General

  • Target

    df8a640b27ba57ed68bd74d105225fb2

  • Size

    1.4MB

  • Sample

    240326-tbaf8agf3v

  • MD5

    df8a640b27ba57ed68bd74d105225fb2

  • SHA1

    0acb4fd31f72087c30cfca2e7e02567fd3793881

  • SHA256

    63be92fd1c59c06bf508be25efd2d490143f86dea412f507738111da7e516ddb

  • SHA512

    6c0f2bc513d808a1d35ed8458843e452e7fd58f925b25b502c48c83c4cd50e5a415f6636e263ea42c8a4f0be6a3e3e812fdbe080d01db58f62ea9110ee198308

  • SSDEEP

    24576:wg41CI4yDlcBuTWT93Y15QmX9uTPGhPKFp3GAeTWqCQi364Iqhl+PPrA/hkGhdHT:94v4UcB3I8mX9sPGhPOGAyWd64Iqh08h

Malware Config

Extracted

Family

cryptbot

C2

haiusm13.top

morhas01.top

Attributes

  • payload_url

    http://zelcax01.top/download.php?file=lv.exe

Targets

    • Target

      df8a640b27ba57ed68bd74d105225fb2

    • Size

      1.4MB

    • MD5

      df8a640b27ba57ed68bd74d105225fb2

    • SHA1

      0acb4fd31f72087c30cfca2e7e02567fd3793881

    • SHA256

      63be92fd1c59c06bf508be25efd2d490143f86dea412f507738111da7e516ddb

    • SHA512

      6c0f2bc513d808a1d35ed8458843e452e7fd58f925b25b502c48c83c4cd50e5a415f6636e263ea42c8a4f0be6a3e3e812fdbe080d01db58f62ea9110ee198308

    • SSDEEP

      24576:wg41CI4yDlcBuTWT93Y15QmX9uTPGhPKFp3GAeTWqCQi364Iqhl+PPrA/hkGhdHT:94v4UcB3I8mX9sPGhPOGAyWd64Iqh08h

    • CryptBot

      A C++ stealer that is widely distributed bundled with other software.

    • CryptBot payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      Chiedergli.ppt

    • Size

      872KB

    • MD5

      7484935a5926b82e75b887c088116124

    • SHA1

      4c618326ca9d79cea9e965b4f466aa090992f879

    • SHA256

      c02d3ec1eb496fec19e09155f32f3e029bc093f992391bc5e6bdc070e2f07d73

    • SHA512

      a6d69c3632a6b8c8205a15f988b4e48c622b52a06139ed3fa713be5ea2a6598ffe570a41e38596c706f39a68be78765dd9649b1f72cff401785b115fe66c0835

    • SSDEEP

      12288:jpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:jT3E53Myyzl0hMf1tr7Caw8M01

    • Score

      1/10

    • Target

      Ricordate.ppt

    • Size

      580B

    • MD5

      8af4f52e6b5c5e8b75b4896269822897

    • SHA1

      a5d2aa9295fcd0564fbc56e111e761f9cec44f98

    • SHA256

      e8f99ceb985beacb62bd58e52c1559e70964cb58642889dc5dfc02ac011577a6

    • SHA512

      c186acf777e74c1143d34a6df6e8a1e6dfcdccdbe9b4f16a177f46127036546245b2cc8e8ce5f248ace5385cf7d472093d0bf00d3bdf5bbbc0841948e3b83a64

    • Score

      1/10

    • Target

      Sfaldavano.ppt

    • Size

      634KB

    • MD5

      583b1b8e296e1ac5c9bfbbea75535ae2

    • SHA1

      99fce7f722eee8a5e6008a55ba7f91f80ea772d3

    • SHA256

      bbcd3d461757a7bc3313eed80243e13a03672b534caae3cd91779f2716196758

    • SHA512

      7dfe528f7d5f9d1e066b7c892ec565b1c85e393bd95c8decd14e6013146405fa5d23f0e803bdce3c2694309160125f3af8f79ed0ed87d397a12cdaac86225701

    • SSDEEP

      12288:+cffSgwsGAe7BTq+MqtfwnI364yT1Jra9/Ydzmmq+pcXrPoPZGYPbUrAomRd/xLe:a/sGAe7RqSoI364Zid78PJrAH55G7/Y6

    • Score

      1/10

    • Target

      Tenue.ppt

    • Size

      668KB

    • MD5

      7e91e5014e1b4f01958d566835ffd147

    • SHA1

      4dc51048b6b51118a08b4770fae94a4c31da0ed9

    • SHA256

      46c707057c1fd67eb08a9d1b229ff97b82338f17a450295f46c97c316972b358

    • SHA512

      3fe3a7b0a1bbd8666e25c4a021bb86c5949dfb75edc97c66e23aa4447a1dd815979c78ae3b590816777cf744c08828acb29d728b20fcd37a83aaa34e1c0c6fc4

    • SSDEEP

      12288:tMMMM26JErQN8qgnAaAD2iQi45aztkIzjczwG/4iy/frXYaIqwWsTFTSf9RTCRT3:2r1HafN45Eit4i6fIjWsTFTSfLTUTXEO

    • Score

      1/10

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence

    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (5)

  • Credential Access

    T1552 Unsecured Credentials (2)
    T1552.001 Credentials In Files (2)

  • Discovery

    T1012 Query Registry (10)
    T1082 System Information Discovery (10)
    T1018 Remote System Discovery (1)

  • Collection

    T1005 Data from Local System (2)

Tasks