General
Target: 81c1a4c3135df84530588d812b9c860b.bin
Size: 686KB
Sample: 230313-m1t4laaa67
MD5: 8d0c1bd0f3438f48727630462aa2f207
SHA1: a31f0650026f0fc7ca79f8aee33258f7d6cebfd1
SHA256: 6db46a415105be7b2100d831c76616ce2ccce65a8a0b84b9e8fe8d74e25385b0
SHA512: 463a21d7aa486aa4715114ef303bf477e9c7b759cd1dad22547219f136f5f87ca9287e98e945b4b390dae433bf84cec0698a8ee88a8ff39fbcebc6944f34cdc1
SSDEEP: 12288:R+KdkTCfiCej2g9gnVRbU21N1jM4DBZ2P1F4na4oK9:R+KdkmuR+bUStfWn4b
Static task: static1
Behavioral task: behavioral1
Sample: 3654fad9d471a913d6a4e4669c4cf6d0d93c35218d35793db325079a9f2bcb31.exe
Resource: win7-20230220-en
Malware Config
Extracted: cryptbot
http://lahxam72.top/gate.php
payload_url: http://ahowyg10.top/phylum.dat
Targets
Target: 3654fad9d471a913d6a4e4669c4cf6d0d93c35218d35793db325079a9f2bcb31.exe
Size: 795KB
MD5: 81c1a4c3135df84530588d812b9c860b
SHA1: d98e1eade1b6d333716cf47015e22208e04d4cd3
SHA256: 3654fad9d471a913d6a4e4669c4cf6d0d93c35218d35793db325079a9f2bcb31
SHA512: 92958f6899b357bf5014e7a547ef9e50af76607bd8bd9d737eb94c20283bff91a60cbbea8869820ebab816770f3762caa843235757e5d724f69978b005b070a1
SSDEEP: 24576:AjULrWjEXNmzNqyRYpU/sdMgQf/HhmYs4ykvWiH:AqrFXNmz8yKpUCRmBs4y8Z
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system. Looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry. Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext