General

  • Target

    3287ce2d6be3f77c5d1e7cc351f4ad5f.exe

  • Size

    4.3MB

  • Sample

    241218-yshals1kfp

  • MD5

    3287ce2d6be3f77c5d1e7cc351f4ad5f

  • SHA1

    d9f04b9c1d610402c10c27772169d9e911d9adf5

  • SHA256

    7619900af0011cd2b40be259c52acf7e7415532d002a09267bcfb823ea1f38c4

  • SHA512

    f3f99e918f412a511c1324e89359645a37933f855b3da5214611906b861203ae6aad20dab6e04ee5bae3fa134ae604ce61c08f9de3cd2718fb1090f193477d95

  • SSDEEP

    98304:mUq/Rjfin/BjlBFxg28sXGOID18Radfg85LhEPse:mUyjeBjDFxg28UGO+9guhas

Malware Config

Extracted

Family

cryptbot

Targets

    • Target

      3287ce2d6be3f77c5d1e7cc351f4ad5f.exe

    • Size

      4.3MB

    • MD5

      3287ce2d6be3f77c5d1e7cc351f4ad5f

    • SHA1

      d9f04b9c1d610402c10c27772169d9e911d9adf5

    • SHA256

      7619900af0011cd2b40be259c52acf7e7415532d002a09267bcfb823ea1f38c4

    • SHA512

      f3f99e918f412a511c1324e89359645a37933f855b3da5214611906b861203ae6aad20dab6e04ee5bae3fa134ae604ce61c08f9de3cd2718fb1090f193477d95

    • SSDEEP

      98304:mUq/Rjfin/BjlBFxg28sXGOID18Radfg85LhEPse:mUyjeBjDFxg28UGO+9guhas

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks