Overview

overview

10

Static

static

3

4648e37901...01.exe

windows7-x64

9

4648e37901...01.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4648e37901ccb1b4cc76c67a6d13d13d4233233bc8ef0f167f411821e682ba01.exe

  • Size

    8.6MB

  • Sample

    250207-e92wssyphs

  • MD5

    800f4d04c18ede014d4a9223e40f1d3a

  • SHA1

    6390f2d89d270d9e6e234bd4edd7868c135edf6d

  • SHA256

    4648e37901ccb1b4cc76c67a6d13d13d4233233bc8ef0f167f411821e682ba01

  • SHA512

    7574393ce996cc47b6db2a9f0afa0d52f3f74f0123db252fe87e69f25aa29e6ff2a30437e25d16071a4ccabc81e8565effaf22e3d55e84242c8988e7b7b6be89

  • SSDEEP

    98304:/dGauGH9PjGJBf3VVcWQmRIqwssejFp0AKOyz8Eaj:HABf7hVWAhG8Eaj

Score
10/10
cryptbotcredential_accessdefense_evasiondiscoveryspywarestealer

Malware Config

Targets

    • Target

      4648e37901ccb1b4cc76c67a6d13d13d4233233bc8ef0f167f411821e682ba01.exe

    • Size

      8.6MB

    • MD5

      800f4d04c18ede014d4a9223e40f1d3a

    • SHA1

      6390f2d89d270d9e6e234bd4edd7868c135edf6d

    • SHA256

      4648e37901ccb1b4cc76c67a6d13d13d4233233bc8ef0f167f411821e682ba01

    • SHA512

      7574393ce996cc47b6db2a9f0afa0d52f3f74f0123db252fe87e69f25aa29e6ff2a30437e25d16071a4ccabc81e8565effaf22e3d55e84242c8988e7b7b6be89

    • SSDEEP

      98304:/dGauGH9PjGJBf3VVcWQmRIqwssejFp0AKOyz8Eaj:HABf7hVWAhG8Eaj

    Score
    10/10
    defense_evasiondiscoverycryptbotcredential_accessspywarestealer

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • Cryptbot family

      cryptbot

    • Detects CryptBot payload

      CryptBot is a C++ stealer distributed widely in bundle with other software.

      spywarestealer

    • Enumerates VirtualBox registry keys

      defense_evasion

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Modify Authentication Process

1
T1556

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Authentication Process

1
T1556

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

5
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks