General

  • Target: JaffaCakes118_d3b9ef895c0023f920b80cdc47303013ee118805dbe49d178a571aff1a23d039
  • Size: 2.5MB
  • Sample: 241229-rfnhjatjgq
  • MD5: c4205df402e07c22e7af5c73cfac31b2
  • SHA1: b2bb01e6eb9100b2068f2e008bd89f03230c6a39
  • SHA256: d3b9ef895c0023f920b80cdc47303013ee118805dbe49d178a571aff1a23d039
  • SHA512: f4fa661b4a97032fcd55dec3b218e035e8814f25a6213dafa3266815138d52a3d4c47da5d80eb70961e573ea8be218f451c312e8d59db057f9b9c74760109254
  • SSDEEP: 49152:y9bsFZ9EN7MUZtt4b4hAhhj2IN9o4hMPnmOUl4GBXx6qxv:y9MnEZMUvAPyIN9o4hMrUlpBx6ev

Malware Config

Extracted

Family

cryptbot

C2

kotehj62.top

Attributes

  • payload_url: http://okadoc09.top/download.php?file=makeyr.exe

Targets

    • Target: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8
    • Size: 2.5MB
    • MD5: 71af238fbf3c5a3a2c2c3594f1ba8a32
    • SHA1: b9f49782704b14572985ca13b10842d3aa836ad0
    • SHA256: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8
    • SHA512: fb12811297a22a71ead742dcde54357cf712c04ad690ed6103287f903592999fcde804357488e062fb8783a24394cc0ff23fa1ffbb9d15941e38873a75f59d7f
    • SSDEEP: 49152:CfOvZRdfTgXdzaoRCK5btOmZy7pbHjaONrPIZ:CfWG+/abzZy7dHjaOaZ

    • CryptBot

      CryptBot is a C++ information stealer that is widely distributed bundled with other software.

    • Cryptbot family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks