General
- Target: 396ad8d37a4ed7751a9f142a0c23818c.exe
- Size: 3MB
- Sample: 230402-sa124sab9z
- MD5: 396ad8d37a4ed7751a9f142a0c23818c
- SHA1: 91e007c643bda9553e57de1c3c4aa87e15d244ea
- SHA256: 9d7b0ff63257985d614d7503b396b8d9ce6c2fcb5bcecbcbfcfbad9560da9ffe
- SHA512: 09e87973ccc09af79c554a38d8e87656a39c6209ce68d36636fc28e120709ebefeab8e4368d165d89d77d71d6f23e2b8af9702e3bd2ae42fa6f85475cf4d2462
- SSDEEP: 49152:yKY2GhhspR5RKJsBwQcE7Eg+O1SS6xEsSQcb0kIFs9ke:yKY2Ghh0AqrNRRG8
Static task: static1

Behavioral task: behavioral1
- Sample: 396ad8d37a4ed7751a9f142a0c23818c.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: 396ad8d37a4ed7751a9f142a0c23818c.exe
- Resource: win10v2004-20230220-en
Malware Config
- Extracted: cryptbot
- http://ivyves72.top/gate.php
- payload_url: http://womuyt10.top/thraep.dat
Targets
- Target: 396ad8d37a4ed7751a9f142a0c23818c.exe
- Size: 3MB
- MD5: 396ad8d37a4ed7751a9f142a0c23818c
- SHA1: 91e007c643bda9553e57de1c3c4aa87e15d244ea
- SHA256: 9d7b0ff63257985d614d7503b396b8d9ce6c2fcb5bcecbcbfcfbad9560da9ffe
- SHA512: 09e87973ccc09af79c554a38d8e87656a39c6209ce68d36636fc28e120709ebefeab8e4368d165d89d77d71d6f23e2b8af9702e3bd2ae42fa6f85475cf4d2462
- SSDEEP: 49152:yKY2GhhspR5RKJsBwQcE7Eg+O1SS6xEsSQcb0kIFs9ke:yKY2Ghh0AqrNRRG8

- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger