General

  • Target

    ae7bc6b6f6ecb206a7b957e4bb86e0d11845c5b2d9f7a00a482bef63b567ce4c.exe

  • Size

    6.3MB

  • Sample

    240911-l1vjpatgkl

  • MD5

    3b9d26d2e7433749f2c32edb13a2b0a2

  • SHA1

    969437df8f4ad08542ce8fc9831fc49a7765b7c5

  • SHA256

    ae7bc6b6f6ecb206a7b957e4bb86e0d11845c5b2d9f7a00a482bef63b567ce4c

  • SHA512

    51b95e19087d44f5dc4f8f3fb2cb1151f0b4dee7069bd1bfecdbe1db7326f9b44733a0eccf513ec9763d613f183ba7dc1184ce2f448591aa2e4234f823b1885e

  • SSDEEP

    98304:+ykOxJ8lTRRQIJ2ZL2T6T+TAt0vFxPCslwmvvsF9gn:+ykO38lT3D6qTZPCsle7gn

Malware Config

Extracted

Family

cryptbot

C2

thirtv13pn.top

analforeverlovyu.top

Attributes
  • url_path

    /v1/upload.php
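The extracted config above gives the two C2 domains and the upload path the stealer posts to. The following is an added example, not part of the sandbox report or of any Triage tooling: it embeds the report's hashes and C2 indicators and turns them into two checks a responder typically wants, a hash comparison for a file under investigation and a scan of proxy/DNS log lines for contact with the C2 infrastructure. The log line format and the sample lines are constructed for illustration, not taken from the report.

```python
"""IOC checks for the CryptBot sample described in this report.

Added example: the hashes, C2 domains and upload path are copied from
the report above; the log format and sample lines are constructed.
"""
import hashlib
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken verbatim from the report.
REPORT_HASHES = {
    "md5": "3b9d26d2e7433749f2c32edb13a2b0a2",
    "sha1": "969437df8f4ad08542ce8fc9831fc49a7765b7c5",
    "sha256": "ae7bc6b6f6ecb206a7b957e4bb86e0d11845c5b2d9f7a00a482bef63b567ce4c",
}
C2_DOMAINS = {"thirtv13pn.top", "analforeverlovyu.top"}
C2_URL_PATH = "/v1/upload.php"

URL_RE = re.compile(r"https?://[^\s\"']+")
DNS_RE = re.compile(r"query:\s+(\S+)\s+IN\s+", re.IGNORECASE)


def hashes_of(data: bytes) -> dict:
    """MD5/SHA1/SHA256 hex digests of a byte string (read the file in binary mode)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data: bytes) -> bool:
    """True only if all three digests equal those listed in the report."""
    return hashes_of(data) == REPORT_HASHES


def host_matches(host: str) -> bool:
    """Match a C2 domain or any subdomain of it; case- and trailing-dot-insensitive."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def classify_line(line: str) -> Optional[str]:
    """Classify one log line.

    'c2_upload'  : POST to a C2 host at the config's upload path (exfiltration)
    'c2_contact' : any other HTTP request to a C2 host
    'c2_dns'     : DNS query for a C2 host
    None         : no indicator present
    """
    m = URL_RE.search(line)
    if m:
        u = urlsplit(m.group(0))
        if not host_matches(u.hostname or ""):
            return None
        if u.path == C2_URL_PATH and re.search(r"\bPOST\b", line):
            return "c2_upload"
        return "c2_contact"
    m = DNS_RE.search(line)
    if m and host_matches(m.group(1)):
        return "c2_dns"
    return None


def scan(lines) -> List[Tuple[int, str]]:
    """Return (1-based line number, verdict) for every line that hits an indicator."""
    out = []
    for i, line in enumerate(lines, 1):
        verdict = classify_line(line)
        if verdict:
            out.append((i, verdict))
    return out


# Constructed log lines (not from the report); format is "time source ... url/query ...".
SAMPLE_LINES = [
    "2024-09-11T11:59:01Z dns query: thirtv13pn.top IN A",
    "2024-09-11T11:59:02Z proxy 10.0.0.5 POST http://thirtv13pn.top/v1/upload.php 200 48211",
    "2024-09-11T11:59:03Z proxy 10.0.0.5 GET http://analforeverlovyu.top/ 404 312",
    "2024-09-11T11:59:04Z proxy 10.0.0.5 GET http://example.com/v1/upload.php 200 99",
    "2024-09-11T11:59:05Z dns query: notthirtv13pn.top IN A",
]

if __name__ == "__main__":
    for lineno, verdict in scan(SAMPLE_LINES):
        print(f"line {lineno}: {verdict}")
```

The path match is kept separate from the host match on purpose: `/v1/upload.php` alone is not an indicator (line 4 is correctly ignored), while a POST to that path on a C2 host is the exfiltration event worth escalating. The subdomain check uses a dot-prefixed suffix so that look-alike names such as `notthirtv13pn.top` do not match.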

Targets

    • Target

      ae7bc6b6f6ecb206a7b957e4bb86e0d11845c5b2d9f7a00a482bef63b567ce4c.exe

    • CryptBot

      CryptBot is a C++ information stealer that is widely distributed bundled with other software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.
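The signatures above are each derived from the sample's monitored API calls: a PE written to a user-writable directory and later started or loaded, a registry open on the Uninstall key or the locale settings, and a read of a browser credential store. The following is an added example, not Triage's signature engine or any code from the sample: it re-derives those five signatures from a simplified, constructed sandbox trace (one dict per monitored call). The registry paths (`HKCU\Control Panel\International\Geo`, the `Uninstall` key) and credential-store file names (Chromium `Login Data`, Firefox `logins.json`) are the standard Windows locations the descriptions refer to, not values observed in this sample.

```python
"""Re-deriving this report's behavioural signatures from an API trace.

Added example: the trace format is a constructed simplification
(one dict per call: "api" and "path"), single-process, in call order.
"""
import re
from typing import Dict, Iterable, List

# Standard Windows locations referenced by the signature descriptions.
UNINSTALL_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo(\\|$)", re.I)  # holds the Nation value
CRED_STORE = re.compile(r"\\(Login Data|logins\.json)$", re.I)            # Chromium / Firefox
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)", re.I)
PE_EXT = re.compile(r"\.(exe|dll)$", re.I)


def detect(trace: Iterable[dict]) -> Dict[str, List[str]]:
    """Map signature name -> sorted evidence paths found in the trace.

    "Dropped" means a PE the traced process itself wrote to a user-writable
    path earlier in the trace; executing or loading anything else does not
    count, so cmd.exe from System32 never triggers the dropped-EXE signature.
    """
    hits = {}
    dropped = set()  # lower-cased paths of PEs written by this process

    def hit(sig, evidence):
        hits.setdefault(sig, set()).add(evidence)

    for ev in trace:
        api, path = ev["api"], ev.get("path", "")
        key = path.lower()  # NTFS paths are case-insensitive
        if api == "WriteFile" and PE_EXT.search(path) and USER_WRITABLE.match(path):
            dropped.add(key)
        elif api == "CreateProcess" and key in dropped:
            hit("Executes dropped EXE", path)
        elif api == "LoadLibrary" and key in dropped:
            hit("Loads dropped DLL", path)
        elif api == "RegOpenKey":
            if UNINSTALL_KEY.search(path):
                hit("Checks installed software on the system", path)
            if GEO_KEY.search(path):
                hit("Checks computer location settings", path)
        elif api == "ReadFile" and CRED_STORE.search(path):
            hit("Reads user/profile data of web browsers", path)
    return {sig: sorted(ev) for sig, ev in hits.items()}


# Constructed trace for illustration; not the sample's recorded behaviour.
SAMPLE_TRACE = [
    {"api": "RegOpenKey", "path": r"HKCU\Control Panel\International\Geo"},
    {"api": "RegOpenKey", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"api": "WriteFile", "path": r"C:\Users\victim\AppData\Local\Temp\tmp\helper.dll"},
    {"api": "WriteFile", "path": r"C:\Users\victim\AppData\Local\Temp\tmp\run.exe"},
    {"api": "LoadLibrary", "path": r"C:\Users\victim\AppData\Local\Temp\tmp\HELPER.DLL"},
    {"api": "CreateProcess", "path": r"C:\Users\victim\AppData\Local\Temp\tmp\run.exe"},
    {"api": "CreateProcess", "path": r"C:\Windows\System32\cmd.exe"},   # not dropped: no hit
    {"api": "ReadFile", "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"api": "WriteFile", "path": r"C:\Windows\System32\drivers\etc\hosts"},  # not a PE: ignored
]

if __name__ == "__main__":
    for sig, evidence in sorted(detect(SAMPLE_TRACE).items()):
        print(sig)
        for path in evidence:
            print("   ", path)
```

Ordering matters for the dropped-file signatures: a CreateProcess or LoadLibrary only counts if the write to that path came earlier in the trace, which is what separates "executes dropped EXE" from simply launching an existing binary. Real sandbox traces also carry a process ID per call; a production version of this check would key `dropped` by (pid, path) so that one process's writes are not credited to another.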

MITRE ATT&CK Enterprise v15
