General
-
Target
https://href.li/?https://cdn.discordapp.com/attachments/1274762477992673427/1293654488468684800/picofreeloadingversion.zip?ex=67082920&is=6706d7a0&hm=d0beaf8db7ba5c0fef363e6554f52a2a9da8bd71ff476239659f0c78b36c8f31&
-
Sample
241010-bzc8xatekh
Malware Config
Targets
-
-
Target
https://href.li/?https://cdn.discordapp.com/attachments/1274762477992673427/1293654488468684800/picofreeloadingversion.zip?ex=67082920&is=6706d7a0&hm=d0beaf8db7ba5c0fef363e6554f52a2a9da8bd71ff476239659f0c78b36c8f31&
Score10/10-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Detects CryptBot payload
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Creates new service(s)
-
Event Triggered Execution: Image File Execution Options Injection
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Indicator Removal: Clear Persistence
remove IFEO.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1