cryptbot | c161867b30341da1738ad780ac4c44300dc5f29e25bca55de80803394efdcd7b

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-en-20211104
submitted
04-12-2021 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50dfd197492d2836638b800d144bbff3.exe
Size

248KB
MD5

50dfd197492d2836638b800d144bbff3
SHA1

7a0891b734da828be8265c01df2ee435276f2f85
SHA256

c161867b30341da1738ad780ac4c44300dc5f29e25bca55de80803394efdcd7b
SHA512

44febeadb7c215d48effb66493753fd14fbf47ca7000930b2adc895a5e5d09c42dc56ce30f281e6d5a3d0996ef962747f11774a32ca73ab6ac4b98625f03e7f6

Score

10^/10

cryptbot redline smokeloader 1 backdoor discovery infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Extracted

Family

redline

92.255.76.197:38637

Extracted

Family

redline

Botnet

45.9.20.59:46287

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1696-94-0x0000000001DA0000-0x0000000001DCE000-memory.dmp	family_redline
behavioral1/memory/1696-95-0x0000000002050000-0x000000000207C000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\E2AA.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\E2AA.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

933B.exeSmartClock.exeA96E.exeC49D.exeCD54.exeE2AA.exe

pid process

316 933B.exe
976 SmartClock.exe
2044 A96E.exe
1448 C49D.exe
1696 CD54.exe
900 E2AA.exe
Deletes itself 1 IoCs

Processes:

pid process

1272
Drops startup file 1 IoCs

Processes:

933B.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 933B.exe
Loads dropped DLL 3 IoCs

Processes:

933B.exe

pid process

316 933B.exe
316 933B.exe
316 933B.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
316	933B.exe
976	SmartClock.exe
2044	A96E.exe
1448	C49D.exe
1696	CD54.exe
900	E2AA.exe

pid	process
1272

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	933B.exe

pid	process
316	933B.exe
316	933B.exe
316	933B.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

50dfd197492d2836638b800d144bbff3.exeA96E.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	50dfd197492d2836638b800d144bbff3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	50dfd197492d2836638b800d144bbff3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	50dfd197492d2836638b800d144bbff3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A96E.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A96E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A96E.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C49D.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	C49D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	C49D.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1952 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

976 SmartClock.exe

pid	process
1952	timeout.exe

pid	process
976	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

50dfd197492d2836638b800d144bbff3.exe

pid	process
320	50dfd197492d2836638b800d144bbff3.exe
320	50dfd197492d2836638b800d144bbff3.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1272
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

50dfd197492d2836638b800d144bbff3.exeA96E.exe

pid process

320 50dfd197492d2836638b800d144bbff3.exe
2044 A96E.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CD54.exe

description pid process

Token: SeDebugPrivilege 1696 CD54.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1272
1272
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1272
1272
1272
1272

pid	process
1272

description	pid	process
Token: SeDebugPrivilege	1696	CD54.exe

pid	process
1272
1272

pid	process
1272
1272
1272
1272

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

933B.exeC49D.execmd.exe

description	pid	process	target process
PID 1272 wrote to memory of 316	1272		933B.exe
PID 1272 wrote to memory of 316	1272		933B.exe
PID 1272 wrote to memory of 316	1272		933B.exe
PID 1272 wrote to memory of 316	1272		933B.exe
PID 316 wrote to memory of 976	316	933B.exe	SmartClock.exe
PID 316 wrote to memory of 976	316	933B.exe	SmartClock.exe
PID 316 wrote to memory of 976	316	933B.exe	SmartClock.exe
PID 316 wrote to memory of 976	316	933B.exe	SmartClock.exe
PID 1272 wrote to memory of 2044	1272		A96E.exe
PID 1272 wrote to memory of 2044	1272		A96E.exe
PID 1272 wrote to memory of 2044	1272		A96E.exe
PID 1272 wrote to memory of 2044	1272		A96E.exe
PID 1272 wrote to memory of 1448	1272		C49D.exe
PID 1272 wrote to memory of 1448	1272		C49D.exe
PID 1272 wrote to memory of 1448	1272		C49D.exe
PID 1272 wrote to memory of 1448	1272		C49D.exe
PID 1272 wrote to memory of 1696	1272		CD54.exe
PID 1272 wrote to memory of 1696	1272		CD54.exe
PID 1272 wrote to memory of 1696	1272		CD54.exe
PID 1272 wrote to memory of 1696	1272		CD54.exe
PID 1448 wrote to memory of 1748	1448	C49D.exe	cmd.exe
PID 1448 wrote to memory of 1748	1448	C49D.exe	cmd.exe
PID 1448 wrote to memory of 1748	1448	C49D.exe	cmd.exe
PID 1448 wrote to memory of 1748	1448	C49D.exe	cmd.exe
PID 1748 wrote to memory of 1952	1748	cmd.exe	timeout.exe
PID 1748 wrote to memory of 1952	1748	cmd.exe	timeout.exe
PID 1748 wrote to memory of 1952	1748	cmd.exe	timeout.exe
PID 1748 wrote to memory of 1952	1748	cmd.exe	timeout.exe
PID 1272 wrote to memory of 900	1272		E2AA.exe
PID 1272 wrote to memory of 900	1272		E2AA.exe
PID 1272 wrote to memory of 900	1272		E2AA.exe
PID 1272 wrote to memory of 900	1272		E2AA.exe

C:\Users\Admin\AppData\Local\Temp\50dfd197492d2836638b800d144bbff3.exe
"C:\Users\Admin\AppData\Local\Temp\50dfd197492d2836638b800d144bbff3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:320

C:\Users\Admin\AppData\Local\Temp\933B.exe
C:\Users\Admin\AppData\Local\Temp\933B.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:976

C:\Users\Admin\AppData\Local\Temp\A96E.exe
C:\Users\Admin\AppData\Local\Temp\A96E.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2044

C:\Users\Admin\AppData\Local\Temp\C49D.exe
C:\Users\Admin\AppData\Local\Temp\C49D.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\uXyxDHlu & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\C49D.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1952

C:\Users\Admin\AppData\Local\Temp\CD54.exe
C:\Users\Admin\AppData\Local\Temp\CD54.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Users\Admin\AppData\Local\Temp\E2AA.exe
C:\Users\Admin\AppData\Local\Temp\E2AA.exe
1⤵
- Executes dropped EXE
PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\933B.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\933B.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A96E.exe

MD5
86c76df3f0feed13d6ad6f9155156369

SHA1
330e82600381f68d6f6914b50b451b6c59901b26

SHA256
4dc4954990ef29b8b1b66f23cd475d375cc759b2aabbfdde761abaafef975baf

SHA512
078e22f7c6109abf532591dc429d6a58255a192c3a70324b769e5f2b79549d0814fa2330693484dccdc27427ef25526b5db4f3b574c521bed0ae27eadada789c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C49D.exe

MD5
01e84b58f52c9a1fa5e7a60932f9ef3b

SHA1
04c0aadf2b04795c5d6acd865a066c4490ec5a26

SHA256
7f2637c56ceed05819d0e5f09655b8741f1bb72d43fe24a4e117045e2374eea8

SHA512
8b42dc06112caa64b4bd924619a8e679a971170bd848e6ffb7ebc19e7490f2d13b74bb73bc4298596ab13428a3baf22c9b211f6696d1ca12550b35e64c0564aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\C49D.exe

MD5
01e84b58f52c9a1fa5e7a60932f9ef3b

SHA1
04c0aadf2b04795c5d6acd865a066c4490ec5a26

SHA256
7f2637c56ceed05819d0e5f09655b8741f1bb72d43fe24a4e117045e2374eea8

SHA512
8b42dc06112caa64b4bd924619a8e679a971170bd848e6ffb7ebc19e7490f2d13b74bb73bc4298596ab13428a3baf22c9b211f6696d1ca12550b35e64c0564aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD54.exe

MD5
d839ca0d362a36f7a2be8ed2588dcc94

SHA1
6ab19f4de3967520cebfef76a3d3bef9c9b378d7

SHA256
f5151880863dd9889d658ce435ab2bbc251bf19d5fc1ffce59b41ae304438ee8

SHA512
40b8bb2b006a426122ff4f93a52aabe2d006c2198945e1c7432f9523cd835f73e817220ba8991ccb67678116f392a209310d721fd269030d861500a7d90b31fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2AA.exe

MD5
a8162fc2e944d87a356dea9a716b043d

SHA1
b5b76a20f49139d1f2dcd1384efefb86cd41b5bd

SHA256
d7c447f3e23cf6d10f9638688e5e88baddd70460a1a6f37f4cf18f51044c18b0

SHA512
d82f2f068097ab7f71579d57f47acce91d007fd4b6a7f97e876291c22ff5805e59b41404653c70072cf3dbd4a71f8993fb8918b4165ddd6802d3f133321e6b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2AA.exe

MD5
a8162fc2e944d87a356dea9a716b043d

SHA1
b5b76a20f49139d1f2dcd1384efefb86cd41b5bd

SHA256
d7c447f3e23cf6d10f9638688e5e88baddd70460a1a6f37f4cf18f51044c18b0

SHA512
d82f2f068097ab7f71579d57f47acce91d007fd4b6a7f97e876291c22ff5805e59b41404653c70072cf3dbd4a71f8993fb8918b4165ddd6802d3f133321e6b1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

MD5
f1d2b02fb491bd1b76979e28376344e9

SHA1
c9106546f785ce167200b66f2bfd21381b4bb626

SHA256
27dfa70b2ecc88dfd4c528b3aee7c16a867d0cd5233f5fa5a69b2e6f2fbc96c9

SHA512
f012ce06484cffbb3eae6d28d7d3906643e8c2dac412da28539897e53cecf61b9e415e2e09cfa13472c34d7919f006c935ad837ffa7109fd33b1d86eaaf481e5

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
memory/316-66-0x0000000000320000-0x00000000003B1000-memory.dmp

Filesize
580KB

Download
memory/316-67-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/316-62-0x00000000005CB000-0x000000000064B000-memory.dmp

Filesize
512KB

Download
memory/316-60-0x0000000000000000-mapping.dmp

Download
memory/320-56-0x0000000075731000-0x0000000075733000-memory.dmp

Filesize
8KB

Download
memory/320-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/320-55-0x000000000061B000-0x0000000000624000-memory.dmp

Filesize
36KB

Download
memory/320-58-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/900-108-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/900-106-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/900-103-0x0000000000000000-mapping.dmp

Download
memory/976-75-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/976-73-0x000000000024B000-0x00000000002CB000-memory.dmp

Filesize
512KB

Download
memory/976-70-0x0000000000000000-mapping.dmp

Download
memory/1272-82-0x0000000003FA0000-0x0000000003FB6000-memory.dmp

Filesize
88KB

Download
memory/1272-59-0x0000000002C20000-0x0000000002C36000-memory.dmp

Filesize
88KB

Download
memory/1448-87-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/1448-88-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1448-85-0x000000000052B000-0x0000000000551000-memory.dmp

Filesize
152KB

Download
memory/1448-83-0x0000000000000000-mapping.dmp

Download
memory/1696-100-0x00000000023A3000-0x00000000023A4000-memory.dmp

Filesize
4KB

Download
memory/1696-98-0x00000000023A1000-0x00000000023A2000-memory.dmp

Filesize
4KB

Download
memory/1696-94-0x0000000001DA0000-0x0000000001DCE000-memory.dmp

Filesize
184KB

Download
memory/1696-95-0x0000000002050000-0x000000000207C000-memory.dmp

Filesize
176KB

Download
memory/1696-97-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1696-89-0x0000000000000000-mapping.dmp

Download
memory/1696-99-0x00000000023A2000-0x00000000023A3000-memory.dmp

Filesize
4KB

Download
memory/1696-93-0x000000000026B000-0x0000000000297000-memory.dmp

Filesize
176KB

Download
memory/1696-96-0x00000000003C0000-0x00000000003F9000-memory.dmp

Filesize
228KB

Download
memory/1696-101-0x00000000023A4000-0x00000000023A6000-memory.dmp

Filesize
8KB

Download
memory/1748-91-0x0000000000000000-mapping.dmp

Download
memory/1952-92-0x0000000000000000-mapping.dmp

Download
memory/2044-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2044-80-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2044-78-0x00000000008CB000-0x00000000008D4000-memory.dmp

Filesize
36KB

Download
memory/2044-76-0x0000000000000000-mapping.dmp

Download