General

  • Target: 1313db05f0d346735901409c9744fbb2
  • Size: 1.7MB
  • Sample: 231225-kq5fgaefd2
  • MD5: 1313db05f0d346735901409c9744fbb2
  • SHA1: 8f453f22996b0d64d5f4308e4d0a3f12741bb5af
  • SHA256: d57c28e05a2924cf8113320efa41d79bcedd8d327f51de7e364a5cb984453290
  • SHA512: 70b244da56efc533a8e80161b1c152b96f5f34fd4e7e6abe8a9e19ade9b0f4578e10cf9312c20d37a4eac68c75de47f2f1f1c17cde6a86a69b231d974ab030ab
  • SSDEEP: 49152:Kkj/p1Vid8TS3RGL3vgSwVd7Tuoqo+EeZM:Zhni+mBGTvtwLvuoqlM

Malware Config

Extracted

  • Family: cryptbot
  • C2:
    ewadgz11.top
    morvay01.top
  • Attributes:
    payload_url: http://winezo01.top/download.php?file=lv.exe

Targets

    • Target: 1313db05f0d346735901409c9744fbb2
    • Size: 1.7MB
    • MD5: 1313db05f0d346735901409c9744fbb2
    • SHA1: 8f453f22996b0d64d5f4308e4d0a3f12741bb5af
    • SHA256: d57c28e05a2924cf8113320efa41d79bcedd8d327f51de7e364a5cb984453290
    • SHA512: 70b244da56efc533a8e80161b1c152b96f5f34fd4e7e6abe8a9e19ade9b0f4578e10cf9312c20d37a4eac68c75de47f2f1f1c17cde6a86a69b231d974ab030ab
    • SSDEEP: 49152:Kkj/p1Vid8TS3RGL3vgSwVd7Tuoqo+EeZM:Zhni+mBGTvtwLvuoqlM

    • CryptBot
      A C++ stealer that is widely distributed bundled with other software.

    • CryptBot payload

    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

MITRE ATT&CK Enterprise v15

Tasks