General

  • Target

    build_3.exe

  • Size

    13.1MB

  • Sample

    240907-kzldyswbqn

  • MD5

    b543ea03b1260c29849e083bc5f9d804

  • SHA1

    9171c26503db121d16493bf8f25ec1dee6ddfaeb

  • SHA256

    9bf4addec6787aef2292e1f9dad3172c2495605d67f26554fb696e5d17b7e4f3

  • SHA512

    653f8ad835c05016b360794948b9d0b488fa898b2c8cf360f940b1d4c48d897cd437ed8676a2a5c604c29d5709bd3e83015ea97af6ad6115c22e3b1c6c8e9ce7

  • SSDEEP

    393216:ObPmYRQK7+zaDD3OhQfuSL3bMz0plnztTQCFMmKcZ:ObrRQtW6QmIAmln1QCFT

Malware Config

Extracted

  • Family

    cryptbot

  • C2

    thirtv13pt.top

    analforeverlovyu.top

  • Attributes

    url_path: /v1/upload.php

Targets

    • Target

      build_3.exe

    • CryptBot

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Indirect Command Execution

      Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15