General

  • Target

    43e41aec9e2c027a0316b7500f14b9d4.exe

  • Size

    4.2MB

  • Sample

    241218-ypvrjazlfz

  • MD5

    43e41aec9e2c027a0316b7500f14b9d4

  • SHA1

    599109f59debf7880dd9decfed047829241ac341

  • SHA256

    f5743915756451135c9902ae18aa3b6f3727cb2ac4444acef3f6b3daeab2982c

  • SHA512

    b8a53692dca178c97a5518317a8e3dbbce3d1535881d048530fba4f14719109b04ecd6bc6a98afaf0c67e077b49c69b87decd72c9adc7eb92245d9cb4f1867c7

  • SSDEEP

    98304:2O2iTB5COUtEiSi3k5wZCgNLc/0VZp62iDrArPZ8QmtNOaR2xd5:2OjT/Crxj0erLc/0/NCrJCt

Malware Config

Extracted

Family

cryptbot

Targets

    • Target

      43e41aec9e2c027a0316b7500f14b9d4.exe


    • CryptBot

      CryptBot is a C++ information stealer that is widely distributed bundled with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks