Overview

overview

10

Static

static

1

7ede0b1138...f5.exe

windows7-x64

10

7ede0b1138...f5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a0543f4768b6938e07393baa1301a3a5.bin

  • Size

    6.5MB

  • Sample

    230401-b5tsvafb52

  • MD5

    fd8e6a4deafcc157efebbf0b7556de67

  • SHA1

    f293a8e03e5caebda0d3d61f99c80e32a77de858

  • SHA256

    010d4f5cb4436951944f73360fd938ec676331de4b6a02e6c220c95f58970559

  • SHA512

    59668e7674c0806ab7095e1a6210089e14f08d6a44c4caa024ecc287e26215f41fb9507c5797486695df27cafa439552bc2a71bb924fd8b82ea6f65435a4186d

  • SSDEEP

    196608:CYOTk8oAjEO2KUhEfGc+cPCEc0Hn2NkV14:C/k8og2KUClP/HrY

Score
10/10
cryptbotdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Targets

    • Target

      7ede0b1138f235629f0e3539de7f0b225b9e9f9ca4855aca0e9ccaeab0731bf5.exe

    • Size

      6.8MB

    • MD5

      a0543f4768b6938e07393baa1301a3a5

    • SHA1

      a2fc8528c2b25145f4f87265ae229379839d8b79

    • SHA256

      7ede0b1138f235629f0e3539de7f0b225b9e9f9ca4855aca0e9ccaeab0731bf5

    • SHA512

      c77e81df7149c042c691a6fec6499c2095de5f4dbfba5a57e94080dc78e6d944eabbfd403823119d62f0f4641d5929be0e52afb9c46d18508ae855c4f0a2af5b

    • SSDEEP

      196608:RkAYBdNTUeMyEg/CN95K1o8TE4eOnTGcwdb:Rk5dNo2Eg6N95ghE4lTKdb

    Score
    10/10
    cryptbotdiscoveryevasionspywarestealerthemidatrojan

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks