General

  • Target

    KMS_Pico_Full_Setup.zip

  • Size

    5.8MB

  • Sample

    230518-vxll2sdb62

  • MD5

    55dcba3a2637da79ca9180eb2cbdd058

  • SHA1

    8c445ebd0bdc8eb148c975781afcb3c696587736

  • SHA256

    abcd458d20f7a902794b58d130de3dc4036a44f2eab26a53c5bb04b15afc6903

  • SHA512

    16bb79d694cab4d9387641b9dbcf178ee33045b4a6f337382ebbce34341a92bfcca99fa9e15f448677db85f974995463cde3cb2facfba88e5a709b2d93b66993

  • SSDEEP

    98304:OWEQUJXXm/g9e6AI46ZLhRFtZybLTlc2Y9Yn870K/WqFe7wfiv3aALQ6tZ62Aew:OWE9XXmIJAI4Q2l5Y9YLwFeWaZrP62Aj

Malware Config

Extracted

  • Family

    cryptbot

  • C2

    http://yawfyx24.top/gate.php
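The report gives two kinds of indicator an analyst would act on: the file hashes in the General section and the extracted C2 URL above. The following Python is an added example, not part of the sandbox report and not the analyst's or vendor's tooling: it sweeps a directory for the report's SHA-256 values and a proxy log for the C2 host. Only the hashes and the C2 URL are taken from the page; the log layout, the sample log lines and the planted stand-in file are constructed here for illustration.

```python
"""Added example, not part of the sandbox report: sweep a directory for the
SHA-256 hashes listed on this page and a proxy log for the extracted C2.
Only the hashes and the C2 URL come from the report; the log format,
the sample log lines and the planted file are constructed here."""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# SHA-256 values copied from the report (the zip and the dropped installer).
SHA256_IOCS: Dict[str, str] = {
    "abcd458d20f7a902794b58d130de3dc4036a44f2eab26a53c5bb04b15afc6903": "KMS_Pico_Full_Setup.zip",
    "057c4de6f0478c0abfa1f6ceb87be4381e1ac2a6ab5ab0bc0bfbf8e18de40cfe": "Setup_File_KMS_Pico.exe",
}
C2_URL = "http://yawfyx24.top/gate.php"          # extracted config, from the report
C2_HOST = urlsplit(C2_URL).hostname               # "yawfyx24.top"
C2_PATH = urlsplit(C2_URL).path                   # "/gate.php"


def sha256_of(path: str) -> str:
    """Stream the file so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, iocs: Dict[str, str] = SHA256_IOCS) -> List[Tuple[str, str]]:
    """Return (path, name_from_report) for every file whose SHA-256 is in iocs."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


# Assumed log layout for this example: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(lines: Iterable[str]) -> List[dict]:
    """Flag every request whose host is the C2 domain (or a subdomain of it).
    Matching on the parsed host instead of the literal URL string also catches
    a scheme or port change; beacon_path records whether it hit /gate.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                       # skip blank or differently formatted lines
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if host == C2_HOST or host.endswith("." + C2_HOST):
            hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"],
                         "beacon_path": parts.path == C2_PATH})
    return hits


# Constructed sample log, not captured traffic.  The last line is a look-alike
# domain that a naive substring match on "yawfyx24.top" would wrongly flag.
SAMPLE_LOG = """\
2023-05-18T14:02:11Z 10.0.0.23 GET http://example.com/index.html 200
2023-05-18T14:02:15Z 10.0.0.23 POST http://yawfyx24.top/gate.php 200
2023-05-18T14:03:40Z 10.0.0.41 GET https://yawfyx24.top:8443/update 404
2023-05-18T14:05:02Z 10.0.0.23 GET http://notyawfyx24.top/gate.php 200
""".splitlines()


def demo_tree_scan() -> List[str]:
    """The real samples are not available offline, so plant a constructed
    stand-in file, register its hash alongside the report's IOCs and show
    that scan_tree picks it out from a benign neighbour."""
    with tempfile.TemporaryDirectory() as d:
        planted = os.path.join(d, "Setup_File_KMS_Pico.exe")
        with open(planted, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)       # constructed stand-in, not the real dropper
        with open(os.path.join(d, "readme.txt"), "w") as f:
            f.write("benign\n")
        iocs = dict(SHA256_IOCS)
        iocs[sha256_of(planted)] = "Setup_File_KMS_Pico.exe (constructed stand-in)"
        return [name for _, name in scan_tree(d, iocs)]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("C2 contact:", hit)
    print("file hits:", demo_tree_scan())
```

Two design points: the log matcher compares the parsed hostname rather than searching for the URL string, so a beacon over a different scheme or port, or from a subdomain, still surfaces while a look-alike domain does not; and the file sweep hashes every file rather than trusting names, since the dropper name on the page is just what this one bundle used.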

Targets

    • Target

      KMS_Pico_Full_Setup.zip

    • Size

      5.8MB

    • MD5

      55dcba3a2637da79ca9180eb2cbdd058

    • SHA1

      8c445ebd0bdc8eb148c975781afcb3c696587736

    • SHA256

      abcd458d20f7a902794b58d130de3dc4036a44f2eab26a53c5bb04b15afc6903

    • SHA512

      16bb79d694cab4d9387641b9dbcf178ee33045b4a6f337382ebbce34341a92bfcca99fa9e15f448677db85f974995463cde3cb2facfba88e5a709b2d93b66993

    • SSDEEP

      98304:OWEQUJXXm/g9e6AI46ZLhRFtZybLTlc2Y9Yn870K/WqFe7wfiv3aALQ6tZ62Aew:OWE9XXmIJAI4Q2l5Y9YLwFeWaZrP62Aj

    Score: 1/10
    • Target

      Password.txt

    • Size

      18B

    • MD5

      c44669219a77bcb6e04ccc9a7dc8905b

    • SHA1

      cc10be56e2a5415ed3ed286734bee8f0741d92bd

    • SHA256

      8406e6d1a644f797995907ec0a18d8104d1e8c5ffac8f4f874c11e5d92aff969

    • SHA512

      2ea589c6612eaae6fdc3613df8438df4df92c76e39ba527f07477635d8e86ad4d473c941b77cadd3195cba4296ed3eb5d1f57c5b100279617b6a3399d880fbe2

    Score: 1/10
    • Target

      Setup_File_KMS_Pico.exe

    • Size

      5.9MB

    • MD5

      c2b81d548b4dd613a4ff3f3c05ea6716

    • SHA1

      3a0fce6c9030d95bd4d825a0e5eb9bdd7d442c75

    • SHA256

      057c4de6f0478c0abfa1f6ceb87be4381e1ac2a6ab5ab0bc0bfbf8e18de40cfe

    • SHA512

      beccbc9105da411667b83f7028df90ecd17e9d494f0535df4635cdc31b8a83e0c74b18d54223308d37095583683318ae548cb37a54f9a634a37e6d61d125b3e0

    • SSDEEP

      98304:5bQqRZbDm1gvsKm4U65d3JfHJ8bdvlC+chgnCN0g7YqBw/qfipVQMDkGhRCogKP:5BbDmuHm4U+Ml7chgVUBw4ELbHCogKP

    • CryptBot

      A C++ infostealer, widely distributed bundled with other software; here it is packaged as a purported KMS Pico (Windows activation crack) installer.

    • Creates new service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers routinely harvest stored browser data such as saved credentials, cookies and autofill entries.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build. Packing is not malicious in itself, but it hides the real code from static analysis and string-based signatures, so the sample should be unpacked before further triage.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.
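To show what the "UPX packed file" signature above is actually looking at, here is an added Python illustration; it is not the sandbox's own rule and not the malware author's code. It walks the PE headers to the section table and flags the UPX0/UPX1 section names, and separately the "UPX!" marker the packer writes into the file, because a "modified UPX" build commonly renames the sections while leaving other traces. The PE images it runs on are constructed in build_fake_pe and are header-only stand-ins, not real or executable binaries.

```python
"""Added example, not the sandbox's signature: flag UPX-style packing from a
PE's section names and the "UPX!" marker.  The PE images used for the demo
are constructed header-only stand-ins built by build_fake_pe."""
import struct
from typing import Dict, List


def pe_section_names(data: bytes) -> List[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the NUL-trimmed section names.  Raises ValueError on a malformed
    image instead of guessing."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("COFF header truncated")
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    size_opt_hdr = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + size_opt_hdr                              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]            # 40-byte entries, 8-byte Name
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> Dict[str, object]:
    """Two independent tells: stock UPX names its sections UPX0/UPX1 (plus .rsrc),
    and writes a "UPX!" marker; modified builds often drop only one of them."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": any(n.startswith("UPX") for n in names),
        "upx_magic": b"UPX!" in data,
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_sections"] or ind["upx_magic"])


def classify(data: bytes) -> str:
    """Top-level verdict for a triage pipeline: 'not-pe', 'upx' or 'plain'."""
    try:
        return "upx" if looks_upx_packed(data) else "plain"
    except ValueError:
        return "not-pe"


def build_fake_pe(section_names: List[str], trailer: bytes = b"") -> bytes:
    """Assemble a minimal, non-executable PE32 header with the given section
    names (constructed test input, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                                   # PE32 optional header size
    # Machine=i386, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)       # PE32 magic, rest zeroed
    secs = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + secs + trailer


if __name__ == "__main__":
    print(classify(build_fake_pe(["UPX0", "UPX1", ".rsrc"])))                 # upx
    print(classify(build_fake_pe([".text", ".rdata", ".data", ".rsrc"])))     # plain
    print(classify(build_fake_pe([".text", ".data"], trailer=b"\0UPX!\0")))  # upx (renamed sections)
    print(classify(b"PK\x03\x04" + b"\0" * 100))                              # not-pe (zip container)
```

Both tells are trivial for an attacker to strip, so treat a hit as a reason to unpack (stock UPX unpacks with `upx -d`; a modified build usually will not and needs dumping from memory), and treat a miss as meaning nothing about whether the file is packed by something else.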

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic                 Technique                      Hits   ID
    Execution              Scheduled Task                 1      T1053
    Persistence            New Service                    1      T1050
    Persistence            Scheduled Task                 1      T1053
    Privilege Escalation   New Service                    1      T1050
    Privilege Escalation   Scheduled Task                 1      T1053
    Credential Access      Credentials in Files           2      T1081
    Discovery              Query Registry                 3      T1012
    Discovery              Peripheral Device Discovery    1      T1120
    Discovery              System Information Discovery   3      T1082
    Collection             Data from Local System         2      T1005

    "Hits" is the number of matched signatures mapped to each technique. The IDs follow ATT&CK v6, the version this report was generated against. In the current ATT&CK matrix T1050 has been folded into T1543.003 (Create or Modify System Process: Windows Service), T1081 into T1552.001 (Unsecured Credentials: Credentials In Files), and the scheduled-task behaviour maps to T1053.005 (Scheduled Task/Job: Scheduled Task); use those IDs when correlating with newer tooling.

Tasks