cryptbot

General

Target

833682705b0dc7c480be2dc7e98b20cf.exe
Size

318KB
Sample

211204-hh37bsaecr
MD5

833682705b0dc7c480be2dc7e98b20cf
SHA1

142330907324d6435ccf85e5805b790bab84244a
SHA256

23120d4fa41b881f5bc7e9806d693702f719e5f7e44b06b5d6f3a325ec9f3e97
SHA512

61f85463ddc01bdc786cb5f02be743075a1b6391313e784a2b3aa61303c897c7bff319f19ff76f6ae4aabb1f10c2c91626a45efed87fe1fed926449d67c4bc94

Score

10^/10

cryptbot redline smokeloader 1 backdoor collection discovery evasion infostealer persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Extracted

Family

redline

C2

92.255.76.197:38637

Extracted

Family

redline

Botnet

1

C2

45.9.20.59:46287

Targets

- Target
  
  833682705b0dc7c480be2dc7e98b20cf.exe
- Size
  
  318KB
- MD5
  
  833682705b0dc7c480be2dc7e98b20cf
- SHA1
  
  142330907324d6435ccf85e5805b790bab84244a
- SHA256
  
  23120d4fa41b881f5bc7e9806d693702f719e5f7e44b06b5d6f3a325ec9f3e97
- SHA512
  
  61f85463ddc01bdc786cb5f02be743075a1b6391313e784a2b3aa61303c897c7bff319f19ff76f6ae4aabb1f10c2c91626a45efed87fe1fed926449d67c4bc94
Score

10^/10

smokeloader backdoor persistence trojan cryptbot redline 1 collection discovery evasion infostealer spyware stealer suricata
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- suricata: ET MALWARE Arechclient2 Backdoor CnC Init
  suricata: ET MALWARE Arechclient2 Backdoor CnC Init
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
  suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
  suricata
- suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
  suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2