General

  • Target

    f0da202c3b697d4d08afd7b1229d13d07d560510fbf8ff68004f55eb949258e1

  • Size

    4.4MB

  • Sample

    220625-h74jdsdcc6

  • MD5

    5b60cf15a4eb4f9e2046cebd24eae1e6

  • SHA1

    28c2b1b6562c92af7c178a3baf02dd247aa071b7

  • SHA256

    f0da202c3b697d4d08afd7b1229d13d07d560510fbf8ff68004f55eb949258e1

  • SHA512

    83ce68542c72af571776c55f775be7d01b85da5f478513aa99cee4d0b82a8ba213b2d381286a68b90a06842e56e1444b6fe489a0de377b03a1554a5b6e5d550c

Malware Config

Targets

    • CryptBot

      A C++ information stealer, widely distributed bundled with other software.

    • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)


    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks