General

  • Target

    aa1d9bfcb4fee4ff65cf6209fbc83204.exe

  • Size

    4.3MB

  • Sample

    241219-h5425svpfp

  • MD5

    aa1d9bfcb4fee4ff65cf6209fbc83204

  • SHA1

    3334182b3bf48e928683a9c0a87d25ea57e8d70b

  • SHA256

    dc645ba585c2d41ec553cefd46bd3dab212882cb07097905f9ed071e8882b161

  • SHA512

    aec316f0ea02349b57a5e75a972edf70b8aea705a7c74f67452a5840834fca0cf70c3d099ca003bab73a25186e6f03298ea68440a03216fb40ece74b82f71d68

  • SSDEEP

    98304:TY4QNoH37vLuyZo7QyuTTGlo/ZyCSCPz3Xf00MpmZxaWK9Ye3r:U453/ukyu3LZyjyzf9MmyWs/3r

Malware Config

Extracted

Family

cryptbot

Targets

    • Target

      aa1d9bfcb4fee4ff65cf6209fbc83204.exe

    • Size

      4.3MB

    • MD5

      aa1d9bfcb4fee4ff65cf6209fbc83204

    • SHA1

      3334182b3bf48e928683a9c0a87d25ea57e8d70b

    • SHA256

      dc645ba585c2d41ec553cefd46bd3dab212882cb07097905f9ed071e8882b161

    • SHA512

      aec316f0ea02349b57a5e75a972edf70b8aea705a7c74f67452a5840834fca0cf70c3d099ca003bab73a25186e6f03298ea68440a03216fb40ece74b82f71d68

    • SSDEEP

      98304:TY4QNoH37vLuyZo7QyuTTGlo/ZyCSCPz3Xf00MpmZxaWK9Ye3r:U453/ukyu3LZyjyzf9MmyWs/3r

    • CryptBot

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks