General

  • Target

    file.exe

  • Size

    6.4MB

  • Sample

    240910-trclhstfmh

  • MD5

    e52fc4b24fffbcde2ea11efb2efa1f08

  • SHA1

    72325a8b0d2796b6849d6f08305f295d15d5efab

  • SHA256

    95704aebba0511e4853ac25736a52048cb4f87b74df5ae42886602f9ca0f1808

  • SHA512

    9e9ab7a2fb15678f9c7492e17b24065cdb5a747bc595769b317810d9d908f1abb73f059e575bb34f358aff397eeedeb3b6bc15377c10679f5036cc04b32fe772

  • SSDEEP

    98304:e/vu1NXotYuJgvgfHxIL87vkxlCxRNsHYkX5:Ku1JRSYgvwXCxRNxkX5

Malware Config

Extracted

Family

cryptbot

C2

analforeverlovyu.top

fivev5pn.top

Attributes
  • url_path

    /v1/upload.php
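The extracted C2 domains and upload path above are the network indicators worth hunting for in proxy logs. The script below is an added example (it is not part of the sandbox report and not CryptBot code) that matches them against a constructed, simplified proxy log of the form "timestamp client method url"; the log lines, the client IPs and the "high/low" severities are assumptions. Domains are compared on label boundaries rather than by substring, so a look-alike such as notfivev5pn.top is not reported as the C2 domain, and the /v1/upload.php path on its own is only flagged at low severity, since a path that generic will also appear in unrelated traffic.

```python
"""Match the CryptBot C2 indicators from this report against HTTP proxy logs.

Added example, not from the sandbox report. The log format is a constructed,
simplified proxy log (timestamp, client IP, method, URL), not any real
proxy's output.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the report's extracted config.
C2_DOMAINS = {"analforeverlovyu.top", "fivev5pn.top"}
C2_URL_PATH = "/v1/upload.php"

# Constructed sample log (assumption: "ts client method url" per line).
SAMPLE_LOG = """\
2024-09-10T17:01:02Z 10.0.0.5 GET http://example.com/index.html
2024-09-10T17:01:09Z 10.0.0.5 POST http://analforeverlovyu.top/v1/upload.php
2024-09-10T17:01:10Z 10.0.0.7 POST http://cdn.fivev5pn.top:8080/v1/upload.php
2024-09-10T17:01:12Z 10.0.0.9 POST http://notfivev5pn.top/v1/upload.php
2024-09-10T17:01:15Z 10.0.0.5 GET http://legit.example.org/v1/upload.php
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def domain_matches(host: str) -> bool:
    """True if host equals a C2 domain or is a subdomain of one.

    A plain substring test would also flag notfivev5pn.top, so the
    comparison is done on label boundaries.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def classify(line: str):
    """Return (severity, reason) for one log line, or None if it is clean."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, method, url = m.groups()
    parts = urlsplit(url)
    host = parts.hostname or ""  # hostname drops the :port suffix
    if domain_matches(host):
        return ("high", f"{client} contacted C2 domain {host}")
    # The path alone is weak evidence; only POSTs to it are surfaced, for review.
    if parts.path == C2_URL_PATH and method.upper() == "POST":
        return ("low", f"{client} POST to CryptBot-style path {host}{parts.path}")
    return None


def scan(log_text: str):
    """Scan a whole log and return the list of (severity, reason) hits."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

Run against the constructed log, the two POSTs to the C2 domains (one of them on a subdomain with a non-standard port) come back as high, the POST to the look-alike domain comes back as low because only the path matched, and the GET to an unrelated host is ignored.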

Targets

    • Target

      file.exe

    • CryptBot

      CryptBot is a C++ information stealer that is widely distributed bundled with other software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Checks installed software on the system

      Enumerates installed software by reading the Uninstall key entries in the registry.
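Three of the behaviours above (the registry country-code lookup, the Uninstall-key enumeration and the read of browser credential stores) can be expressed as host-side detection rules. The script below is an added example, not part of the sandbox report and not CryptBot code; it evaluates those rules over a constructed list of simplified Windows Security 4663 (object access audit) style events. The exact registry keys, the browser allowlist, the "three or more Uninstall subkeys" threshold and the file and process paths are assumptions; the report does not name the keys the sample queried, and real 4663 events for registry keys are only generated once a SACL has been set on those keys.

```python
"""Host-side rules for three of the signatures in this report.

Added example, not sandbox output and not CryptBot code. Events are
constructed, simplified 4663-style object access audit records.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Assumptions: common locations for the behaviours described in the report.
GEO_KEY = "\\control panel\\international\\geo"
UNINSTALL_KEY = "\\microsoft\\windows\\currentversion\\uninstall\\"
UNINSTALL_THRESHOLD = 3          # distinct subkeys read before we call it enumeration
CRED_STORES = ("\\login data", "\\cookies", "\\web data")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


@dataclass(frozen=True)
class AccessEvent:
    process: str      # full image path of the accessing process
    object_type: str  # "Key" or "File", as in 4663's Object Type
    object_name: str  # registry key or file path that was accessed


# Constructed sample events (paths and process names are assumptions).
MALWARE = r"C:\Users\victim\AppData\Local\Temp\file.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EXPLORER = r"C:\Windows\explorer.exe"
PROFILE = r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default"
UNINSTALL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

SAMPLE_EVENTS = [
    AccessEvent(MALWARE, "Key", r"HKCU\Control Panel\International\Geo\Nation"),
    AccessEvent(MALWARE, "Key", UNINSTALL + r"\7-Zip"),
    AccessEvent(MALWARE, "Key", UNINSTALL + r"\Google Chrome"),
    AccessEvent(MALWARE, "Key", UNINSTALL + r"\Notepad++"),
    AccessEvent(MALWARE, "File", PROFILE + r"\Login Data"),
    AccessEvent(CHROME, "File", PROFILE + r"\Login Data"),   # browser itself: benign
    AccessEvent(EXPLORER, "Key", UNINSTALL + r"\7-Zip"),    # single read: below threshold
]


def evaluate(events):
    """Return {process: [triggered signature names]} for the given events."""
    uninstall_subkeys = defaultdict(set)
    findings = defaultdict(set)
    for ev in events:
        obj = ev.object_name.lower()
        if ev.object_type == "Key":
            if GEO_KEY in obj:
                findings[ev.process].add("Checks computer location settings")
            elif UNINSTALL_KEY in obj:
                # Count distinct Uninstall subkeys per process; one read is normal.
                subkey = obj.split(UNINSTALL_KEY, 1)[1].split("\\", 1)[0]
                uninstall_subkeys[ev.process].add(subkey)
        elif ev.object_type == "File":
            # A browser reading its own credential store is expected; anything else is not.
            if obj.endswith(CRED_STORES) and ntpath.basename(ev.process).lower() not in BROWSERS:
                findings[ev.process].add("Credentials from Web Browsers")
    for process, subkeys in uninstall_subkeys.items():
        if len(subkeys) >= UNINSTALL_THRESHOLD:
            findings[process].add("Checks installed software on the system")
    return {process: sorted(names) for process, names in findings.items()}


if __name__ == "__main__":
    for process, names in evaluate(SAMPLE_EVENTS).items():
        print(process)
        for name in names:
            print("  -", name)
```

On the constructed events only file.exe is reported, with all three signatures; chrome.exe reading its own Login Data file is allowlisted, and explorer.exe touching a single Uninstall subkey stays under the enumeration threshold.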

MITRE ATT&CK Enterprise v15

Tasks