General

  • Target

    e34a61e1e9a3ba9dee9dcffc185f13d26427bb0168e1ec4c4fe1e61b3b5d9f1d.exe

  • Size

    4.2MB

  • Sample

    241219-exqyrsxpa1

  • MD5

    0b0b89846c005a9c7087e8272294ea86

  • SHA1

    cdd2b18e741ea6936bf32c642b11f3e676f58a1a

  • SHA256

    e34a61e1e9a3ba9dee9dcffc185f13d26427bb0168e1ec4c4fe1e61b3b5d9f1d

  • SHA512

    e62cff68f9f768242a5a87eed2193db4c77e22753354abde81417b841da34a1e0e637efe6cdb4d4ed852fe547d90d7d0ed01d72d6a1d5c02ceb6ef3a7b4ee676

  • SSDEEP

    98304:abRFXfzCAscSbMGXLQqSFyYSpnHXDo0QeiFnjfUbWxnU5C:a7XWAuX8RA3Do0DmjfUKO

Malware Config

Extracted

Family

cryptbot

Targets

    • CryptBot

      CryptBot is a C++ information stealer that is widely distributed bundled with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, and it can be used as a sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks