Resubmissions

16-01-2023 10:07

230116-l5vegshc3x 10

10-01-2023 20:37

230110-zebfksdc9t 10

10-01-2023 18:54

230110-xkgtfach4v 8

10-01-2023 18:48

230110-xf68jacg9t 8

10-01-2023 18:47

230110-xfkpjaha65 8

10-01-2023 18:44

230110-xdm2wacg6t 8

General

  • Target

    Bonzify.exe

  • Size

    6MB

  • Sample

    230116-l5vegshc3x

  • MD5

    fba93d8d029e85e0cde3759b7903cee2

  • SHA1

    525b1aa549188f4565c75ab69e51f927204ca384

  • SHA256

    66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764

  • SHA512

    7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2

  • SSDEEP

    196608:adAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3:OaWedh+Idx75QYub//73lc6u7bLMYxD

Malware Config

Extracted

Family

cryptbot

C2

http://quwsgq110.top/gate.php

Targets

    • Target

      Bonzify.exe

    • Size

      6MB

    • MD5

      fba93d8d029e85e0cde3759b7903cee2

    • SHA1

      525b1aa549188f4565c75ab69e51f927204ca384

    • SHA256

      66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764

    • SHA512

      7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2

    • SSDEEP

      196608:adAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3:OaWedh+Idx75QYub//73lc6u7bLMYxD

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Possible privilege escalation attempt

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

2
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

File Permissions Modification

1
T1222

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Tasks