General

  • Target

    085ebe5916195a08c768e279650cdaa09b11b8ceda0fad4b9a499a4a3267b461.exe

  • Size

    4.3MB

  • Sample

    241229-cgnglayqan

  • MD5

    fbba61c61fa706eec44a022a1e9e3bac

  • SHA1

    74e5e5e2ad5dfba941f35c8e207cad219b9ad21d

  • SHA256

    085ebe5916195a08c768e279650cdaa09b11b8ceda0fad4b9a499a4a3267b461

  • SHA512

    75d98196ee6fdf28b074ca8a2e17d27c7b3eaa187bd0f92fb02391090974ac649d450e14c0238cebb8c629884d3f3e2c9737888deaa12dbe12187fbf03e57e72

  • SSDEEP

    98304:cNLH9lv77mJ/g1Ef/DPJWUUz+TE88fc9vv43AYRSjasy1UtAxa:uL/zypmo4UeuYfcy3+DtUa

Malware Config

Extracted

Family

cryptbot

Targets

    • Target

      085ebe5916195a08c768e279650cdaa09b11b8ceda0fad4b9a499a4a3267b461.exe

    • Size

      4.3MB

    • MD5

      fbba61c61fa706eec44a022a1e9e3bac

    • SHA1

      74e5e5e2ad5dfba941f35c8e207cad219b9ad21d

    • SHA256

      085ebe5916195a08c768e279650cdaa09b11b8ceda0fad4b9a499a4a3267b461

    • SHA512

      75d98196ee6fdf28b074ca8a2e17d27c7b3eaa187bd0f92fb02391090974ac649d450e14c0238cebb8c629884d3f3e2c9737888deaa12dbe12187fbf03e57e72

    • SSDEEP

      98304:cNLH9lv77mJ/g1Ef/DPJWUUz+TE88fc9vv43AYRSjasy1UtAxa:uL/zypmo4UeuYfcy3+DtUa

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks