General

  • Target

    8d66e41b9670d3890741fea8536846630e8a0a9aaac7a8858cdd6fec59e71be6.exe

  • Size

    4.3MB

  • Sample

    241224-fv4mhs1rax

  • MD5

    73f68155f6230d9108727743c020e3b9

  • SHA1

    c424e5d1d5310588b154fd4f9e440a6f8972cbe4

  • SHA256

    8d66e41b9670d3890741fea8536846630e8a0a9aaac7a8858cdd6fec59e71be6

  • SHA512

    fca81963b539c4cb8d43ef09de5977d442b044ef5bb4986cb98913bfd967c8271802f64ad3153b749f8c06f7296e75047b69b5e27665ea57d0f54ce90e0bdc91

  • SSDEEP

    98304:nuHtPnOxYsJlCI5HgKd0coQz3AvDf3KYK3XkgNYx+XKpkWFEc:uHtPnOJJlTpgIxD3ejnWXk0G+6yW

Malware Config

Extracted

Family

cryptbot

Targets

    • CryptBot

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks