General

  • Target

    1e13665ad9d89eb7942a5875e0c604fa.bin

  • Size

    686KB

  • Sample

    230319-v5y74sbe4y

  • MD5

    33b7508e3e5582e210126c9701ce9039

  • SHA1

    28088d2ddaf87f2841e638649156d5ef3b649baf

  • SHA256

    a3897abda1093a13b75485b7bced049c0a36e625855431086248d137a2c47602

  • SHA512

    bee9595fc3b08e4f538462f3af3e514425791ef2f4994fea99f02fed0d79e664b842d9a5be68df0e30c6c6616e071ee759614540e740f753ff9942b2e8dd02c0

  • SSDEEP

    12288:y6xyXSenz5DWqbwIkuuW3/75u8tv9QSFpTE4Rlp/STtPSpt1xK:y6ten9L0IkuR75ndeOpTE2EtPSbK

Malware Config

Extracted

Family

cryptbot

C2

http://ernwld52.top/gate.php

Targets

    • Target

      8d6a5494e1ac90fc86b7c3715bbc55f654b1c4b9d8c589dd1229c3c4092cb49f.exe

    • Size

      791KB

    • MD5

      1e13665ad9d89eb7942a5875e0c604fa

    • SHA1

      c6fe2dfee757ad9562d6f0e97d4ed5a30f45a4f4

    • SHA256

      8d6a5494e1ac90fc86b7c3715bbc55f654b1c4b9d8c589dd1229c3c4092cb49f

    • SHA512

      f26716348506b6f3696d3311e839973b82da63b176ff3a6d82979fb519d9ebce92b4cb46677723f2fb0a4097fd5cf4cde2109d066d2f8dcabf0c228f29e6f062

    • SSDEEP

      24576:agra80EMvFtQWwLI5R9le/nbHrrYCDjDaO1dH:7rktwuR9srDSah

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

2
T1005

Tasks