Extracted

• • Target

    5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614

  • Size

    2.1MB

  • MD5

    d1d3a5dcd374f68a43e6969a8ad68b73

  • SHA1

    1c2739031f26a15d613349eca5560496d38fee4e

  • SHA256

    5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614

  • SHA512

    3bfd7f6718f734be855708143a6c42f9dfdfcb02f46a8ccba84e2fe87b0251742c08696097d0b3aa0ccfeee712ac2e8c934ce3a2041e2ea3a9f60fb88d729971

  • SSDEEP

    49152:UDtxhbTXJvWe5tLXPUMtC438/pQTKykvsSF52ZFYPAsVMq:UD7Jt+0frtC4382TKyz/FYPAsVMq

  Score

  10^/10

  cryptbotdiscoveryevasionspywarestealer

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2