f6b318ac

  • Size

    4.3MB

  • Sample

    220625-fr9z5afcgq

  • MD5

    8867b41d34ac2cef93268f87c00b30ab

  • SHA1

    2c9c3b37b961464fc62eb3a04b5d32445bc40d88

  • SHA256

    8d73be767e66ca02320224ff435d7b596b8c4b0e3e677e59b442d912f6b318ac

  • SHA512

    cfd49a8994945e578b4db7511467c444f2ec9cacf285e88a9a4d5dac9b88930450ae4e9971b2eedd6bb3a69d88616500c6b362940c2a6e25489358ea52f7ab18

Malware Config

Targets

    • CryptBot

      A C++ stealer, widely distributed bundled with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks