General

  • Target

    7631726b15a0cba30f88268df626df7a053c044efc78f772ade21e879cc7ae58.exe

  • Size

    928KB

  • Sample

    240911-jlfe4szaqn

  • MD5

    01accb84e0b33d25bc3436bfc43dd226

  • SHA1

    edb4cea78cfe9eeccff13dcd669cceaa8cf62c38

  • SHA256

    7631726b15a0cba30f88268df626df7a053c044efc78f772ade21e879cc7ae58

  • SHA512

    c64e16a93dd739e5a4ac3d420c97961207fb21409f792853effc1be9e5d2ed05b4bb11475330aa15c5c7228da1dd78fc7446bd1c92b99da0ff3ae163a2734558

  • SSDEEP

    12288:pLsLcP1Ai09bpspcAqHz+qLPOek+V5g/u4LHHMMjrxQo8LMsaEIux8U+lBkZddj:yLc92psKAq6ITV5vGbao8LSEI28

Malware Config

Extracted

Family

cryptbot

C2

thirtv13pn.top

analforeverlovyu.top

Attributes
  • url_path

    /v1/upload.php

Targets

    • Target

      7631726b15a0cba30f88268df626df7a053c044efc78f772ade21e879cc7ae58.exe

    • Size

      928KB

    • MD5

      01accb84e0b33d25bc3436bfc43dd226

    • SHA1

      edb4cea78cfe9eeccff13dcd669cceaa8cf62c38

    • SHA256

      7631726b15a0cba30f88268df626df7a053c044efc78f772ade21e879cc7ae58

    • SHA512

      c64e16a93dd739e5a4ac3d420c97961207fb21409f792853effc1be9e5d2ed05b4bb11475330aa15c5c7228da1dd78fc7446bd1c92b99da0ff3ae163a2734558

    • SSDEEP

      12288:pLsLcP1Ai09bpspcAqHz+qLPOek+V5g/u4LHHMMjrxQo8LMsaEIux8U+lBkZddj:yLc92psKAq6ITV5vGbao8LSEI28

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Modifies Windows Defender Real-time Protection settings

    • Windows security bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Indirect Command Execution

      Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks