cryptbot | 2ad536248b31c68f944b660e6062e9ddf76a9f4dff85edb300a1e3def3f395ab

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-en-20211104
submitted
04-12-2021 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52f51409a4cff209b33fb051f9467301.exe
Size

248KB
MD5

52f51409a4cff209b33fb051f9467301
SHA1

859c1ad8bb06e5a7baab2779497f7c4bf32ca390
SHA256

2ad536248b31c68f944b660e6062e9ddf76a9f4dff85edb300a1e3def3f395ab
SHA512

2b9bcd082f078b25e0a288d1cffbdb1f02c7b202862c82e492d476626f44d3740f0d3aac46074f7d21ada29ede9738cf10d12532734cbb335eac48b33d422f75

Score

10^/10

cryptbot redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Extracted

Family

redline

92.255.76.197:38637

Extracted

Family

redline

Botnet

45.9.20.59:46287

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1776-94-0x0000000002150000-0x000000000217E000-memory.dmp	family_redline
behavioral1/memory/1776-95-0x0000000004710000-0x000000000473C000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\D88C.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\D88C.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

9444.exeSmartClock.exeA8B3.exeBF5F.exeC6EE.exeD88C.exe

pid process

2032 9444.exe
1060 SmartClock.exe
1392 A8B3.exe
876 BF5F.exe
1776 C6EE.exe
544 D88C.exe
Deletes itself 1 IoCs

Processes:

pid process

1396
Drops startup file 1 IoCs

Processes:

9444.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 9444.exe
Loads dropped DLL 3 IoCs

Processes:

9444.exe

pid process

2032 9444.exe
2032 9444.exe
2032 9444.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2032	9444.exe
1060	SmartClock.exe
1392	A8B3.exe
876	BF5F.exe
1776	C6EE.exe
544	D88C.exe

pid	process
1396

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	9444.exe

pid	process
2032	9444.exe
2032	9444.exe
2032	9444.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

52f51409a4cff209b33fb051f9467301.exeA8B3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	52f51409a4cff209b33fb051f9467301.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	52f51409a4cff209b33fb051f9467301.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	52f51409a4cff209b33fb051f9467301.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A8B3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A8B3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A8B3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BF5F.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BF5F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BF5F.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1172 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1060 SmartClock.exe

pid	process
1172	timeout.exe

pid	process
1060	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

52f51409a4cff209b33fb051f9467301.exe

pid	process
792	52f51409a4cff209b33fb051f9467301.exe
792	52f51409a4cff209b33fb051f9467301.exe
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1396
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

52f51409a4cff209b33fb051f9467301.exeA8B3.exe

pid process

792 52f51409a4cff209b33fb051f9467301.exe
1392 A8B3.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

C6EE.exeD88C.exe

description pid process

Token: SeDebugPrivilege 1776 C6EE.exe
Token: SeDebugPrivilege 544 D88C.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1396
1396
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1396
1396
1396
1396

pid	process
1396

description	pid	process
Token: SeDebugPrivilege	1776	C6EE.exe
Token: SeDebugPrivilege	544	D88C.exe

pid	process
1396
1396

pid	process
1396
1396
1396
1396

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

9444.exeBF5F.execmd.exe

description	pid	process	target process
PID 1396 wrote to memory of 2032	1396		9444.exe
PID 1396 wrote to memory of 2032	1396		9444.exe
PID 1396 wrote to memory of 2032	1396		9444.exe
PID 1396 wrote to memory of 2032	1396		9444.exe
PID 2032 wrote to memory of 1060	2032	9444.exe	SmartClock.exe
PID 2032 wrote to memory of 1060	2032	9444.exe	SmartClock.exe
PID 2032 wrote to memory of 1060	2032	9444.exe	SmartClock.exe
PID 2032 wrote to memory of 1060	2032	9444.exe	SmartClock.exe
PID 1396 wrote to memory of 1392	1396		A8B3.exe
PID 1396 wrote to memory of 1392	1396		A8B3.exe
PID 1396 wrote to memory of 1392	1396		A8B3.exe
PID 1396 wrote to memory of 1392	1396		A8B3.exe
PID 1396 wrote to memory of 876	1396		BF5F.exe
PID 1396 wrote to memory of 876	1396		BF5F.exe
PID 1396 wrote to memory of 876	1396		BF5F.exe
PID 1396 wrote to memory of 876	1396		BF5F.exe
PID 1396 wrote to memory of 1776	1396		C6EE.exe
PID 1396 wrote to memory of 1776	1396		C6EE.exe
PID 1396 wrote to memory of 1776	1396		C6EE.exe
PID 1396 wrote to memory of 1776	1396		C6EE.exe
PID 876 wrote to memory of 1048	876	BF5F.exe	cmd.exe
PID 876 wrote to memory of 1048	876	BF5F.exe	cmd.exe
PID 876 wrote to memory of 1048	876	BF5F.exe	cmd.exe
PID 876 wrote to memory of 1048	876	BF5F.exe	cmd.exe
PID 1048 wrote to memory of 1172	1048	cmd.exe	timeout.exe
PID 1048 wrote to memory of 1172	1048	cmd.exe	timeout.exe
PID 1048 wrote to memory of 1172	1048	cmd.exe	timeout.exe
PID 1048 wrote to memory of 1172	1048	cmd.exe	timeout.exe
PID 1396 wrote to memory of 544	1396		D88C.exe
PID 1396 wrote to memory of 544	1396		D88C.exe
PID 1396 wrote to memory of 544	1396		D88C.exe
PID 1396 wrote to memory of 544	1396		D88C.exe

C:\Users\Admin\AppData\Local\Temp\52f51409a4cff209b33fb051f9467301.exe
"C:\Users\Admin\AppData\Local\Temp\52f51409a4cff209b33fb051f9467301.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:792

C:\Users\Admin\AppData\Local\Temp\9444.exe
C:\Users\Admin\AppData\Local\Temp\9444.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1060

C:\Users\Admin\AppData\Local\Temp\A8B3.exe
C:\Users\Admin\AppData\Local\Temp\A8B3.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1392

C:\Users\Admin\AppData\Local\Temp\BF5F.exe
C:\Users\Admin\AppData\Local\Temp\BF5F.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\kQcaqbnfwZD & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\BF5F.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1172

C:\Users\Admin\AppData\Local\Temp\C6EE.exe
C:\Users\Admin\AppData\Local\Temp\C6EE.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Users\Admin\AppData\Local\Temp\D88C.exe
C:\Users\Admin\AppData\Local\Temp\D88C.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9444.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9444.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8B3.exe

MD5
86c76df3f0feed13d6ad6f9155156369

SHA1
330e82600381f68d6f6914b50b451b6c59901b26

SHA256
4dc4954990ef29b8b1b66f23cd475d375cc759b2aabbfdde761abaafef975baf

SHA512
078e22f7c6109abf532591dc429d6a58255a192c3a70324b769e5f2b79549d0814fa2330693484dccdc27427ef25526b5db4f3b574c521bed0ae27eadada789c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF5F.exe

MD5
aac2b9407a57a02ec74c25f35ad8b1c7

SHA1
fc61a87deb0d6eb0473f1da1e84f303799c29018

SHA256
8aea16599b9ee75ce3c0702f59c822614c5359e20d26e6a16a3ecb470d3dac84

SHA512
6770a347fafb23dea69e200d93d9a1cf0a85d81c3c2f27a0ce5cde1214554feb2f3e874e36203478e30404fb48b86091349915528cd79df39b56a797cc199309

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF5F.exe

MD5
aac2b9407a57a02ec74c25f35ad8b1c7

SHA1
fc61a87deb0d6eb0473f1da1e84f303799c29018

SHA256
8aea16599b9ee75ce3c0702f59c822614c5359e20d26e6a16a3ecb470d3dac84

SHA512
6770a347fafb23dea69e200d93d9a1cf0a85d81c3c2f27a0ce5cde1214554feb2f3e874e36203478e30404fb48b86091349915528cd79df39b56a797cc199309

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6EE.exe

MD5
c3319f4af47acc365e756182c6669648

SHA1
744478c123a1180ea9a344c354cfa711b0c40f83

SHA256
e517d7d36b880690dce87ab53d9801ea34c78db1ebf336609eb80702317d26cc

SHA512
5f405adf3eba2dcc3268e8c39c02e1d3ec2184a50327aac4f645c43ed55373db241b7e438dec5ed4e678c8f6cceafce738e59b39121de86488931d7fb5e8fb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\D88C.exe

MD5
a8162fc2e944d87a356dea9a716b043d

SHA1
b5b76a20f49139d1f2dcd1384efefb86cd41b5bd

SHA256
d7c447f3e23cf6d10f9638688e5e88baddd70460a1a6f37f4cf18f51044c18b0

SHA512
d82f2f068097ab7f71579d57f47acce91d007fd4b6a7f97e876291c22ff5805e59b41404653c70072cf3dbd4a71f8993fb8918b4165ddd6802d3f133321e6b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D88C.exe

MD5
a8162fc2e944d87a356dea9a716b043d

SHA1
b5b76a20f49139d1f2dcd1384efefb86cd41b5bd

SHA256
d7c447f3e23cf6d10f9638688e5e88baddd70460a1a6f37f4cf18f51044c18b0

SHA512
d82f2f068097ab7f71579d57f47acce91d007fd4b6a7f97e876291c22ff5805e59b41404653c70072cf3dbd4a71f8993fb8918b4165ddd6802d3f133321e6b1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

MD5
57814cd6f5a4849ebdcba999fc84cc53

SHA1
c048be27765c74cfd813710d1c148bf51313763b

SHA256
28f821e01238a988182c3cb4cd16383b89758cc0e7809387eaefd6657a4a7a73

SHA512
c90202df5c14680e927397e2ec45c9bbd64bfdecef9745ed3c09bdd26c6cbf2c4b72734797b7becd4e47207051eb0d55a7919108e20a7125c73b0e5cd06c4789

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
memory/544-105-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/544-108-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/544-102-0x0000000000000000-mapping.dmp

Download
memory/792-58-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/792-56-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/792-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/792-55-0x000000000057B000-0x0000000000584000-memory.dmp

Filesize
36KB

Download
memory/876-88-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/876-82-0x0000000000000000-mapping.dmp

Download
memory/876-87-0x0000000000270000-0x00000000002B7000-memory.dmp

Filesize
284KB

Download
memory/876-84-0x000000000059B000-0x00000000005C1000-memory.dmp

Filesize
152KB

Download
memory/1048-91-0x0000000000000000-mapping.dmp

Download
memory/1060-73-0x00000000002AB000-0x000000000032B000-memory.dmp

Filesize
512KB

Download
memory/1060-75-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1060-70-0x0000000000000000-mapping.dmp

Download
memory/1172-92-0x0000000000000000-mapping.dmp

Download
memory/1392-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1392-80-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1392-78-0x00000000002EB000-0x00000000002F4000-memory.dmp

Filesize
36KB

Download
memory/1392-76-0x0000000000000000-mapping.dmp

Download
memory/1396-86-0x00000000040C0000-0x00000000040D6000-memory.dmp

Filesize
88KB

Download
memory/1396-59-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/1776-89-0x0000000000000000-mapping.dmp

Download
memory/1776-95-0x0000000004710000-0x000000000473C000-memory.dmp

Filesize
176KB

Download
memory/1776-99-0x00000000046D2000-0x00000000046D3000-memory.dmp

Filesize
4KB

Download
memory/1776-100-0x00000000046D3000-0x00000000046D4000-memory.dmp

Filesize
4KB

Download
memory/1776-98-0x00000000046D1000-0x00000000046D2000-memory.dmp

Filesize
4KB

Download
memory/1776-97-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1776-96-0x00000000003B0000-0x00000000003E9000-memory.dmp

Filesize
228KB

Download
memory/1776-101-0x00000000046D4000-0x00000000046D6000-memory.dmp

Filesize
8KB

Download
memory/1776-94-0x0000000002150000-0x000000000217E000-memory.dmp

Filesize
184KB

Download
memory/1776-93-0x000000000024B000-0x0000000000277000-memory.dmp

Filesize
176KB

Download
memory/2032-60-0x0000000000000000-mapping.dmp

Download
memory/2032-62-0x00000000002CB000-0x000000000034B000-memory.dmp

Filesize
512KB

Download
memory/2032-65-0x0000000001C90000-0x0000000001D21000-memory.dmp

Filesize
580KB

Download
memory/2032-66-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download