General

  • Target

    327e4bd70e2906769929a778b0bcd154.exe

  • Size

    4.3MB

  • Sample

    241224-je84vasqdt

  • MD5

    327e4bd70e2906769929a778b0bcd154

  • SHA1

    3c585820793d95d83246ae07d14c27573fac2995

  • SHA256

    b34f8c961602120e9e73cae2cc5acd563bf8069760b18ce81e6eecdd22658601

  • SHA512

    6b32b3b9e9c94dca4cbc7d36e631299c215ad536ecf152980f7f77b7f5d307f4c6b7e462101445909f6d68086695293cd412d4018b50d63076934d6a22005a19

  • SSDEEP

    98304:ZelV7kkR2OFNwHI2gEn2k/2hwJvOox54Fale6q006hJNl:Z6uk1C2TaJzx54We690CV

Malware Config

Extracted

Family

cryptbot

Targets

    • Target

      327e4bd70e2906769929a778b0bcd154.exe

    • Size

      4.3MB

    • MD5

      327e4bd70e2906769929a778b0bcd154

    • SHA1

      3c585820793d95d83246ae07d14c27573fac2995

    • SHA256

      b34f8c961602120e9e73cae2cc5acd563bf8069760b18ce81e6eecdd22658601

    • SHA512

      6b32b3b9e9c94dca4cbc7d36e631299c215ad536ecf152980f7f77b7f5d307f4c6b7e462101445909f6d68086695293cd412d4018b50d63076934d6a22005a19

    • SSDEEP

      98304:ZelV7kkR2OFNwHI2gEn2k/2hwJvOox54Fale6q006hJNl:Z6uk1C2TaJzx54We690CV

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks