General

  • Target

    ed2016e5a142c6f2e535b09d5484444c

  • Size

    2.7MB

  • Sample

    231222-ttwgeahde3

  • MD5

    ed2016e5a142c6f2e535b09d5484444c

  • SHA1

    1d407332bf5e38c390b262420720498c3094793b

  • SHA256

    fab26cf1ace3f730e2dc4016f5b0d9e5937ad5d1c38220d824324347508ac2a0

  • SHA512

    c4c25b376db0a819480b120e49e600647bd80697fb141a69e7a2062347a7d0a1d540cde3aadc3933a2912c2fccf34506b8e89c81c1e8aa86f4e06b43348a15a0

  • SSDEEP

    49152:dn5RSbTUZiZNZwAEl8doRpBPATwbPC1W7kq3jIsEQirxPGL4YR:dUFeAwbK1WgqUsl6aR

Malware Config

Extracted

Family

cryptbot

C2

rasbrq34.top

moryei03.top

Targets

    • Target

      ed2016e5a142c6f2e535b09d5484444c

    • Size

      2.7MB

    • MD5

      ed2016e5a142c6f2e535b09d5484444c

    • SHA1

      1d407332bf5e38c390b262420720498c3094793b

    • SHA256

      fab26cf1ace3f730e2dc4016f5b0d9e5937ad5d1c38220d824324347508ac2a0

    • SHA512

      c4c25b376db0a819480b120e49e600647bd80697fb141a69e7a2062347a7d0a1d540cde3aadc3933a2912c2fccf34506b8e89c81c1e8aa86f4e06b43348a15a0

    • SSDEEP

      49152:dn5RSbTUZiZNZwAEl8doRpBPATwbPC1W7kq3jIsEQirxPGL4YR:dUFeAwbK1WgqUsl6aR

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks