General

  • Target: Setup_4_Pc_Full_2023_UseAs_PassKey.rar
  • Size: 8MB
  • Sample: 230624-w5d3lsca56
  • MD5: 267970874bfc60748e71e8f0665158b7
  • SHA1: 1719cecaa4b4304b447754389a813810b71d28ed
  • SHA256: ac5c131fc423775c5e840131ee169828b188773713c65c39f68610e4d9d138f5
  • SHA512: 924d9af9e9230de6c9ca6d1d5a3938c3df7ca1c62b3a6652d52a3e113b202ececdb55494fec01eaefa91186f829d77e969ab81ea52fd7481522909c1f03a135e
  • SSDEEP: 196608:Q5mKeGeCWrvvIdnmmsPb5jV9VD/QTIDI5B8J5MRtH:QYGHQvvGmmsjxVUAr2RB

Malware Config

Extracted

  • Family: cryptbot
  • C2: http://yfive5sb.top/gate.php

Targets

    • Target: SetupFile.exe
    • Size: 302MB
    • MD5: 251e037ea5f3b63d268be6f74e4f2e5d
    • SHA1: eeebc6f9fc2fdf60a4c012f935e3afb9675d14ca
    • SHA256: 79bdb4cce6b6815e44f0da4bdeb4882123410c2e51236074e2d10e0e533787f2
    • SHA512: a515e1ae8344e58864274c1531f6819003f5412a1fdea788f54a65b4f1988b09b1e6bf629db9fdccd8508845ed9fd8543a46313d80c2e58d40351d9c9ce83ca8
    • SSDEEP: 393216:7pZS5Au5SVDMTNSG/lVrl3KExL3JzATzC:lZlQ6yhpKOx

    • CryptBot

      A C++ stealer that is widely distributed bundled with other software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandbox environments.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                 Technique                      Count  ID
Execution              Scheduled Task                 1      T1053
Persistence            Scheduled Task                 1      T1053
Privilege Escalation   Scheduled Task                 1      T1053
Credential Access      Credentials in Files           2      T1081
Discovery              Query Registry                 4      T1012
Discovery              System Information Discovery   4      T1082
Discovery              Peripheral Device Discovery    1      T1120
Discovery              Remote System Discovery        1      T1018
Collection             Data from Local System         2      T1005
