General

  • Target

    file.exe

  • Size

    4.2MB

  • Sample

    241120-fc3mhasbkj

  • MD5

    8b5772c3c7cb47028b95108d7fd6ee81

  • SHA1

    76e6c0f7557aa2701bfa33adab0ccf369a32339b

  • SHA256

    d5dd5c9aad3e2875ce4712d199d90ce363f0f36d809638c3476a06ea3cfa455a

  • SHA512

    7d4be6396f4d4bedff7fa5c32c28fcdbd39242c0d528894123e7e60e50897528b23454fecfd5ef48968bcc0e4034091a41e112f8717135c7b8fad0bbd24c2ff2

  • SSDEEP

    98304:9l/ThMbmUryZJ4GGRqD5MMGXZYoOcaP+H5RfVmq1V4Dxy0r0yYiZTk0:9Nubm9aGG+5MM6daP+ZRfVbV6xB0yY

Malware Config

Targets

    • Target

      file.exe

    • Size

      4.2MB

    • MD5

      8b5772c3c7cb47028b95108d7fd6ee81

    • SHA1

      76e6c0f7557aa2701bfa33adab0ccf369a32339b

    • SHA256

      d5dd5c9aad3e2875ce4712d199d90ce363f0f36d809638c3476a06ea3cfa455a

    • SHA512

      7d4be6396f4d4bedff7fa5c32c28fcdbd39242c0d528894123e7e60e50897528b23454fecfd5ef48968bcc0e4034091a41e112f8717135c7b8fad0bbd24c2ff2

    • SSDEEP

      98304:9l/ThMbmUryZJ4GGRqD5MMGXZYoOcaP+H5RfVmq1V4Dxy0r0yYiZTk0:9Nubm9aGG+5MM6daP+ZRfVbV6xB0yY

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Cryptbot family

    • Detects CryptBot payload

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks