General

  • Target

    5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614

  • Size

    2MB

  • Sample

    220802-chhbzafgar

  • MD5

    d1d3a5dcd374f68a43e6969a8ad68b73

  • SHA1

    1c2739031f26a15d613349eca5560496d38fee4e

  • SHA256

    5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614

  • SHA512

    3bfd7f6718f734be855708143a6c42f9dfdfcb02f46a8ccba84e2fe87b0251742c08696097d0b3aa0ccfeee712ac2e8c934ce3a2041e2ea3a9f60fb88d729971

  • SSDEEP

    49152:UDtxhbTXJvWe5tLXPUMtC438/pQTKykvsSF52ZFYPAsVMq:UD7Jt+0frtC4382TKyz/FYPAsVMq

Malware Config

Extracted

Family

cryptbot

C2

perrr01.pro

Targets

    • Target

      5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614

    • Size

      2MB

    • MD5

      d1d3a5dcd374f68a43e6969a8ad68b73

    • SHA1

      1c2739031f26a15d613349eca5560496d38fee4e

    • SHA256

      5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614

    • SHA512

      3bfd7f6718f734be855708143a6c42f9dfdfcb02f46a8ccba84e2fe87b0251742c08696097d0b3aa0ccfeee712ac2e8c934ce3a2041e2ea3a9f60fb88d729971

    • SSDEEP

      49152:UDtxhbTXJvWe5tLXPUMtC438/pQTKykvsSF52ZFYPAsVMq:UD7Jt+0frtC4382TKyz/FYPAsVMq

    • CryptBot

      A C++ infostealer, widely distributed by bundling it with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
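The anti-VM, BIOS and Wine registry checks, the Uninstall-key enumeration, the browser-profile and wallet file accesses, and the NtSetInformationThread(ThreadHideFromDebugger) call listed above are all things a sandbox derives from the sample's API and registry activity. The script below is an added example, not part of this report or of any sandbox's own code: it expresses those signatures as rules and runs them over a constructed event log. The log format (pid, operation, target, tab separated), the rule names, the file and key paths and the strong/weak split between VM or debugger checks and plain BIOS reads are assumptions made here; only the signature texts are taken from the report.

```python
import re

# Constructed sample log (not taken from the report): one event per line,
# "<pid>\t<operation>\t<target>", the shape a sandbox API monitor or Sysmon
# registry/file events (IDs 11/12/13) can be flattened to.
SAMPLE_LOG = """\
3412\tRegQueryValue\tHKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__
3412\tRegQueryValue\tHKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
3412\tRegQueryValue\tHKLM\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion
3412\tRegOpenKey\tHKCU\\Software\\Wine
3412\tRegEnumKey\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall
3412\tRegQueryValue\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip\\DisplayName
3412\tNtSetInformationThread\tThreadInformationClass=0x11
3412\tNtCreateFile\tC:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
3412\tNtCreateFile\tC:\\Users\\victim\\AppData\\Roaming\\Bitcoin\\wallet.dat
3412\tRegQueryValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\AppData
"""

# (rule name, operation regex, target regex, signature text as it appears in the report).
# ThreadHideFromDebugger is THREADINFOCLASS 0x11 (17).
RULES = [
    ("vbox_acpi", r"^Reg", r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
     "Identifies VirtualBox via ACPI registry values"),
    ("bios_info", r"^Reg", r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)Bios(Version|Date)$",
     "Checks BIOS information in registry"),
    ("wine", r"^Reg", r"^HK(LM|CU)\\Software\\Wine(\\|$)",
     "Identifies Wine through registry keys"),
    ("uninstall_enum", r"^Reg",
     r"^HKLM\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)",
     "Checks installed software on the system"),
    ("hide_from_debugger", r"^NtSetInformationThread$", r"\bThreadInformationClass=(0x11|17)\b",
     "Suspicious use of NtSetInformationThreadHideFromDebugger"),
    ("browser_profile", r"^(Nt)?CreateFile", r"\\(Login Data|Web Data|Cookies|logins\.json|key4\.db)$",
     "Reads user/profile data of web browsers"),
    ("crypto_wallet", r"^(Nt)?CreateFile", r"\\wallet\.dat$",
     "Accesses cryptocurrency files/wallets"),
]
COMPILED = [(n, re.compile(op, re.I), re.compile(tgt, re.I), sig) for n, op, tgt, sig in RULES]

# A VM/Wine fingerprint or hiding a thread from the debugger is a strong
# anti-analysis signal on its own; a BIOS query alone is weak, because
# installers and telemetry read those values too (assumed weighting).
STRONG_ANTI_ANALYSIS = {"vbox_acpi", "wine", "hide_from_debugger"}
WEAK_ANTI_ANALYSIS = {"bios_info"}


def parse_events(log_text):
    """Yield (pid, operation, target) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) == 3 and parts[0].strip():
            yield parts[0], parts[1], parts[2]


def classify(log_text):
    """Map rule name -> list of targets that matched it."""
    hits = {}
    for _pid, op, target in parse_events(log_text):
        for name, op_re, tgt_re, _sig in COMPILED:
            if op_re.search(op) and tgt_re.search(target):
                hits.setdefault(name, []).append(target)
    return hits


def anti_analysis_level(hits):
    """'high' on a strong signal, 'low' when only BIOS reads were seen, else 'none'."""
    seen = set(hits)
    if STRONG_ANTI_ANALYSIS & seen:
        return "high"
    if WEAK_ANTI_ANALYSIS & seen:
        return "low"
    return "none"


def report(log_text):
    """Render the matched signatures in the order the rules are defined."""
    hits = classify(log_text)
    lines = [f"anti-analysis: {anti_analysis_level(hits)}"]
    for name, _op, _tgt, sig in COMPILED:
        if name in hits:
            lines.append(f"[{name}] {sig} ({len(hits[name])} event(s))")
            lines.extend(f"    {t}" for t in hits[name])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The Explorer Shell Folders read in the sample log deliberately matches nothing: it is the kind of benign lookup every installer performs, and a rule set that fires on it would drown the real signals. Conversely, the BIOS rule only lifts the verdict to "low" on its own; it is the combination with the ACPI VBOX__ table or a Wine key that makes the behaviour worth an alert.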

MITRE ATT&CK Matrix

Tactic columns (no techniques are listed under them on this page): Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

                  Tasks