General

  • Target

    3fbe557c7ec8409f30604b0f5e365f70.exe

  • Size

    4.2MB

  • Sample

    241220-shya7aypel

  • MD5

    3fbe557c7ec8409f30604b0f5e365f70

  • SHA1

    00d9f4548c93be387f68c1b7aeedcf4c75873b60

  • SHA256

    f4e7b423983d4606cb9a72876f57c870884b40556ab6ea3da498d69e02acacab

  • SHA512

    802d3925592429a116f24c5a35723f030ea6fc4924dc201eb69a09bfeda57aac3e0c2246d0e213d131b888515936c31d13c03fd6c32c2d091a3ddc2437c1642d

  • SSDEEP

    98304:Lcv0DvP7v4m0C6OkeSEj18aRZTZgE5CT+zM:/vjgmj36Ej931guCT

Malware Config

Extracted

Family

cryptbot

Targets

    • Target

      3fbe557c7ec8409f30604b0f5e365f70.exe

    • CryptBot

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks