cryptbot

General

Target

8130dec9be607e5a483582f8dd9c5549.exe
Size

248KB
Sample

211204-mpd81aaghr
MD5

8130dec9be607e5a483582f8dd9c5549
SHA1

6df35529f93d04c6c1a4155bcf6568266f6a40a5
SHA256

7418fc9c2128ec7a01faf29b7622c058175476be90022097e75597257d6156d6
SHA512

5c40ccd160bb26529256e2256292fcaa3aa5884af9ec566d148ca14919caa812679472bf4ff0b3ed1836cd01997f35f678f321001e5e0d1190b7b6a6263eb6b7

Score

10^/10

cryptbot redline smokeloader 1 backdoor collection discovery evasion infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Extracted

Family

redline

C2

195.133.47.114:38620

Extracted

Family

redline

Botnet

1

C2

45.9.20.59:46287

Targets

- Target
  
  8130dec9be607e5a483582f8dd9c5549.exe
- Size
  
  248KB
- MD5
  
  8130dec9be607e5a483582f8dd9c5549
- SHA1
  
  6df35529f93d04c6c1a4155bcf6568266f6a40a5
- SHA256
  
  7418fc9c2128ec7a01faf29b7622c058175476be90022097e75597257d6156d6
- SHA512
  
  5c40ccd160bb26529256e2256292fcaa3aa5884af9ec566d148ca14919caa812679472bf4ff0b3ed1836cd01997f35f678f321001e5e0d1190b7b6a6263eb6b7
Score

10^/10

smokeloader backdoor trojan cryptbot redline 1 collection discovery evasion infostealer spyware stealer suricata
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
  suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
  suricata
- suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
  suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2