General

  • Target

    40b436c682b2055091fe80c8809ed127e783cb934a1cf342d84db7dac9df6463

  • Size

    6.4MB

  • Sample

    240909-1lstwatena

  • MD5

    14000093998e963dcccc98a7162574c4

  • SHA1

    52e5c0d7fd74a697740f3780f17ca12dd526a295

  • SHA256

    40b436c682b2055091fe80c8809ed127e783cb934a1cf342d84db7dac9df6463

  • SHA512

    562032fab6549498083bbbea8be678731902083f47f02a856ca4e31391c15cc16ee9ee16c164242cef333d505c8ebf56060a3a6161d3dc6926d229e644fa6f3c

  • SSDEEP

    98304:fBDzmHzcbKRVojDs5lfPKtVQ2rGNG6qUXynD4nuSDDC:JEzXQ/sfPCQ2rGNMFnD4HDC

Malware Config

Extracted

Family

cryptbot

C2

siv6pn.top

analforeverlovyu.top

Attributes
  • url_path

    /v1/upload.php

Targets


    • CryptBot

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar profile data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks