General

  • Target

    273813e96ea6dad4fdbeb9d791929caf69b193f488d9adc7cf66cf00a8b5b098

  • Size

    4.2MB

  • Sample

    241122-w7fdfswkgx

  • MD5

    7dfd0e3781e268e2e6d5f6e8712455fb

  • SHA1

    beb4b1e543d14e26c3ddccfe324eb8f3ba67194f

  • SHA256

    273813e96ea6dad4fdbeb9d791929caf69b193f488d9adc7cf66cf00a8b5b098

  • SHA512

    fe62997c3cde4125871681f8c85986e5f598cd6e03cdf76d916cf228ff85bbbd56450fed2585837b48f74167e0d8404e7e247d9087be5dad41d67cd391b2e57d

  • SSDEEP

    98304:79pUUv3qR8haBIQxhHppPaNv55OvJef17oHW+youabEWw:79vPS8haBIQrqNRee6VyXabED

Malware Config

Targets

    • Target

      273813e96ea6dad4fdbeb9d791929caf69b193f488d9adc7cf66cf00a8b5b098

    • Size

      4.2MB

    • MD5

      7dfd0e3781e268e2e6d5f6e8712455fb

    • SHA1

      beb4b1e543d14e26c3ddccfe324eb8f3ba67194f

    • SHA256

      273813e96ea6dad4fdbeb9d791929caf69b193f488d9adc7cf66cf00a8b5b098

    • SHA512

      fe62997c3cde4125871681f8c85986e5f598cd6e03cdf76d916cf228ff85bbbd56450fed2585837b48f74167e0d8404e7e247d9087be5dad41d67cd391b2e57d

    • SSDEEP

      98304:79pUUv3qR8haBIQxhHppPaNv55OvJef17oHW+youabEWw:79vPS8haBIQrqNRee6VyXabED

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Cryptbot family

    • Detects CryptBot payload

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks