General

  • Target

    dfa838aa7b2d2131aeb52019f617fd10f13a27db4d50cb959623bfd84ca7c109

  • Size

    2.0MB

  • Sample

    220625-gjmejaafb2

  • MD5

    c52b15f4a09ce8787319bdc694965adb

  • SHA1

    7e9629ba5ea2d5889a4e55a81ef959ed4631bcae

  • SHA256

    dfa838aa7b2d2131aeb52019f617fd10f13a27db4d50cb959623bfd84ca7c109

  • SHA512

    83045e45d98f13882887f25c80353f546f595d8f94974779971e318a31a8ab37870964eeee1c199233ee99457af89688e67a0f61bf9182a35320b844f19f3146

Malware Config

Targets

    • CryptBot

      A C++ stealer that is widely distributed in bundles with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks