Overview

overview

10

Static

static

e0cd873e8a...d3.exe

windows7-x64

10

e0cd873e8a...d3.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e0cd873e8a101ca2c1dd875419eb96526c9844e740b00148c09fc79f63dfacd3

  • Size

    4.1MB

  • Sample

    220724-1svl2saaer

  • MD5

    ab1c4dcbc73ef4eb7e6cf05137c31ade

  • SHA1

    786798811176b23a2913cbb334c42d043b793fda

  • SHA256

    e0cd873e8a101ca2c1dd875419eb96526c9844e740b00148c09fc79f63dfacd3

  • SHA512

    278f4a6b9e1547e933ffd2030bc783f246f88399efefce613ac83cebde5521fad048b0f76fb42736878094f6d0afffcffd35d9ba6d0010c519cd76aaa9feb2c1

Score
10/10
cryptbotdiscoveryevasionspywarestealersuricata

Malware Config

Targets

    • Target

      e0cd873e8a101ca2c1dd875419eb96526c9844e740b00148c09fc79f63dfacd3

    • Size

      4.1MB

    • MD5

      ab1c4dcbc73ef4eb7e6cf05137c31ade

    • SHA1

      786798811176b23a2913cbb334c42d043b793fda

    • SHA256

      e0cd873e8a101ca2c1dd875419eb96526c9844e740b00148c09fc79f63dfacd3

    • SHA512

      278f4a6b9e1547e933ffd2030bc783f246f88399efefce613ac83cebde5521fad048b0f76fb42736878094f6d0afffcffd35d9ba6d0010c519cd76aaa9feb2c1

    Score
    10/10
    discoveryevasionspywarestealersuricatacryptbot

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

      suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

      suricata

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks