General
-
Target
62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30
-
Size
8.6MB
-
Sample
220625-lr98safchm
-
MD5
1d0f0178e9fe7c70684b48699b6b327a
-
SHA1
538b422631bf46c9647aac19d542cad8e910bc37
-
SHA256
62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30
-
SHA512
8f0c41459589c14a8a010e1a2eadecd17c89189ef492b9828c76cd350a7af103c2e4f38dc47d38fc127a0a963a74972b8fbea7006acfbf335145372f2b0dfdb2
Malware Config
Targets
-
-
Target
62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30
-
Size
8.6MB
-
MD5
1d0f0178e9fe7c70684b48699b6b327a
-
SHA1
538b422631bf46c9647aac19d542cad8e910bc37
-
SHA256
62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30
-
SHA512
8f0c41459589c14a8a010e1a2eadecd17c89189ef492b9828c76cd350a7af103c2e4f38dc47d38fc127a0a963a74972b8fbea7006acfbf335145372f2b0dfdb2
Score10/10-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-