General

Target: 21f1e57607e3734bd31d55b02f3fbb9e.exe
Size: 791KB
Sample: 230316-rnzkrsbb67
MD5: 21f1e57607e3734bd31d55b02f3fbb9e
SHA1: 2653db1285efc7b847bb56a4e6a5434b03350ac5
SHA256: 6d6a5f70a5f8d597d4074ac0c2d84dd9ed5f41aa39305f4260b831a03bec4569
SHA512: 833a04a5edb72e31c5926907f317132c28b1d19be25d6f4fa74292d1da24eeb0f4a72968d0ae79d3c09e4d1e0010196ab92fab4e80385b690e96e28a3adca66c
SSDEEP: 24576:eaO+WvtXJNDY+mfQ2p0WGstpe8gNZ4bG58b4H:ex+KZNDvmfd+WGsi4658M
Static task: static1
Behavioral task: behavioral1
  Sample: 21f1e57607e3734bd31d55b02f3fbb9e.exe
  Resource: win7-20230220-en
Malware Config

Extracted
Family: cryptbot
C2: http://erniku42.top/gate.php
payload_url: http://ovapfa05.top/unfele
Targets

Target: 21f1e57607e3734bd31d55b02f3fbb9e.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  ThreadHideFromDebugger stops the calling thread from delivering debug events, a common anti-debug step.
- Suspicious use of SetThreadContext
  Used to redirect a thread's execution, for example to start injected code.
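The ACPI, BIOS, disk-enumeration and location checks above are all plain registry reads whose combined result decides whether the sample keeps running. The model below is an added example written for this page, not code from the report, the sandbox or the malware: it reproduces that decision over constructed registry snapshots (a stock VirtualBox guest, the same guest with its hypervisor strings patched, and a host in an excluded locale) so an analyst can see which values need to be changed to keep the sample from bailing out. The registry paths are the standard locations these signatures fire on, assumed here because the report does not list the exact keys the sample reads, and the excluded GeoID set is an assumption since the report only says "likely geofence".

```python
import re

# Standard registry locations these sandbox signatures fire on. The report does
# not list the exact keys the sample reads, so these paths are an assumption.
ACPI_DSDT_KEY = r"HKLM\HARDWARE\ACPI\DSDT"
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System"
DISK_ENUM_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"
GEO_KEY = r"HKCU\Control Panel\International\Geo"

# Substrings that give a hypervisor away in ACPI OEM IDs, BIOS strings and disk IDs.
VM_MARKERS = re.compile(r"vbox|virtualbox|vmware|qemu|xen|bochs|parallels", re.I)


def vm_indicators(snapshot):
    """Return (key, name, data) triples whose data names a hypervisor.

    `snapshot` maps a key path to a dict of value name -> data. The DSDT key
    keeps its OEM-ID subkey names (e.g. VBOX__) under the pseudo-value "subkeys".
    """
    hits = []
    for oem_id in snapshot.get(ACPI_DSDT_KEY, {}).get("subkeys", []):
        if VM_MARKERS.search(oem_id):
            hits.append((ACPI_DSDT_KEY, "subkey", oem_id))
    for name in ("SystemBiosVersion", "VideoBiosVersion",
                 "SystemManufacturer", "SystemProductName"):
        data = snapshot.get(BIOS_KEY, {}).get(name)
        if data and VM_MARKERS.search(data):
            hits.append((BIOS_KEY, name, data))
    for name, data in snapshot.get(DISK_ENUM_KEY, {}).items():
        # Only the numbered entries are device IDs; "Count"/"NextInstance" are not.
        if name.isdigit() and VM_MARKERS.search(data):
            hits.append((DISK_ENUM_KEY, name, data))
    return hits


def geo_id(snapshot):
    """Windows GeoID from the Nation value (stored as a decimal string)."""
    nation = snapshot.get(GEO_KEY, {}).get("Nation")
    return int(nation) if nation and nation.isdigit() else None


def would_run(snapshot, excluded_geo_ids):
    """Decision the listed checks support: continue only on a machine that shows
    no hypervisor markers and is not configured for an excluded country."""
    return not vm_indicators(snapshot) and geo_id(snapshot) not in excluded_geo_ids


# Constructed snapshots (not captured from the sandbox run).
STOCK_VBOX = {
    ACPI_DSDT_KEY: {"subkeys": ["VBOX__"]},
    BIOS_KEY: {"SystemBiosVersion": "VBOX   - 1",
               "VideoBiosVersion": "Oracle VM VirtualBox Version 6.1.40"},
    DISK_ENUM_KEY: {"0": r"IDE\DiskVBOX_HARDDISK___1.0_____\5&1234abcd&0&0.0.0",
                    "Count": "1"},
    GEO_KEY: {"Nation": "244"},
}

# Same guest with the hypervisor strings patched to look like commodity hardware.
HARDENED_VBOX = {
    ACPI_DSDT_KEY: {"subkeys": ["DELL__"]},
    BIOS_KEY: {"SystemBiosVersion": "DELL   - 1072009",
               "VideoBiosVersion": "Intel Video BIOS"},
    DISK_ENUM_KEY: {"0": r"SCSI\Disk&Ven_SAMSUNG&Prod_SSD_860_EVO\4&1f2e3d4c&0&000000",
                    "Count": "1"},
    GEO_KEY: {"Nation": "244"},
}

# Physical-looking host whose locale falls in the exclusion set.
EXCLUDED_LOCALE_HOST = {**HARDENED_VBOX, GEO_KEY: {"Nation": "203"}}

# GeoID 203 is Russia, 244 is the United States. Which countries the sample
# really excludes is not stated in the report; this set is an assumption.
EXCLUDED = {203}

if __name__ == "__main__":
    for label, snap in (("stock VirtualBox", STOCK_VBOX),
                        ("hardened VM", HARDENED_VBOX),
                        ("excluded locale", EXCLUDED_LOCALE_HOST)):
        print(f"{label}: runs={would_run(snap, EXCLUDED)} hits={vm_indicators(snap)}")
```

Run against a real guest, the same three lookups show exactly which artifacts (the VBOX__ DSDT subkey, the VBOX BIOS strings, the VBOX_HARDDISK device ID) the VM image has to hide before a sample with these checks will execute its payload.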