General

  • Target

    Windows.exe

  • Size

    6.3MB

  • Sample

    240908-238gbsseme

  • MD5

    cc70a5edd4a5a8db874c97d21119f59d

  • SHA1

    4b1d7b51e875a4b6aa05967459e17ea0d3286f39

  • SHA256

    4311121804332b647e02280a9c551c85c16a46f24f2d2107a9bdceaa8923afa1

  • SHA512

    f2806d7988073539723708821f0246021a77724c992901282036f77bdb57ddf7e495644d7f00c6f96fd3aa0fa65e6142ed9e823c2cab1474d41ee5bc083b2268

  • SSDEEP

    49152:fLoyz7eg9ZoHqhslHcVM665KHMSqhfDsdtQ6ll4NJzdeP03PeJXSA4QVit+g+5NH:fpUHcLMSFdtQsl4NNvauH3xfpjqX

Malware Config

Extracted

Family

cryptbot

C2

analforeverlovyu.top

thirtv13sb.top

Attributes
  • url_path

    /v1/upload.php

Targets


    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundles with other software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks