General

  • Target

    85dfa304a2f5b3b7b45a7e8e782d521a0d999fe7a1c4906166b80491c5ff9462

  • Size

    6.3MB

  • Sample

    240907-xy537asepd

  • MD5

    7fcb6e3cc96ac58f0451716c0c79b9bd

  • SHA1

    504e3ffea9f303319b13e4c25fec4d312186b77c

  • SHA256

    85dfa304a2f5b3b7b45a7e8e782d521a0d999fe7a1c4906166b80491c5ff9462

  • SHA512

    6b23f0e1b8ea45b34b68004b42fb467bb85e4a5f81f3fd0fe81e8919f66ee31c5f4c9563fa5e74cf98f5d47cb1876e719fdd5728d0b3f9772a078cb2d34a6d05

  • SSDEEP

    49152:I04465dqWX8xhJXK4G+Ey1oIpULJbXvy3kKnk+fLes54oCXWnL/G3NX0FcZJwMq5:I6yJb+hTeaRrTG3NEFcMM0MSAN/S

Malware Config

Extracted

Family

cryptbot

C2

siv6sb.top

analforeverlovyu.top

Attributes
  • url_path

    /v1/upload.php

Targets

    • Target

      85dfa304a2f5b3b7b45a7e8e782d521a0d999fe7a1c4906166b80491c5ff9462

    • Size

      6.3MB

    • MD5

      7fcb6e3cc96ac58f0451716c0c79b9bd

    • SHA1

      504e3ffea9f303319b13e4c25fec4d312186b77c

    • SHA256

      85dfa304a2f5b3b7b45a7e8e782d521a0d999fe7a1c4906166b80491c5ff9462

    • SHA512

      6b23f0e1b8ea45b34b68004b42fb467bb85e4a5f81f3fd0fe81e8919f66ee31c5f4c9563fa5e74cf98f5d47cb1876e719fdd5728d0b3f9772a078cb2d34a6d05

    • SSDEEP

      49152:I04465dqWX8xhJXK4G+Ey1oIpULJbXvy3kKnk+fLes54oCXWnL/G3NX0FcZJwMq5:I6yJb+hTeaRrTG3NEFcMM0MSAN/S

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks