General

Target: build_3.exe
Size: 13.1MB
Sample: 240907-kzldyswbqn
MD5: b543ea03b1260c29849e083bc5f9d804
SHA1: 9171c26503db121d16493bf8f25ec1dee6ddfaeb
SHA256: 9bf4addec6787aef2292e1f9dad3172c2495605d67f26554fb696e5d17b7e4f3
SHA512: 653f8ad835c05016b360794948b9d0b488fa898b2c8cf360f940b1d4c48d897cd437ed8676a2a5c604c29d5709bd3e83015ea97af6ad6115c22e3b1c6c8e9ce7
SSDEEP: 393216:ObPmYRQK7+zaDD3OhQfuSL3bMz0plnztTQCFMmKcZ:ObrRQtW6QmIAmln1QCFT
Behavioral task behavioral1: sample build_3.exe, resource win7-20240903-en
Behavioral task behavioral2: sample build_3.exe, resource win10v2004-20240802-en
Malware Config

Extracted: cryptbot
thirtv13pt.top
analforeverlovyu.top
url_path: /v1/upload.php
Targets

Target: build_3.exe
Size: 13.1MB
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access or copy of a web browser credential store.
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Indirect Command Execution
  Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (1)
  - Credentials in Registry (1)