General

  • Target

    60cb08aff943753c526cf73fd6007489.exe

  • Size

    4.2MB

  • Sample

    241219-hslp2avjer

  • MD5

    60cb08aff943753c526cf73fd6007489

  • SHA1

    82a65e58388a24fa079f644e574b5a26512d1078

  • SHA256

    5a1e55df322d7f0f410e19bda46827def8374605479fe22d16c921c36751ec96

  • SHA512

    e6cadb0cb30f8c37e8d20f8448952ded9ef9501ad03e059f6140e70f82fc8d3ce12033a7d8887b4793145b2c7d4279d71df02e2ad8ea4a4d973384973e7a1aa9

  • SSDEEP

    98304:+TiQFMObNwi4HDXYIeeRGLsAR5G5zVoOLU104TjQ6jY7:+TNjwvjVeeRicdLU1BTjQ6s

Malware Config

Extracted

Family

cryptbot

Targets

    • Target

      60cb08aff943753c526cf73fd6007489.exe

    • Size

      4.2MB

    • MD5

      60cb08aff943753c526cf73fd6007489

    • SHA1

      82a65e58388a24fa079f644e574b5a26512d1078

    • SHA256

      5a1e55df322d7f0f410e19bda46827def8374605479fe22d16c921c36751ec96

    • SHA512

      e6cadb0cb30f8c37e8d20f8448952ded9ef9501ad03e059f6140e70f82fc8d3ce12033a7d8887b4793145b2c7d4279d71df02e2ad8ea4a4d973384973e7a1aa9

    • SSDEEP

      98304:+TiQFMObNwi4HDXYIeeRGLsAR5G5zVoOLU104TjQ6jY7:+TNjwvjVeeRicdLU1BTjQ6s

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks