General

  • Target

    efd7bbaba8aa8e6865430d1ffcfbf2d5.exe

  • Size

    4.3MB

  • Sample

    241227-q9152swkdt

  • MD5

    efd7bbaba8aa8e6865430d1ffcfbf2d5

  • SHA1

    a9c1b894dc0628909524f21c2b8da3d80d4d1725

  • SHA256

    044837966b88050aafba12d5765a42768de8b1b55cd83a274df9a0fcf17fede2

  • SHA512

    eacc546270f7cc56567b2003ff0274ec063f756dda74a523a571be93197ae09167b37e6e644e67f586bbd23d4645684d00f5e5be28f991dc19e6fcd281957fd9

  • SSDEEP

    98304:f9BerfMdJtZSrZBU0/2pF+TTwmddqkqNhoJKs5L:f9SMqYAqmdgNhoM

Malware Config

Extracted

Family

cryptbot

Targets

    • Target

      efd7bbaba8aa8e6865430d1ffcfbf2d5.exe

    • Size

      4.3MB

    • MD5

      efd7bbaba8aa8e6865430d1ffcfbf2d5

    • SHA1

      a9c1b894dc0628909524f21c2b8da3d80d4d1725

    • SHA256

      044837966b88050aafba12d5765a42768de8b1b55cd83a274df9a0fcf17fede2

    • SHA512

      eacc546270f7cc56567b2003ff0274ec063f756dda74a523a571be93197ae09167b37e6e644e67f586bbd23d4645684d00f5e5be28f991dc19e6fcd281957fd9

    • SSDEEP

      98304:f9BerfMdJtZSrZBU0/2pF+TTwmddqkqNhoJKs5L:f9SMqYAqmdgNhoM

    • CryptBot

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
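
The behaviours listed above (VirtualBox key and ACPI probes, BIOS value reads, Wine key lookups, Uninstall key enumeration and the NtSetInformationThread call) are all visible as registry and API events in a sandbox trace. The following Python is an added example, not code from the report, from the sandbox vendor or from the CryptBot sample: it turns those signature descriptions into matching rules and runs them over a constructed, Procmon-style event log. The tab-separated event format and operation names are an assumption made for the example; the registry paths are the well-known VirtualBox, Wine and BIOS artifacts these checks read, and 0x11 is the ThreadHideFromDebugger value of the THREADINFOCLASS enumeration.

```python
import re
from collections import defaultdict

# THREADINFOCLASS::ThreadHideFromDebugger; a thread set to this class stops
# delivering debug events, which is why the call is flagged as suspicious.
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Registry-based signatures, named after the report's own behaviour labels.
# The regexes match the key paths the sample would have to touch.
REGISTRY_RULES = [
    ("Enumerates VirtualBox registry keys",
     re.compile(r"Oracle\\VirtualBox Guest Additions|"
                r"Services\\VBox(?:Guest|Mouse|Service|SF|Video)", re.I)),
    ("Identifies VirtualBox via ACPI registry values",
     re.compile(r"HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks BIOS information in registry",
     re.compile(r"HARDWARE\\DESCRIPTION\\System\\"
                r"(?:SystemBiosVersion|VideoBiosVersion|BIOS\\)", re.I)),
    ("Identifies Wine through registry keys",
     re.compile(r"^HK(?:CU|LM)\\Software\\Wine(?:\\|$)", re.I)),
    ("Checks installed software on the system",
     re.compile(r"Microsoft\\Windows\\CurrentVersion\\Uninstall", re.I)),
]

# Constructed sample trace (not taken from the report): one event per line as
# "<pid>\t<operation>\t<path or handle>\t<result or detail>".
SAMPLE_LOG = """\
1234\tRegOpenKey\tHKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions\tNAME NOT FOUND
1234\tRegOpenKey\tHKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest\tNAME NOT FOUND
1234\tRegQueryValue\tHKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__\tNAME NOT FOUND
1234\tRegQueryValue\tHKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion\tSUCCESS
1234\tRegQueryValue\tHKLM\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion\tSUCCESS
1234\tRegOpenKey\tHKCU\\Software\\Wine\tNAME NOT FOUND
1234\tRegEnumKey\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\tSUCCESS
1234\tRegEnumKey\tHKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\tSUCCESS
1234\tNtSetInformationThread\tThreadHandle=0xF4\tThreadInformationClass=0x11
1234\tRegOpenKey\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS
"""


def normalize_hive(path):
    """Expand long hive names so the rules only need the short HKLM/HKCU form."""
    return (path.replace("HKEY_LOCAL_MACHINE", "HKLM")
                .replace("HKEY_CURRENT_USER", "HKCU"))


def classify_event(pid, op, target, detail):
    """Return the signature names a single event matches.

    The registry result (SUCCESS / NAME NOT FOUND) is deliberately ignored:
    on bare metal the VirtualBox and Wine keys do not exist, and the probe
    itself, not its outcome, is the anti-analysis signal.
    """
    hits = []
    if op.startswith("Reg"):
        path = normalize_hive(target)
        hits.extend(name for name, rx in REGISTRY_RULES if rx.search(path))
    elif op == "NtSetInformationThread":
        m = re.search(r"ThreadInformationClass=(0x[0-9a-fA-F]+|\d+)", detail)
        if m:
            raw = m.group(1)
            cls = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
            if cls == THREAD_HIDE_FROM_DEBUGGER:
                hits.append("Suspicious use of NtSetInformationThreadHideFromDebugger")
    return hits


def scan_log(text):
    """Map each signature name to the list of (operation, target) events that fired it."""
    found = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, op, target, detail = line.split("\t", 3)
        for name in classify_event(pid, op, target, detail):
            found[name].append((op, target))
    return dict(found)


def anti_analysis_signatures(found):
    """Signatures that specifically indicate VM/sandbox/debugger evasion.

    Uninstall-key enumeration is excluded: installers and inventory tools do
    it too, so it is only corroborating context, not evasion by itself.
    """
    return sorted(name for name in found
                  if name != "Checks installed software on the system")


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for name, events in result.items():
        print(f"{name}: {len(events)} event(s)")
    print("anti-analysis:", anti_analysis_signatures(result))
```

Run against a real trace, the same rules apply to Procmon CSV exports or a sandbox's registry event stream once the columns are mapped to the four fields above; the one thing to keep is the decision not to filter on the result column, since a NAME NOT FOUND on a VBox key is exactly what an evasive sample sees on a victim machine.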

MITRE ATT&CK Enterprise v15

Tasks