General

  • Target

    channel5.exe

  • Size

    6.3MB

  • Sample

    240907-k5l8fawdqr

  • MD5

    f76c413e2e42da259c5594db6d2ab4db

  • SHA1

    28480d08e96b968143424098489834c598c97f5c

  • SHA256

    492515dc984b30f544dc307ac462f02a76dbdff487fd873fe47bf3c5d26cdc8e

  • SHA512

    fbca5f7ee919b1d3b46c8a051ceb4f44b2a22c986ab7342469575ea37951db5acb0623bb18c635ba1d8dd87f8b059914829013b07c29cb416ddbddc3e6c2e08c

  • SSDEEP

    98304:kh1mIQzUtXZ7Ijhh2Wfs7YO/6/HRkRYhqaxuiomZX:khoWJZ78h2WtOi/HRkRYhNokX

Malware Config

Extracted

Family

cryptbot

C2

thirtv13pt.top

analforeverlovyu.top

Attributes
  • url_path

    /v1/upload.php

Targets

    • CryptBot

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar information.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks