General

  • Target

    ebfe28cb77f3d1246693fa372420d022.exe

  • Size

    4.2MB

  • Sample

    241220-stlrjayrcm

  • MD5

    ebfe28cb77f3d1246693fa372420d022

  • SHA1

    f775bdf11301f3c1577668ae9245e1c22ab54ea6

  • SHA256

    fcf09a75838f976b2a8112606dee0912e662a5727822d8e349006299c3f6093a

  • SHA512

    dea11bcc617b17fd7bb050ef32c27f00a623f209d88df6c712d5cfc10c82141cc5ff8ec9507d0f8ec6bc8f8b675e105b1972264deab5a3fbc91c9f9b2ab80d9e

  • SSDEEP

    98304:jh5LEofZ8SpH2OOS9gqEGuqskgY07kVOURaGIqGpMu0AU:d9D7zOS9gqEGuqskgYZOURaGW

Malware Config

Extracted

Family

cryptbot

Targets

    • Target

      ebfe28cb77f3d1246693fa372420d022.exe

    • Size

      4.2MB

    • MD5

      ebfe28cb77f3d1246693fa372420d022

    • SHA1

      f775bdf11301f3c1577668ae9245e1c22ab54ea6

    • SHA256

      fcf09a75838f976b2a8112606dee0912e662a5727822d8e349006299c3f6093a

    • SHA512

      dea11bcc617b17fd7bb050ef32c27f00a623f209d88df6c712d5cfc10c82141cc5ff8ec9507d0f8ec6bc8f8b675e105b1972264deab5a3fbc91c9f9b2ab80d9e

    • SSDEEP

      98304:jh5LEofZ8SpH2OOS9gqEGuqskgY07kVOURaGIqGpMu0AU:d9D7zOS9gqEGuqskgYZOURaGW

    • CryptBot

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read from the registry in order to detect sandbox environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks