Resubmissions

22-09-2022 08:48

220922-kqfr4seebl 9

General

  • Target

    a4b20aac859ff8939885a98aa746e658.exe

  • Size

    2.5MB

  • Sample

    220922-kqfr4seebl

  • MD5

    a4b20aac859ff8939885a98aa746e658

  • SHA1

    112fefcc64e58fec53d7b6eb04392d5049d2ff7b

  • SHA256

    5e9de6cd9ab8d1b6255115d2afc575bb4865d18b75cbaead7cbe2efdf503f227

  • SHA512

    d9eed217a9347736e7ee1232f3feace9776d9d3381c0d673eab21583e1e74e3da4cc298789b4c6c6e249bf4ae5e2858f4328fbb5c189f04945e2660dd1eeacd6

  • SSDEEP

    24576:nIU9EVQdddvAjGPJXdJ/XQQIEiQaja0APtD5iQnxUXp+3pZAiAISXVmJkTxu9pks:sG2Qn7AiOAx+jtAX

Malware Config

Extracted

Family

cryptbot

C2

http://dixevd32.top/gate.php

Attributes
  • payload_url

    http://lueyob04.top/bhadon.dat

Targets

    • Target

      a4b20aac859ff8939885a98aa746e658.exe

    • Size

      2.5MB

    • MD5

      a4b20aac859ff8939885a98aa746e658

    • SHA1

      112fefcc64e58fec53d7b6eb04392d5049d2ff7b

    • SHA256

      5e9de6cd9ab8d1b6255115d2afc575bb4865d18b75cbaead7cbe2efdf503f227

    • SHA512

      d9eed217a9347736e7ee1232f3feace9776d9d3381c0d673eab21583e1e74e3da4cc298789b4c6c6e249bf4ae5e2858f4328fbb5c189f04945e2660dd1eeacd6

    • SSDEEP

      24576:nIU9EVQdddvAjGPJXdJ/XQQIEiQaja0APtD5iQnxUXp+3pZAiAISXVmJkTxu9pks:sG2Qn7AiOAx+jtAX

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

2
T1005

Tasks