General

  • Target

    c72c7fe540d28b77edb815026e2261d4dd8bda82b7740e4df5ce7de4aa30da59

  • Size

    3.8MB

  • Sample

    220625-hcf5lsbhc3

  • MD5

    6a6f0959ee91afc0ed79d8d448f68ae9

  • SHA1

    699aa8e7f794b7f96ece378a9ca8f81adac37cfe

  • SHA256

    c72c7fe540d28b77edb815026e2261d4dd8bda82b7740e4df5ce7de4aa30da59

  • SHA512

    a478f317fc850ec763d4887c515d6de7a6b7d1f26076322bce9753f48e7a25cbcbb21d5e95fe0cebf10038adfa60e82785f7390270689a3ccb17879cfe531393

Malware Config

Targets

    • CryptBot

      A C++ stealer that is widely distributed bundled with other software.

    • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks