General

  • Target

    af92a902d7a44c35209751a6a4ea76b7.exe

  • Size

    795KB

  • Sample

    230303-w26nfsah57

  • MD5

    af92a902d7a44c35209751a6a4ea76b7

  • SHA1

    84df082d9587ca24dd30da7b252cb7a37006c42a

  • SHA256

    bc8a51ae8941791b3322fcec60bd7d450c80ad7d5625084f9e59dd580883d609

  • SHA512

    8358c3a413007452052b7158c3f92f51cf305828c1818afa2f3f124b2113dbbbff34b79343608f7860bde75ae392a978f1d559b478858cf0d3738a4b97e2c4d0

  • SSDEEP

    24576:v1Mxt5hLFiFMw57enjaEpWCb54PRvzQsWsWZhq8VLFH:29howkCUQDqat

Malware Config

Extracted

Family

cryptbot

C2

http://xjupom52.top/gate.php

Attributes
  • payload_url

    http://rymhdi07.top/zither.dat

Targets

    • Target

      af92a902d7a44c35209751a6a4ea76b7.exe

    • Size

      795KB

    • MD5

      af92a902d7a44c35209751a6a4ea76b7

    • SHA1

      84df082d9587ca24dd30da7b252cb7a37006c42a

    • SHA256

      bc8a51ae8941791b3322fcec60bd7d450c80ad7d5625084f9e59dd580883d609

    • SHA512

      8358c3a413007452052b7158c3f92f51cf305828c1818afa2f3f124b2113dbbbff34b79343608f7860bde75ae392a978f1d559b478858cf0d3738a4b97e2c4d0

    • SSDEEP

      24576:v1Mxt5hLFiFMw57enjaEpWCb54PRvzQsWsWZhq8VLFH:29howkCUQDqat

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks