General

  • Target

    61039d97d478405525707e3c0b4b3003.exe

  • Size

    4.2MB

  • Sample

    241220-sqkp3ayjhs

  • MD5

    61039d97d478405525707e3c0b4b3003

  • SHA1

    501cf467cd61ca88a1e0991c2d7899a97237d8ff

  • SHA256

    be39f15bfaeb90c138dbbc06f647ba537c5b451459343b9ef2a5583c0a02a89c

  • SHA512

    d08d9262de6777f0b9f7d010462ec669d3f58cc202c528ca8caac9c9611a50629ee3c311abc3689fa7ce2e52eb1dacc17b3e9f0aac61ffa6f924e903879d74ee

  • SSDEEP

    98304:rJjB8hwcXiocct8XrfDDUR8o7iPiyg9GrLi+3OgQp8odxsw53Er:t+WE8Xr0Rt7crg9Gu+3OgQQw

Malware Config

Extracted

Family

cryptbot

Targets

    • Target

      61039d97d478405525707e3c0b4b3003.exe

    • CryptBot

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read from the registry in order to detect sandbox environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks