cryptbot

Sharing

Copy URL

Twitter E-mail

General

Target

A043A69DD5BC7B5E61D606F3A678D6C1.exe
Size

3.6MB
Sample

210324-bxsndadpwn
MD5

a043a69dd5bc7b5e61d606f3a678d6c1
SHA1

a8b6af2915fb93e9bc5c60e36551e09244471846
SHA256

d0d946651c56c06d9ca14c32608fe26da018ed117f7d196fb4aef17c63e1de6f
SHA512

d107334a01cabf55692c79ea62c9b22cf596a5e3a099d9d2cb9160ba6eb42713a9946c5a0feeb8356d0b96e174f670b28c3554484b5f891d0ede111dbe0f173c

Malware Config

Extracted

Family

smokeloader

Version

2020

http://funzel.info/upload/

http://doeros.xyz/upload/

http://vromus.com/upload/

http://hqans.com/upload/

http://vxeudy.com/upload/

http://poderoa.com/upload/

http://nezzzo.com/upload/

rc4.i32

Extracted

Family

fickerstealer

lukkeze.club:80

Extracted

Family

raccoon

Botnet

2ce901d964b370c5ccda7e4d68354ba040db8218

Attributes

url4cnc
https://telete.in/tomarsjsmith3

rc4.plain

Extracted

Family

raccoon

Botnet

c46f13f8aadc028907d65c627fd9163161661f6c

Attributes

url4cnc
https://telete.in/capibar

rc4.plain

Extracted

Family

cryptbot

bazfr32.top

morwhy03.top

Attributes

payload_url
http://akrvt04.top/download.php?file=lv.exe

Extracted

Family

icedid

Campaign

1319278762

213podellkk.website

Extracted

Family

redline

Botnet

white

whitegarden.top:80

Targets

- Target
  
  A043A69DD5BC7B5E61D606F3A678D6C1.exe
- Size
  
  3.6MB
- MD5
  
  a043a69dd5bc7b5e61d606f3a678d6c1
- SHA1
  
  a8b6af2915fb93e9bc5c60e36551e09244471846
- SHA256
  
  d0d946651c56c06d9ca14c32608fe26da018ed117f7d196fb4aef17c63e1de6f
- SHA512
  
  d107334a01cabf55692c79ea62c9b22cf596a5e3a099d9d2cb9160ba6eb42713a9946c5a0feeb8356d0b96e174f670b28c3554484b5f891d0ede111dbe0f173c
Score

10^/10

cryptbot fickerstealer raccoon smokeloader 2ce901d964b370c5ccda7e4d68354ba040db8218 c46f13f8aadc028907d65c627fd9163161661f6c backdoor discovery evasion infostealer persistence spyware stealer trojan icedid redline vidar white 1319278762 banker loader upx
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- CryptBot Payload
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- fickerstealer
  Ficker is an infostealer written in Rust and ASM.
  infostealer fickerstealer
- IcedID First Stage Loader
  loader
- Downloads MZ/PE file
- Executes dropped EXE
- Sets service image path in registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

CryptBot Payload

IcedID, BokBot

Raccoon

RedLine

RedLine Payload

SmokeLoader

Vidar

fickerstealer

IcedID First Stage Loader

Downloads MZ/PE file

Executes dropped EXE

Sets service image path in registry

UPX packed file

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2