General

  • Target

    d1f1891332480d2aebf175fb230eb818fc1de151f8cb6e860b9822351fdc9b0b

  • Size

    4.3MB

  • Sample

    241217-tdmjkatmcm

  • MD5

    2c719f77b7093d405c076ea8e1cecb89

  • SHA1

    ff8da0285514de691aa3b14f51b0224a9363054f

  • SHA256

    d1f1891332480d2aebf175fb230eb818fc1de151f8cb6e860b9822351fdc9b0b

  • SHA512

    2da4a1060b0d7242cd5cc673aee55502e2424a657d68d0971ceb5be2d496cb4c817ccd00800bc66ea37c9df6f587f211f1dbef3d6487d20e53bdeaf782f261a2

  • SSDEEP

    98304:hNPJZxwI+lziiNknS9V7Myj6vaoBAPS/+7NmyX4905qqomi:hNPP+ImzDNkSH7cCoCPS/juVi

Malware Config

Extracted

Family

cryptbot

Targets

    • Target

      d1f1891332480d2aebf175fb230eb818fc1de151f8cb6e860b9822351fdc9b0b

    • Size

      4.3MB

    • MD5

      2c719f77b7093d405c076ea8e1cecb89

    • SHA1

      ff8da0285514de691aa3b14f51b0224a9363054f

    • SHA256

      d1f1891332480d2aebf175fb230eb818fc1de151f8cb6e860b9822351fdc9b0b

    • SHA512

      2da4a1060b0d7242cd5cc673aee55502e2424a657d68d0971ceb5be2d496cb4c817ccd00800bc66ea37c9df6f587f211f1dbef3d6487d20e53bdeaf782f261a2

    • SSDEEP

      98304:hNPJZxwI+lziiNknS9V7Myj6vaoBAPS/+7NmyX4905qqomi:hNPP+ImzDNkSH7cCoCPS/juVi

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks