General
Target: build_5.exe
Size: 13.1MB
Sample: 240907-k2f71swenh
MD5: 489841193bb17bed86528363199e802d
SHA1: b21527944d7f543b568aedbbe9833ffdb621b06a
SHA256: 9e551b2304a6d8b72f38080a717d35900365dda5ce2aea2f2b14e90eba59cd7f
SHA512: 85c250271c44ccafd753495356a9a1bd8d940a8c3443c51e1d8d1fbe1d79ab39226e9e18402b088ec340b05f45e0caeb8a2f7c195479e3b5e9cdbd23260405df
SSDEEP: 393216:cbPmYRQK7+zaDD3OhQfuSL3bMz0plnztTQCFMmKcZ:cbrRQtW6QmIAmln1QCFT
Behavioral task
behavioral1
Sample: build_5.exe
Resource: win7-20240903-en

Malware Config
Extracted
cryptbot
thirtv13pt.top
analforeverlovyu.top
url_path: /v1/upload.php
Targets
Target: build_5.exe (size and hashes as listed under General above)
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access or copy of web browser credential store.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)