General

  • Target

    8bb4998023c0ac68ac8d9e74a33f118bf4d455820c0eeec5362488fa522bc919

  • Size

    168KB

  • Sample

    240913-znr5payapn

  • MD5

    b8e82130e396e582c9cfe1a53b7351b4

  • SHA1

    e3d250ea0126c83e253cb370bcc42ed2000189fc

  • SHA256

    8bb4998023c0ac68ac8d9e74a33f118bf4d455820c0eeec5362488fa522bc919

  • SHA512

    15c78c942f5b55bfe7d51d78efd90a7b127819d568d620f8c93fcb54b27590f562f7a73fbec459a8d431bb14074b8d34674e08b099777de0fef500ad50567763

  • SSDEEP

    3072:6gwHbLNuV8Lc4BEZ9qJxCD/wi6PXs/rfynLbYTlEHm1o5qYTGHjf50T8wGPs:2bLcGI4iTyx2J4LIEG1sqhV0oX

Malware Config

Extracted

  • Family

    cryptbot

  • C2

    thirtvd13pt.top
    analforeverlovyu.top

  • Attributes

    url_path: /v1/upload.php

Targets

    • CryptBot

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Indirect Command Execution

      Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
