General
-
Target
5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614
-
Size
2.1MB
-
Sample
220802-chhbzafgar
-
MD5
d1d3a5dcd374f68a43e6969a8ad68b73
-
SHA1
1c2739031f26a15d613349eca5560496d38fee4e
-
SHA256
5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614
-
SHA512
3bfd7f6718f734be855708143a6c42f9dfdfcb02f46a8ccba84e2fe87b0251742c08696097d0b3aa0ccfeee712ac2e8c934ce3a2041e2ea3a9f60fb88d729971
-
SSDEEP
49152:UDtxhbTXJvWe5tLXPUMtC438/pQTKykvsSF52ZFYPAsVMq:UD7Jt+0frtC4382TKyz/FYPAsVMq
Malware Config
Extracted
cryptbot
perrr01.pro
Targets
-
-
Target
5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614
-
Size
2.1MB
-
MD5
d1d3a5dcd374f68a43e6969a8ad68b73
-
SHA1
1c2739031f26a15d613349eca5560496d38fee4e
-
SHA256
5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614
-
SHA512
3bfd7f6718f734be855708143a6c42f9dfdfcb02f46a8ccba84e2fe87b0251742c08696097d0b3aa0ccfeee712ac2e8c934ce3a2041e2ea3a9f60fb88d729971
-
SSDEEP
49152:UDtxhbTXJvWe5tLXPUMtC438/pQTKykvsSF52ZFYPAsVMq:UD7Jt+0frtC4382TKyz/FYPAsVMq
Score10/10-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-