Extracted

• • Target

    file.exe

  • Size

    667KB

  • MD5

    bd71cacc925d19e97841949480825962

  • SHA1

    69e0bd8773accf91b5374af59394749624f21bc5

  • SHA256

    c0e25e1afb6e8457a95d10a96a7e97191821b698481f9c73cb8468e09723e15c

  • SHA512

    ae162ec70ccb8857f30eb22aae6b7bc3b851a246ff5e0418bef96f72569497cbf4fdb0200d5d9327e67be9f8c9f1353bc1c920854412c9b33aeb86ce0882b465

  • SSDEEP

    12288:CextvP96hExo7PTMoHbeMGpkEBuxubk6BXrwYewmBFml1ihhCJ4VLt8/nWnDEFX:CevP96hExIivkEW3WXkYdOFmPihIkt87

  Score

  10^/10

  cryptbotdiscoveryspywarestealerupx

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • CryptBot payload

  • Cryptbot family

    cryptbot

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2

• • Target

    lv copy.exe

  • Size

    5.2MB

  • MD5

    d72e60a71c1d3b8cd8510261264f29f1

  • SHA1

    0d4cfe1fd9450f9e688f7c5f80f463b959131daa

  • SHA256

    0524df18b564697341478dd952698549a4bdf343ccc0035247d228e52d487be5

  • SHA512

    ecffe12aa5a30956232765e6420fe3a7503d5ef88d68dbec339109e4db9df1ebc45a17906c7d858064b519e9fd4eb29d092c12560c8464a576699a014881befd

  • SSDEEP

    98304:JUrGzKIv0B8uDCHRB9nX7aYNOR7vIN/p1xmfG0ROvHioVwFOBr4jpWH:JqGeIsB8uDCxTXWoOk/paGHHhV6AQA

  Score

  9^/10

  discoveryevasionspywarestealer

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Blocklisted process makes network request

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral3behavioral4

• • Target

    $PLUGINSDIR/System.dll

  • Size

    11KB

  • MD5

    bf712f32249029466fa86756f5546950

  • SHA1

    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

  • SHA256

    7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

  • SHA512

    13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

  • SSDEEP

    192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/

  Score

  3^/10

  discovery
  behavioral5behavioral6

• • Target

    $PLUGINSDIR/UAC.dll

  • Size

    14KB

  • MD5

    adb29e6b186daa765dc750128649b63d

  • SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

  • SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

  • SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

  • SSDEEP

    192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs

  Score

  3^/10

  discovery
  behavioral7behavioral8

• • Target

    $PLUGINSDIR/UserInfo.dll

  • Size

    4KB

  • MD5

    c7ce0e47c83525983fd2c4c9566b4aad

  • SHA1

    38b7ad7bb32ffae35540fce373b8a671878dc54e

  • SHA256

    6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

  • SHA512

    ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

  Score

  3^/10

  discovery
  behavioral10behavioral9

• • Target

    $PLUGINSDIR/nsDialogs.dll

  • Size

    9KB

  • MD5

    4ccc4a742d4423f2f0ed744fd9c81f63

  • SHA1

    704f00a1acc327fd879cf75fc90d0b8f927c36bc

  • SHA256

    416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

  • SHA512

    790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

  • SSDEEP

    192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi

  Score

  3^/10

  discovery
  behavioral11behavioral12

• • Target

    4_ico.exe

  • Size

    1.7MB

  • MD5

    4b0a39a47c09c113c7cc19f22cbd390d

  • SHA1

    727e84f5048e40b5d9120bf55079ffdda1a053ba

  • SHA256

    3fcb3fc79d77343d4ef6e4cec384f4b4ecf7dc033d47c7bd5b5f0d5d539e2f28

  • SHA512

    82e810d0ecd9a20fa391ca09cf41c1f213cc154eb1e4db9f9f0929cef21a808b46551e14f5ae18e26d4ae463288747d3faab851bd9d984428a516441c30d6dc7

  • SSDEEP

    49152:9GMAa0IECU5NvVUGetbyqnqce+NDfwUIZto:MdIECU5JVUmggMopo

  Score

  9^/10

  discoveryevasion

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral13behavioral14

• • Target

    6_ico.exe

  • Size

    1.8MB

  • MD5

    ea76b0ed25810be48b08272f9655b05b

  • SHA1

    0c3c4bd83deac0bd5fbf13b1c3e51f88a59b6f58

  • SHA256

    d71d470b0aea1b94099395751178d2ef0068816a8a1c2638686e8063fd6adf59

  • SHA512

    ec4a766b712bbbb36a3f10ccae09babcea7e30e7f161d31365d09e5751b3c345d554f5a293dccdcb279704c9156aed3cd3de27efbf8edfa1b2d298b83050c1b9

  • SSDEEP

    49152:bdbKNY53O4scicpaWA6YV1VhTofJ1ZK3NCIMYrf/SXvap+Q2A9M:bINYMXcpaWA6YXnTQ1ZaNx7rf/SSpeA2

  Score

  9^/10

  discoveryevasionspywarestealer

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral15behavioral16

• • Target

    vpn_ico.exe

  • Size

    1.7MB

  • MD5

    bdb4c5b8c4c698e57631a3fa67609c7b

  • SHA1

    30152fadedf4f7dbbe9ffe59c9e45724a1bd790b

  • SHA256

    f50692b2d081d70f7f61acc5a412da98a76d62a2833630c0d9ce780c65369305

  • SHA512

    aac48cedfed3c22359eb0276912348879ad0d9552ff20ea03e87119f2c4bf79c232c3a6c519ff7c1ab82e8786a1ac2f1ff423fbf1a75018e8a216d6b60460d8e

  • SSDEEP

    24576:ZQuOSRRD6IHLmw6vZIjfX4T9S0PqJFdvCfQ+vPEjLolvvKLGxj:ZQAvHLX6SMT9xPqdCfQ+vsIlqK

  Score

  9^/10

  discoveryevasion

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Blocklisted process makes network request

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral17behavioral18

• • Target

    lv.exe

  • Size

    5.4MB

  • MD5

    1b7cdcf968378f1570c403453548bdee

  • SHA1

    0b156f2887877e8044f6fd0419267fc6fd9073dd

  • SHA256

    fd8d41e704959eca30dd3561f04651a45ec4f5e6817ab9b1eeea7695164190cb

  • SHA512

    608866a339f0ba3e8159b23d3b2347071d3c475264c0e1f439a5bdf777073961db44d45ee1c26b5f74e48d943702f43e030deb751a2bca3092639558113f8327

  • SSDEEP

    98304:Sk7hFM/xP1NQVO3sD6JjfaqphAFvAoqnTtQrNtwsfyyQy8+cRZIMf2B9GzIEsmxn:5tFgZB3UESqpeFvAoqTtefyyQypGH2vc

  Score

  9^/10

  discoveryevasionspywarestealer

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Blocklisted process makes network request

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral19behavioral20

• • Target

    $PLUGINSDIR/System.dll

  • Size

    11KB

  • MD5

    bf712f32249029466fa86756f5546950

  • SHA1

    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

  • SHA256

    7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

  • SHA512

    13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

  • SSDEEP

    192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/

  Score

  3^/10

  discovery
  behavioral21behavioral22

• • Target

    $PLUGINSDIR/UAC.dll

  • Size

    14KB

  • MD5

    adb29e6b186daa765dc750128649b63d

  • SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

  • SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

  • SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

  • SSDEEP

    192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs

  Score

  3^/10

  discovery
  behavioral23behavioral24

• • Target

    $PLUGINSDIR/UserInfo.dll

  • Size

    4KB

  • MD5

    c7ce0e47c83525983fd2c4c9566b4aad

  • SHA1

    38b7ad7bb32ffae35540fce373b8a671878dc54e

  • SHA256

    6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

  • SHA512

    ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

  Score

  3^/10

  discovery
  behavioral25behavioral26

• • Target

    $PLUGINSDIR/nsDialogs.dll

  • Size

    9KB

  • MD5

    4ccc4a742d4423f2f0ed744fd9c81f63

  • SHA1

    704f00a1acc327fd879cf75fc90d0b8f927c36bc

  • SHA256

    416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

  • SHA512

    790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

  • SSDEEP

    192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi

  Score

  3^/10

  discovery
  behavioral27behavioral28

• • Target

    4_ico.exe

  • Size

    1.8MB

  • MD5

    da509e5deddf831d53657daa6085ea0a

  • SHA1

    f1a38af68df429d77f81a5abbaec373e61dce0b0

  • SHA256

    7df6bdb1020248fbb52f6f8c62a8276a95f5d0bec293d21e0e390841cd408e85

  • SHA512

    a9af03ab6203bf87cc4165a551426d4b1fd7b40b98405bfe7c542c4f35af5f782192853de8614b9e32eac4cafba52431e080f36cdc2aaa865d110278eed2ec75

  • SSDEEP

    49152:28JNFmJtUSI8Retxbt5RXzlLQIrsJkg6ZvZ5:/J6Jti8Raxbt5Vz2IrUk93

  Score

  9^/10

  discoveryevasion

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral29behavioral30

• • Target

    6_ico.exe

  • Size

    1.9MB

  • MD5

    2eb51d3e2d13e8959ddc71ff8ee3aacd

  • SHA1

    a51e336a81b2f908ca64106c6a4f9ab2c506f540

  • SHA256

    13ff9c54fa7e2e665141c18d927f6c59ad50d9ae7c47ff4286f9859dfca65a91

  • SHA512

    c81f4ae9f0cddb46bcda6878336110852d7fd352a0e2eafa3645e80a6f177ca02984e52440a8204db49db1796277895c7985c922420245324994025e56d15e81

  • SSDEEP

    49152:AazhVU2HJgKY3gqVp13ki3WfMUIiDN6U9xQv:jaIGB3gqrFAIq6I6

  Score

  9^/10

  discoveryevasionspywarestealer

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral31behavioral32