Extracted

• • Target

    ac39195bc9a3f97ab72f608ba7e86c79b9de337862e290d7d00ba5e0aaf23ac7

  • Size

    4.2MB

  • MD5

    9a111da409acb04e0aead5b1ad4aa204

  • SHA1

    86a8b8f8c8e152de3804f38811279cd1e96aae0c

  • SHA256

    ac39195bc9a3f97ab72f608ba7e86c79b9de337862e290d7d00ba5e0aaf23ac7

  • SHA512

    f818a5403452b7d3965e387eb24af2f9a367baf4d247b67d13d5ca5a7132e9e412326f2c55d09ed7bd2c36aecb735cc5efcb346756117cae53d345512a59b121

  • SSDEEP

    98304:oCUaoUgDLtLw4nJhbtyPXq2KCuVkOZJ8QzwqTEld+k6CgvQ1PIdskHNOzdo:oCUPJLtRnJd+Kl9Z+QzwqTqz6TvQ0BMm

  Score

  10^/10

  cryptbotdefense_evasiondiscoveryspywarestealer

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • Cryptbot family

    cryptbot

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Blocklisted process makes network request

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1

• • Target

    $PLUGINSDIR/System.dll

  • Size

    11KB

  • MD5

    bf712f32249029466fa86756f5546950

  • SHA1

    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

  • SHA256

    7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

  • SHA512

    13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

  • SSDEEP

    192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/

  Score

  3^/10

  discovery
  behavioral2

• • Target

    $PLUGINSDIR/UAC.dll

  • Size

    14KB

  • MD5

    adb29e6b186daa765dc750128649b63d

  • SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

  • SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

  • SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

  • SSDEEP

    192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs

  Score

  3^/10

  discovery
  behavioral3

• • Target

    $PLUGINSDIR/UserInfo.dll

  • Size

    4KB

  • MD5

    c7ce0e47c83525983fd2c4c9566b4aad

  • SHA1

    38b7ad7bb32ffae35540fce373b8a671878dc54e

  • SHA256

    6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

  • SHA512

    ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

  Score

  3^/10

  discovery
  behavioral4

• • Target

    $PLUGINSDIR/nsDialogs.dll

  • Size

    9KB

  • MD5

    4ccc4a742d4423f2f0ed744fd9c81f63

  • SHA1

    704f00a1acc327fd879cf75fc90d0b8f927c36bc

  • SHA256

    416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

  • SHA512

    790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

  • SSDEEP

    192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi

  Score

  3^/10

  discovery
  behavioral5

• • Target

    $PLUGINSDIR/nsExec.dll

  • Size

    6KB

  • MD5

    132e6153717a7f9710dcea4536f364cd

  • SHA1

    e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

  • SHA256

    d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

  • SHA512

    9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

  • SSDEEP

    96:M/SspqrIYxLPEQhThvov3TE4/2Sa5P9QFFYzOx4uF3sbSEI5LP39sQvM:M/QUG7lhvov36S5FcUjliSEI5LuQ

  Score

  3^/10

  discovery
  behavioral6

• • Target

    DowloadX.exe

  • Size

    2.1MB

  • MD5

    e6964640c38b37d47d1af6f62d84293d

  • SHA1

    5fb66c1612d6931f5b9411ac697225812783b18b

  • SHA256

    ae93c138b8c1e7b3af5853244f1bd81d723b4bdd487caf00fb47e308d324798e

  • SHA512

    8178e081f63d403702c117b8b6bbf46f437e11d553e7ac0fa4a65e7bbd73a8d3a4026799283edfaf4c7b78d0ffbbd30f69ede60af8306238643d65fd86d89e99

  • SSDEEP

    49152:hNGj8GrEoUj035sC1b70Z84xBUMDn6MOSKxYhMTJA3xanaVY3x/nWf/0:PWEoUjfC17341vBiJ2anfhnWH0

  Score

  9^/10

  defense_evasiondiscovery

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral7

• • Target

    Download.exe

  • Size

    2.1MB

  • MD5

    4cd4a697f1f93ab36d37c39c09a889e7

  • SHA1

    b434186b165d0bd1a1b9169aef3bf04644c34b78

  • SHA256

    6fbec75c90bd2c0ea247d7d21978ed1af82e706f9f2f0b579f7077e35fc16ec0

  • SHA512

    f0feff6abe140656c42536c9761c85625d62956adccd6a8075aa95c5ef06247970a42ad1c6065237198ab72a5915a86a14d960c1ed9593d34881f69d2f7429f9

  • SSDEEP

    49152:abr8BU1rxuId1OC9bSnkANGF7uE9jpQCSIt2nAZu1Bu32AU7z:iiUHuoQtNG5uOCRC2nMfGLz

  Score

  10^/10

  cryptbotdefense_evasiondiscoveryspywarestealer

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • Cryptbot family

    cryptbot

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral8

• • Target

    ipras.vbs

  • Size

    126B

  • MD5

    b802ff9244875f69db2fae0f78e92b10

  • SHA1

    49385a89cd575894a29fbda969b99cc1f5cf8076

  • SHA256

    a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8

  • SHA512

    609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e

  Score

  8^/10

  • Blocklisted process makes network request

  • Legitimate hosting services abused for malware hosting/C2

  behavioral9