General

  • Target

    32353fd729d2709ff0f7fbd5af5d38b1.exe

  • Size

    4.3MB

  • Sample

    241219-h5jffavpdm

  • MD5

    32353fd729d2709ff0f7fbd5af5d38b1

  • SHA1

    bd2666a194111152ed802d4c5ae96f5ecc6f61c3

  • SHA256

    506a9cff027877d2344079b59c90ed5cd5f85225ede2828ce2a9aaf0c22cd329

  • SHA512

    09f8cf2c288453d75d0ef19065f62791bbdd7a5fe1f91294db23025b9f394f9edcaae3c4451b2ce6807f0bdd9b39a977a5905a6aa44b9ba6ab39b162486839b7

  • SSDEEP

    98304:MguHODsiLajDAxR0JTwvlJR8UccWrZksZEVP:aHOsiLvR0JYl4Z

Malware Config

Extracted

Family

cryptbot

C2

http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734

Targets

    • Target

      32353fd729d2709ff0f7fbd5af5d38b1.exe

    • Size

      4.3MB

    • MD5

      32353fd729d2709ff0f7fbd5af5d38b1

    • SHA1

      bd2666a194111152ed802d4c5ae96f5ecc6f61c3

    • SHA256

      506a9cff027877d2344079b59c90ed5cd5f85225ede2828ce2a9aaf0c22cd329

    • SHA512

      09f8cf2c288453d75d0ef19065f62791bbdd7a5fe1f91294db23025b9f394f9edcaae3c4451b2ce6807f0bdd9b39a977a5905a6aa44b9ba6ab39b162486839b7

    • SSDEEP

      98304:MguHODsiLajDAxR0JTwvlJR8UccWrZksZEVP:aHOsiLvR0JYl4Z

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks