General

  • Target

    40147209edc2604a1d653bf65890c705939237f79a43ec544dfc74343777923c.exe

  • Size

    4.2MB

  • Sample

    241219-c6ntnatmey

  • MD5

    079795064f41b5e6be3580417649285b

  • SHA1

    25f3575baaf1808837cc6cefa61e340d5f6b8352

  • SHA256

    40147209edc2604a1d653bf65890c705939237f79a43ec544dfc74343777923c

  • SHA512

    dc0ec23df0f74aa4f6ee48b1e0a8b5c70067daade43090debc504f561cf75de92893f202c1eb28fef4f6bdb420fac1cac191a01fc4bad60ba8b7ed26fbd6beec

  • SSDEEP

    98304:4x4a5Y8VxDDHZFfgCnKTMEs20dMAKc1WNpq3E8rEVZbZW:Na5Y8Vx1FuTMEsXiTN800MZlW

Malware Config

Extracted

Family

cryptbot

Targets

    • Target

      40147209edc2604a1d653bf65890c705939237f79a43ec544dfc74343777923c.exe

    • CryptBot

      CryptBot is a C++ information stealer that is widely distributed bundled with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops a debugger from receiving events for that thread, a common anti-debugging technique.
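The signatures above describe registry and API artifacts the sandbox observed. As an added example, not part of this report and not the sandbox's own detection code, the following Python script applies equivalent matching to a constructed event log and grades each process, so that a single BIOS or Uninstall read, which legitimate installers also perform, is not by itself treated as evasion. The pipe-delimited log format, the process IDs and the specific registry paths are assumptions (typical artifacts of each check), not values taken from the report.

```python
import re
from collections import defaultdict

# Signature name (as listed in the report) -> (event kind, case-insensitive regex on the target).
# The registry paths and the API-call shape are assumed, typical artifacts of each check;
# the report itself does not list them.
SIGNATURES = {
    "Enumerates VirtualBox registry keys":
        ("reg_open", r"\\Services\\VBox(Guest|Mouse|Service|SF|Video)\b"),
    "Identifies VirtualBox via ACPI registry values":
        ("reg_query", r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    "Checks BIOS information in registry":
        ("reg_query", r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$"),
    "Identifies Wine through registry keys":
        ("reg_open", r"\\Software\\Wine$"),
    "Checks installed software on the system":
        ("reg_enum", r"\\CurrentVersion\\Uninstall$"),
    "Suspicious use of NtSetInformationThreadHideFromDebugger":
        ("api_call", r"^NtSetInformationThread\(.*ThreadInformationClass=0x11\b"),
}

ANTI_VM = {
    "Enumerates VirtualBox registry keys",
    "Identifies VirtualBox via ACPI registry values",
    "Checks BIOS information in registry",
    "Identifies Wine through registry keys",
}
ANTI_DEBUG = {"Suspicious use of NtSetInformationThreadHideFromDebugger"}

# Constructed event log in a simplified "pid|kind|target" form (not sandbox output).
# PID 4120 behaves like the sample; PID 988 is a benign-looking installer that reads
# BIOS data and enumerates installed software, which on its own is not evasion.
RAW_LOG = r"""
4120|reg_open|HKLM\SYSTEM\ControlSet001\Services\VBoxGuest
4120|reg_query|HKLM\HARDWARE\ACPI\DSDT\VBOX__
4120|reg_query|HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
4120|reg_open|HKCU\Software\Wine
4120|reg_enum|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
4120|api_call|NtSetInformationThread(ThreadHandle=0xffffffff, ThreadInformationClass=0x11)
988|reg_query|HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
988|reg_enum|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
"""


def parse_log(text):
    """Turn 'pid|kind|target' lines into (int pid, kind, target) tuples."""
    events = []
    for line in text.strip().splitlines():
        pid, kind, target = line.split("|", 2)
        events.append((int(pid), kind, target))
    return events


def match_signatures(events):
    """Return {pid: sorted list of signature names} for every event that matches a rule."""
    hits = defaultdict(set)
    for pid, kind, target in events:
        for name, (want_kind, pattern) in SIGNATURES.items():
            if kind == want_kind and re.search(pattern, target, re.IGNORECASE):
                hits[pid].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def classify(names):
    """Grade a process: hiding threads from a debugger, or two or more VM checks, is evasive;
    a single VM-related read is only suspicious, because installers and inventory tools
    legitimately read BIOS strings and Uninstall entries."""
    vm = len(ANTI_VM.intersection(names))
    dbg = len(ANTI_DEBUG.intersection(names))
    if dbg or vm >= 2:
        return "evasive"
    if vm == 1:
        return "suspicious"
    return "benign-looking"


def analyze(text):
    """Map pid -> (verdict, matched signature names) for a raw log."""
    return {pid: (classify(names), names)
            for pid, names in match_signatures(parse_log(text)).items()}


if __name__ == "__main__":
    for pid, (verdict, names) in analyze(RAW_LOG).items():
        print(f"pid {pid}: {verdict}")
        for name in names:
            print(f"    - {name}")
```

The grading deliberately weights the ThreadHideFromDebugger call on its own as evasive, since no ordinary application needs to hide threads from a debugger, while the registry reads are only combined into a verdict, because each of them individually has legitimate uses.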

MITRE ATT&CK Enterprise v15
