General

  • Target

    build_5.exe

  • Size

    13.1MB

  • Sample

    240907-k2f71swenh

  • MD5

    489841193bb17bed86528363199e802d

  • SHA1

    b21527944d7f543b568aedbbe9833ffdb621b06a

  • SHA256

    9e551b2304a6d8b72f38080a717d35900365dda5ce2aea2f2b14e90eba59cd7f

  • SHA512

    85c250271c44ccafd753495356a9a1bd8d940a8c3443c51e1d8d1fbe1d79ab39226e9e18402b088ec340b05f45e0caeb8a2f7c195479e3b5e9cdbd23260405df

  • SSDEEP

    393216:cbPmYRQK7+zaDD3OhQfuSL3bMz0plnztTQCFMmKcZ:cbrRQtW6QmIAmln1QCFT

Malware Config

Extracted

Family

cryptbot

C2

thirtv13pt.top

analforeverlovyu.top

Attributes

  • url_path

    /v1/upload.php

Targets

    • Target

      build_5.exe

    • Size

      13.1MB

    • MD5

      489841193bb17bed86528363199e802d

    • SHA1

      b21527944d7f543b568aedbbe9833ffdb621b06a

    • SHA256

      9e551b2304a6d8b72f38080a717d35900365dda5ce2aea2f2b14e90eba59cd7f

    • SHA512

      85c250271c44ccafd753495356a9a1bd8d940a8c3443c51e1d8d1fbe1d79ab39226e9e18402b088ec340b05f45e0caeb8a2f7c195479e3b5e9cdbd23260405df

    • SSDEEP

      393216:cbPmYRQK7+zaDD3OhQfuSL3bMz0plnztTQCFMmKcZ:cbrRQtW6QmIAmln1QCFT

    • CryptBot

      CryptBot is a C++ information stealer, widely distributed bundled with other software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks