General

  • Target

    ef3eb2d2f41b013f9ea91d2341504dc3f4dcca244ca37853e87577f870945882

  • Size

    6.3MB

  • Sample

    240906-l9rt6a1djb

  • MD5

    71c2237a47fb22f1a0f18c607922d961

  • SHA1

    4a8fd6856e5cdb6e16bcd5bf7e51dfe451e00d57

  • SHA256

    ef3eb2d2f41b013f9ea91d2341504dc3f4dcca244ca37853e87577f870945882

  • SHA512

    e83c37407b412acbb1e31c00717ee14db18ba44ad61c38c1804519f812e5f555bfb9b009a6e60bdb9e9660a8edb95cb126e326849267a4ac774c89d060dbfabd

  • SSDEEP

    49152:ME9iLsYFZK55qIeTnCp9XdeOzamT0q7bunoh4HRLYipbY9wty7pu2Y1gwsfWY/RN:J2+5JeYt/T06unoaHF77F3zOJGP12

Malware Config

Extracted

Family

cryptbot

C2

threv3pt.top

analforeverlovyu.top

Attributes
  • url_path

    /v1/upload.php

Targets

    • Target

      ef3eb2d2f41b013f9ea91d2341504dc3f4dcca244ca37853e87577f870945882

    • Size

      6.3MB

    • MD5

      71c2237a47fb22f1a0f18c607922d961

    • SHA1

      4a8fd6856e5cdb6e16bcd5bf7e51dfe451e00d57

    • SHA256

      ef3eb2d2f41b013f9ea91d2341504dc3f4dcca244ca37853e87577f870945882

    • SHA512

      e83c37407b412acbb1e31c00717ee14db18ba44ad61c38c1804519f812e5f555bfb9b009a6e60bdb9e9660a8edb95cb126e326849267a4ac774c89d060dbfabd

    • SSDEEP

      49152:ME9iLsYFZK55qIeTnCp9XdeOzamT0q7bunoh4HRLYipbY9wty7pu2Y1gwsfWY/RN:J2+5JeYt/T06unoaHF77F3zOJGP12

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks