General

  • Target

    ⟹-ⓞ#ⓞLa-t-e$-st-#-Se-t-up-#-PAs$sc0dE-#ⓞ9192ⓞ#-⟸.zip

  • Size

    20.2MB

  • Sample

    240906-xzfjxstdkp

  • MD5

    71aede4516b8e7f9361f38c5e11a9cc5

  • SHA1

    dba853dc7fb28c4da5cfbdd2a11a7bf5ee67326e

  • SHA256

    8db5af786475fd163cb4fb80396123c6e2a6ed403a7b6a8259719745a1f4779a

  • SHA512

    aad82b7724ced73f853c9e5ab0b1d22341a2699ccb3af60b3dfd3300687bf71290dea557a668e9288e150dae8ee8135bb78cde3edbff011077f6b9b65ad1a0ba

  • SSDEEP

    393216:sHmG4h93kkgugoJOUHDthdTT7V/tDYMyveikAGO9DcTp:h7hyBugqTT/H6nGOFsp

Malware Config

Extracted

Family

cryptbot

C2

forv14pt.top

analforeverlovyu.top

Attributes

  • url_path

    /v1/upload.php

Targets

    • Target

      ⟹-ⓞ#ⓞLa-t-e$-st-#-Se-t-up-#-PAs$sc0dE-#ⓞ9192ⓞ#-⟸/⟹-ⓞ#ⓞLa-t-e$-st-#-Se-t-up-#-PAs$sc0dE-#ⓞ9192ⓞ#-⟸.rar

    • Size

      20.2MB

    • MD5

      b0088132e07006d811fa0cad898b64c1

    • SHA1

      21aa01005fe6e9c53c030bca59250ab88c301a5f

    • SHA256

      2cd7984b6226f9fe5542b6083e2552b37df78b9160e1549ee330a96f93ac2ffc

    • SHA512

      30235cb2e9d6fb1085f943a0f8a4e33c153e79262258d149383014d6e402fb4d076d7024c829eb48465b0bbb79a7ae3dd357c8c7620eea954767d3f04a1ff6eb

    • SSDEEP

      393216:nHmG4h93kkgugoJOUHDthdTT7V/tDYMyveikAGO9DcT2:G7hyBugqTT/H6nGOFs2

    • CryptBot

      CryptBot is a C++ stealer, widely distributed bundled with other software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

MITRE ATT&CK Enterprise v15

Tasks