General

  • Target

    0717b0716f92e0312ed1ef6e175a91ce

  • Size

    1.7MB

  • Sample

    231224-vjlpwsefhr

  • MD5

    0717b0716f92e0312ed1ef6e175a91ce

  • SHA1

    034c08e32001d6d8f9d8938989c7141b172c97a5

  • SHA256

    040dbcbaa8017799c3f0e383ab3a12b996048c6fcf8b78e43ddb091e8d10b8ad

  • SHA512

    264b3f794e1420d78892bedaac30443d4ae781f0e3955c7e2e5a60cf8f206947fbcb9e7a21e579bd0b5b5bd2b0982936f7a36e5ec3ed215d5b9664423ab91815

  • SSDEEP

    49152:QJrVFFTlF5YGpMt+Au1cT/3YrO1eoAxV8I2v2a:QJrHFdbAlDIHoI3

Malware Config

Extracted

Family

cryptbot

C2

smajug75.top

moriwi07.top

Attributes

  • payload_url

    http://guruzo10.top/download.php?file=lv.exe

Targets

    • CryptBot

      A C++ stealer, widely distributed bundled with other software.

    • CryptBot payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

MITRE ATT&CK Enterprise v15

Tasks