cryptbot | 454fb0f85224fed3066a923a728d75663e393f4a4aded1258fc13c837df923cc

General

Target

3a4e7b7039dd82e7e0afef515e75bc41.exe
Size

249KB
MD5

3a4e7b7039dd82e7e0afef515e75bc41
SHA1

7c2c3567fc9bc7a44dee9ecbfadbd1d814cd9d8a
SHA256

454fb0f85224fed3066a923a728d75663e393f4a4aded1258fc13c837df923cc
SHA512

17f5586650a03952f29943b181e9412b8680fa4aa9addc2fbc4e3431acaf8804122a2b9d145ef5b453f0c22236d3cec557e1e6f8b7cb9e272a45c4bc5da1f37e

Score

10^/10

cryptbot redline smokeloader backdoor infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1752-91-0x0000000000E90000-0x0000000001005000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

9A2D.exe38B.exe38B.exe13A2.exe210B.exe

pid process

344 9A2D.exe
804 38B.exe
1548 38B.exe
1620 13A2.exe
1752 210B.exe
Deletes itself 1 IoCs

Processes:

pid process

1412
Loads dropped DLL 1 IoCs

Processes:

38B.exe

pid process

804 38B.exe

pid	process
344	9A2D.exe
804	38B.exe
1548	38B.exe
1620	13A2.exe
1752	210B.exe

pid	process
1412

pid	process
804	38B.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3a4e7b7039dd82e7e0afef515e75bc41.exe38B.exe

description	pid	process	target process
PID 1676 set thread context of 1124	1676	3a4e7b7039dd82e7e0afef515e75bc41.exe	3a4e7b7039dd82e7e0afef515e75bc41.exe
PID 804 set thread context of 1548	804	38B.exe	38B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3a4e7b7039dd82e7e0afef515e75bc41.exe9A2D.exe38B.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3a4e7b7039dd82e7e0afef515e75bc41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9A2D.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9A2D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3a4e7b7039dd82e7e0afef515e75bc41.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3a4e7b7039dd82e7e0afef515e75bc41.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9A2D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	38B.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	38B.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	38B.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

13A2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	13A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	13A2.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1744 timeout.exe

pid	process
1744	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3a4e7b7039dd82e7e0afef515e75bc41.exe

pid	process
1124	3a4e7b7039dd82e7e0afef515e75bc41.exe
1124	3a4e7b7039dd82e7e0afef515e75bc41.exe
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1412
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

3a4e7b7039dd82e7e0afef515e75bc41.exe9A2D.exe38B.exe

pid process

1124 3a4e7b7039dd82e7e0afef515e75bc41.exe
344 9A2D.exe
1548 38B.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1412
1412
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1412
1412

pid	process
1412

pid	process
1412
1412

pid	process
1412
1412

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

3a4e7b7039dd82e7e0afef515e75bc41.exe38B.exe13A2.execmd.exe

description	pid	process	target process
PID 1676 wrote to memory of 1124	1676	3a4e7b7039dd82e7e0afef515e75bc41.exe	3a4e7b7039dd82e7e0afef515e75bc41.exe
PID 1676 wrote to memory of 1124	1676	3a4e7b7039dd82e7e0afef515e75bc41.exe	3a4e7b7039dd82e7e0afef515e75bc41.exe
PID 1676 wrote to memory of 1124	1676	3a4e7b7039dd82e7e0afef515e75bc41.exe	3a4e7b7039dd82e7e0afef515e75bc41.exe
PID 1676 wrote to memory of 1124	1676	3a4e7b7039dd82e7e0afef515e75bc41.exe	3a4e7b7039dd82e7e0afef515e75bc41.exe
PID 1676 wrote to memory of 1124	1676	3a4e7b7039dd82e7e0afef515e75bc41.exe	3a4e7b7039dd82e7e0afef515e75bc41.exe
PID 1676 wrote to memory of 1124	1676	3a4e7b7039dd82e7e0afef515e75bc41.exe	3a4e7b7039dd82e7e0afef515e75bc41.exe
PID 1676 wrote to memory of 1124	1676	3a4e7b7039dd82e7e0afef515e75bc41.exe	3a4e7b7039dd82e7e0afef515e75bc41.exe
PID 1412 wrote to memory of 344	1412		9A2D.exe
PID 1412 wrote to memory of 344	1412		9A2D.exe
PID 1412 wrote to memory of 344	1412		9A2D.exe
PID 1412 wrote to memory of 344	1412		9A2D.exe
PID 1412 wrote to memory of 804	1412		38B.exe
PID 1412 wrote to memory of 804	1412		38B.exe
PID 1412 wrote to memory of 804	1412		38B.exe
PID 1412 wrote to memory of 804	1412		38B.exe
PID 804 wrote to memory of 1548	804	38B.exe	38B.exe
PID 804 wrote to memory of 1548	804	38B.exe	38B.exe
PID 804 wrote to memory of 1548	804	38B.exe	38B.exe
PID 804 wrote to memory of 1548	804	38B.exe	38B.exe
PID 804 wrote to memory of 1548	804	38B.exe	38B.exe
PID 804 wrote to memory of 1548	804	38B.exe	38B.exe
PID 804 wrote to memory of 1548	804	38B.exe	38B.exe
PID 1412 wrote to memory of 1620	1412		13A2.exe
PID 1412 wrote to memory of 1620	1412		13A2.exe
PID 1412 wrote to memory of 1620	1412		13A2.exe
PID 1412 wrote to memory of 1620	1412		13A2.exe
PID 1620 wrote to memory of 840	1620	13A2.exe	cmd.exe
PID 1620 wrote to memory of 840	1620	13A2.exe	cmd.exe
PID 1620 wrote to memory of 840	1620	13A2.exe	cmd.exe
PID 1620 wrote to memory of 840	1620	13A2.exe	cmd.exe
PID 840 wrote to memory of 1744	840	cmd.exe	timeout.exe
PID 840 wrote to memory of 1744	840	cmd.exe	timeout.exe
PID 840 wrote to memory of 1744	840	cmd.exe	timeout.exe
PID 840 wrote to memory of 1744	840	cmd.exe	timeout.exe
PID 1412 wrote to memory of 1752	1412		210B.exe
PID 1412 wrote to memory of 1752	1412		210B.exe
PID 1412 wrote to memory of 1752	1412		210B.exe
PID 1412 wrote to memory of 1752	1412		210B.exe
PID 1412 wrote to memory of 1752	1412		210B.exe
PID 1412 wrote to memory of 1752	1412		210B.exe
PID 1412 wrote to memory of 1752	1412		210B.exe

C:\Users\Admin\AppData\Local\Temp\3a4e7b7039dd82e7e0afef515e75bc41.exe
"C:\Users\Admin\AppData\Local\Temp\3a4e7b7039dd82e7e0afef515e75bc41.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\3a4e7b7039dd82e7e0afef515e75bc41.exe
"C:\Users\Admin\AppData\Local\Temp\3a4e7b7039dd82e7e0afef515e75bc41.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1124

C:\Users\Admin\AppData\Local\Temp\9A2D.exe
C:\Users\Admin\AppData\Local\Temp\9A2D.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:344

C:\Users\Admin\AppData\Local\Temp\38B.exe
C:\Users\Admin\AppData\Local\Temp\38B.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Local\Temp\38B.exe
C:\Users\Admin\AppData\Local\Temp\38B.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1548

C:\Users\Admin\AppData\Local\Temp\13A2.exe
C:\Users\Admin\AppData\Local\Temp\13A2.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\BlSsBWJpx & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\13A2.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1744

C:\Users\Admin\AppData\Local\Temp\210B.exe
C:\Users\Admin\AppData\Local\Temp\210B.exe
1⤵
- Executes dropped EXE
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13A2.exe
MD5
48a174024451494f31fecb6ae7396b5c

SHA1
2d6ba21531ac3d52bac110b9ff7ac89839943cdc

SHA256
e09365b350e8f0fea96541e93f38ddc5c1ac1b6f7e30a338e00b67086a118196

SHA512
e7b1692535262c36bb680b2fbee78767aa87567d77fc89d6aab42c50e8fcc1091fbe1258dd654afdadc79b6e47d331395af97542bf2dd3c597ec3887a42659ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\210B.exe
MD5
4df0d4be3b3abb5ca237d11013411885

SHA1
7b9376e633769eb52a70ec887143826f924f6fee

SHA256
2cf6a392704eb1ede9545577028283a714d4abd1b53318ca11b3075dee799813

SHA512
14e1543c4f8a5c331ef1de493c7aaf8e2ade61b6a4cc9e15e2e3ce988be4cd5c72a2558c78e39ebe8f71de592945192df7cb2093ce71d62d5a417f5cf6858db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\210B.exe
MD5
4df0d4be3b3abb5ca237d11013411885

SHA1
7b9376e633769eb52a70ec887143826f924f6fee

SHA256
2cf6a392704eb1ede9545577028283a714d4abd1b53318ca11b3075dee799813

SHA512
14e1543c4f8a5c331ef1de493c7aaf8e2ade61b6a4cc9e15e2e3ce988be4cd5c72a2558c78e39ebe8f71de592945192df7cb2093ce71d62d5a417f5cf6858db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\38B.exe
MD5
49cb421df70689eb8d0b3d4a9882883e

SHA1
2dcd8f755c1b4e91462c617019f90e541231ce70

SHA256
a0547fb2df81bd32c49a6f3a5ad69636ed568f9be8212b724a422db2453b1e5c

SHA512
8a32e1a78220cdf1777cf7126823979733ae0449d481833634bb0009c0aeb82bed47d6ab66b6d53e1fdd286d684930fd399cd8e6c1dbcb8c343cb9428210a31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\38B.exe
MD5
49cb421df70689eb8d0b3d4a9882883e

SHA1
2dcd8f755c1b4e91462c617019f90e541231ce70

SHA256
a0547fb2df81bd32c49a6f3a5ad69636ed568f9be8212b724a422db2453b1e5c

SHA512
8a32e1a78220cdf1777cf7126823979733ae0449d481833634bb0009c0aeb82bed47d6ab66b6d53e1fdd286d684930fd399cd8e6c1dbcb8c343cb9428210a31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\38B.exe
MD5
49cb421df70689eb8d0b3d4a9882883e

SHA1
2dcd8f755c1b4e91462c617019f90e541231ce70

SHA256
a0547fb2df81bd32c49a6f3a5ad69636ed568f9be8212b724a422db2453b1e5c

SHA512
8a32e1a78220cdf1777cf7126823979733ae0449d481833634bb0009c0aeb82bed47d6ab66b6d53e1fdd286d684930fd399cd8e6c1dbcb8c343cb9428210a31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A2D.exe
MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
\Users\Admin\AppData\Local\Temp\38B.exe
MD5
49cb421df70689eb8d0b3d4a9882883e

SHA1
2dcd8f755c1b4e91462c617019f90e541231ce70

SHA256
a0547fb2df81bd32c49a6f3a5ad69636ed568f9be8212b724a422db2453b1e5c

SHA512
8a32e1a78220cdf1777cf7126823979733ae0449d481833634bb0009c0aeb82bed47d6ab66b6d53e1fdd286d684930fd399cd8e6c1dbcb8c343cb9428210a31a

Download Submit
memory/344-66-0x0000000000400000-0x0000000002B64000-memory.dmp

Filesize
39.4MB

Download
memory/344-63-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/344-61-0x0000000000000000-mapping.dmp

Download
memory/344-64-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/804-68-0x0000000000000000-mapping.dmp

Download
memory/804-70-0x00000000005DB000-0x00000000005E4000-memory.dmp

Filesize
36KB

Download
memory/840-84-0x0000000000000000-mapping.dmp

Download
memory/1124-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1124-57-0x0000000000402F47-mapping.dmp

Download
memory/1124-58-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1412-83-0x0000000004280000-0x0000000004296000-memory.dmp

Filesize
88KB

Download
memory/1412-67-0x0000000003E20000-0x0000000003E36000-memory.dmp

Filesize
88KB

Download
memory/1412-60-0x00000000025C0000-0x00000000025D6000-memory.dmp

Filesize
88KB

Download
memory/1548-74-0x0000000000402F47-mapping.dmp

Download
memory/1620-82-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1620-79-0x000000000059B000-0x00000000005C1000-memory.dmp

Filesize
152KB

Download
memory/1620-77-0x0000000000000000-mapping.dmp

Download
memory/1620-81-0x0000000000230000-0x0000000000277000-memory.dmp

Filesize
284KB

Download
memory/1676-55-0x00000000005FB000-0x0000000000604000-memory.dmp

Filesize
36KB

Download
memory/1676-59-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1744-85-0x0000000000000000-mapping.dmp

Download
memory/1752-90-0x0000000074AF0000-0x0000000074B3A000-memory.dmp

Filesize
296KB

Download
memory/1752-86-0x0000000000000000-mapping.dmp

Download
memory/1752-91-0x0000000000E90000-0x0000000001005000-memory.dmp

Filesize
1.5MB

Download
memory/1752-92-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1752-93-0x00000000001D0000-0x0000000000213000-memory.dmp

Filesize
268KB

Download
memory/1752-95-0x0000000076980000-0x0000000076A2C000-memory.dmp

Filesize
688KB

Download
memory/1752-96-0x0000000076F00000-0x0000000076F47000-memory.dmp

Filesize
284KB

Download
memory/1752-97-0x00000000753F0000-0x0000000075447000-memory.dmp

Filesize
348KB

Download
memory/1752-99-0x0000000076A30000-0x0000000076B8C000-memory.dmp

Filesize
1.4MB

Download
memory/1752-100-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1752-102-0x0000000076F50000-0x0000000076FDF000-memory.dmp

Filesize
572KB

Download
memory/1752-104-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads