cryptbot | 2805be73a04fe26bd831204a0e30a9d629ad5567b9b275291354bf3c7e89b010

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-en-20211014
submitted
04-12-2021 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4df693f47c93324efa41fccef3b1331c.exe
Size

235KB
MD5

4df693f47c93324efa41fccef3b1331c
SHA1

cfccb8f1be7288f9b43150b567ddf4843b4af13b
SHA256

2805be73a04fe26bd831204a0e30a9d629ad5567b9b275291354bf3c7e89b010
SHA512

1c60ca0ae32737ebe735ac87dbe895b00d88df3797582b03104d704c8233b77ccf858b3241770d0f5e9c969e80286f3b8884436ae747c14bb063aad013504f8f

Score

10^/10

cryptbot redline smokeloader backdoor infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Extracted

Family

redline

195.133.47.114:38620

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\F741.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\F741.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

B8B5.exeSmartClock.exeCF26.exeE4AA.exeF741.exeA26.exe

pid process

956 B8B5.exe
1564 SmartClock.exe
1560 CF26.exe
968 E4AA.exe
1444 F741.exe
1108 A26.exe
Deletes itself 1 IoCs

Processes:

pid process

1268
Drops startup file 1 IoCs

Processes:

B8B5.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk B8B5.exe
Loads dropped DLL 3 IoCs

Processes:

B8B5.exe

pid process

956 B8B5.exe
956 B8B5.exe
956 B8B5.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
956	B8B5.exe
1564	SmartClock.exe
1560	CF26.exe
968	E4AA.exe
1444	F741.exe
1108	A26.exe

pid	process
1268

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	B8B5.exe

pid	process
956	B8B5.exe
956	B8B5.exe
956	B8B5.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

A26.exe4df693f47c93324efa41fccef3b1331c.exeCF26.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4df693f47c93324efa41fccef3b1331c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4df693f47c93324efa41fccef3b1331c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CF26.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CF26.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CF26.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4df693f47c93324efa41fccef3b1331c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A26.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A26.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

E4AA.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	E4AA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	E4AA.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1944 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1564 SmartClock.exe

pid	process
1944	timeout.exe

pid	process
1564	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4df693f47c93324efa41fccef3b1331c.exe

pid	process
1644	4df693f47c93324efa41fccef3b1331c.exe
1644	4df693f47c93324efa41fccef3b1331c.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1268
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

4df693f47c93324efa41fccef3b1331c.exeCF26.exeA26.exe

pid process

1644 4df693f47c93324efa41fccef3b1331c.exe
1560 CF26.exe
1108 A26.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1268
1268
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1268
1268
1268
1268

pid	process
1268

pid	process
1268
1268

pid	process
1268
1268
1268
1268

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

B8B5.exeE4AA.execmd.exe

description	pid	process	target process
PID 1268 wrote to memory of 956	1268		B8B5.exe
PID 1268 wrote to memory of 956	1268		B8B5.exe
PID 1268 wrote to memory of 956	1268		B8B5.exe
PID 1268 wrote to memory of 956	1268		B8B5.exe
PID 956 wrote to memory of 1564	956	B8B5.exe	SmartClock.exe
PID 956 wrote to memory of 1564	956	B8B5.exe	SmartClock.exe
PID 956 wrote to memory of 1564	956	B8B5.exe	SmartClock.exe
PID 956 wrote to memory of 1564	956	B8B5.exe	SmartClock.exe
PID 1268 wrote to memory of 1560	1268		CF26.exe
PID 1268 wrote to memory of 1560	1268		CF26.exe
PID 1268 wrote to memory of 1560	1268		CF26.exe
PID 1268 wrote to memory of 1560	1268		CF26.exe
PID 1268 wrote to memory of 968	1268		E4AA.exe
PID 1268 wrote to memory of 968	1268		E4AA.exe
PID 1268 wrote to memory of 968	1268		E4AA.exe
PID 1268 wrote to memory of 968	1268		E4AA.exe
PID 968 wrote to memory of 1200	968	E4AA.exe	cmd.exe
PID 968 wrote to memory of 1200	968	E4AA.exe	cmd.exe
PID 968 wrote to memory of 1200	968	E4AA.exe	cmd.exe
PID 968 wrote to memory of 1200	968	E4AA.exe	cmd.exe
PID 1200 wrote to memory of 1944	1200	cmd.exe	timeout.exe
PID 1200 wrote to memory of 1944	1200	cmd.exe	timeout.exe
PID 1200 wrote to memory of 1944	1200	cmd.exe	timeout.exe
PID 1200 wrote to memory of 1944	1200	cmd.exe	timeout.exe
PID 1268 wrote to memory of 1444	1268		F741.exe
PID 1268 wrote to memory of 1444	1268		F741.exe
PID 1268 wrote to memory of 1444	1268		F741.exe
PID 1268 wrote to memory of 1444	1268		F741.exe
PID 1268 wrote to memory of 1108	1268		A26.exe
PID 1268 wrote to memory of 1108	1268		A26.exe
PID 1268 wrote to memory of 1108	1268		A26.exe
PID 1268 wrote to memory of 1108	1268		A26.exe

C:\Users\Admin\AppData\Local\Temp\4df693f47c93324efa41fccef3b1331c.exe
"C:\Users\Admin\AppData\Local\Temp\4df693f47c93324efa41fccef3b1331c.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1644

C:\Users\Admin\AppData\Local\Temp\B8B5.exe
C:\Users\Admin\AppData\Local\Temp\B8B5.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1564

C:\Users\Admin\AppData\Local\Temp\CF26.exe
C:\Users\Admin\AppData\Local\Temp\CF26.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1560

C:\Users\Admin\AppData\Local\Temp\E4AA.exe
C:\Users\Admin\AppData\Local\Temp\E4AA.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\TxXuxXVjb & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\E4AA.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1944

C:\Users\Admin\AppData\Local\Temp\F741.exe
C:\Users\Admin\AppData\Local\Temp\F741.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Users\Admin\AppData\Local\Temp\A26.exe
C:\Users\Admin\AppData\Local\Temp\A26.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A26.exe

MD5
16d22182243b7bfb6aed30564f165cc8

SHA1
3e8fc329c2630d766ecef3f13ed262abc472c398

SHA256
242b150767fa1ffb485724c00ffbda83da6bc23fde3fa70c1707012bacabcad0

SHA512
b382020f49e7281f6b46ade125380bfdd51c105a2f3e89cfc6d35f2cebad9e43371a60146db9ba2cdb13d5e03b906d0eac1716c5541e548d2febc0bfd485ebe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8B5.exe

MD5
2635c82bba4900d6d0be58cd86bc0f70

SHA1
dda99874642c0f98f4d78c316866df3f6dd168c8

SHA256
641779b05eb13a933cfb9dc902d3749b8786d32967b70af5b6c538af86bb648e

SHA512
57d8fa2d74e86c0e125dbdf3b3bfa504a01f460ef60ad586f2d9c51c9c5fb77cda764f847d087fcfb73f60a895105f71d474507d39f1ece310fa035a02dd1028

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8B5.exe

MD5
2635c82bba4900d6d0be58cd86bc0f70

SHA1
dda99874642c0f98f4d78c316866df3f6dd168c8

SHA256
641779b05eb13a933cfb9dc902d3749b8786d32967b70af5b6c538af86bb648e

SHA512
57d8fa2d74e86c0e125dbdf3b3bfa504a01f460ef60ad586f2d9c51c9c5fb77cda764f847d087fcfb73f60a895105f71d474507d39f1ece310fa035a02dd1028

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF26.exe

MD5
2453e3cc777b0f656aa7bb22de048bdd

SHA1
a5c0e45bc6848e9c4964188c481a89c594888050

SHA256
60f461ff378333dbb6aef95ff06819b8749944145a39251e346cc8256d1298dc

SHA512
0b0282100497e213d55c86d50f57cd76e3f21e5f03f6e72755093a53b676a153c21c718c196e263008c2ea5585f8abb511d0d51e1411d656b32c78382a3a2581

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4AA.exe

MD5
c9037b99b13417a8a34411b7608e4aaf

SHA1
0890369ddf491d973f87abdd46c2f1e141d114f8

SHA256
4c1b46aa78b90a5bd0f8037f605781501e70679c931f4fee380f902c1871a7a7

SHA512
c34b5f51525b0ae7d32263de003a062a4584bcc14ae612fc16989ea685643306494490e2418a6817b0eb51f14346562fe993a31ec9bf646234357c8b790ef842

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4AA.exe

MD5
c9037b99b13417a8a34411b7608e4aaf

SHA1
0890369ddf491d973f87abdd46c2f1e141d114f8

SHA256
4c1b46aa78b90a5bd0f8037f605781501e70679c931f4fee380f902c1871a7a7

SHA512
c34b5f51525b0ae7d32263de003a062a4584bcc14ae612fc16989ea685643306494490e2418a6817b0eb51f14346562fe993a31ec9bf646234357c8b790ef842

Download Submit
C:\Users\Admin\AppData\Local\Temp\F741.exe

MD5
6414f73b9269a3b807c9ffa1e1676b3f

SHA1
e12253387ef96d3074446fa0d418f6ab275959db

SHA256
a14bfe10ddfd585755193ad5eba5c9fdcbd100daa53cdf16f6d4e83765aeec08

SHA512
05ad43cb9481a7e4a0376933a7f13cab933940687e2321d51d6a0b18d6f1367bf78ef93927e52e271a32dbec85f311d986b002d937c0fdb68dec2c73ea8c031d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F741.exe

MD5
6414f73b9269a3b807c9ffa1e1676b3f

SHA1
e12253387ef96d3074446fa0d418f6ab275959db

SHA256
a14bfe10ddfd585755193ad5eba5c9fdcbd100daa53cdf16f6d4e83765aeec08

SHA512
05ad43cb9481a7e4a0376933a7f13cab933940687e2321d51d6a0b18d6f1367bf78ef93927e52e271a32dbec85f311d986b002d937c0fdb68dec2c73ea8c031d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

MD5
1b6649e2d4c83c1e6aa5f196e81ad3f8

SHA1
20ee7c48453385d004d6970bf1ebd42051586cf7

SHA256
529cb1aa074cdcbd8ba6c82363db3c7d5916ee3ee0f420eea809073d50436563

SHA512
529724680dd6873fa583c42032f7bace37618aa4eaeddd0e74111f064f163062ec412008d2ca5b073cda0930e942fe2c8322c8820692797abcbc6ba98d0ed2f5

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
2635c82bba4900d6d0be58cd86bc0f70

SHA1
dda99874642c0f98f4d78c316866df3f6dd168c8

SHA256
641779b05eb13a933cfb9dc902d3749b8786d32967b70af5b6c538af86bb648e

SHA512
57d8fa2d74e86c0e125dbdf3b3bfa504a01f460ef60ad586f2d9c51c9c5fb77cda764f847d087fcfb73f60a895105f71d474507d39f1ece310fa035a02dd1028

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
2635c82bba4900d6d0be58cd86bc0f70

SHA1
dda99874642c0f98f4d78c316866df3f6dd168c8

SHA256
641779b05eb13a933cfb9dc902d3749b8786d32967b70af5b6c538af86bb648e

SHA512
57d8fa2d74e86c0e125dbdf3b3bfa504a01f460ef60ad586f2d9c51c9c5fb77cda764f847d087fcfb73f60a895105f71d474507d39f1ece310fa035a02dd1028

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
2635c82bba4900d6d0be58cd86bc0f70

SHA1
dda99874642c0f98f4d78c316866df3f6dd168c8

SHA256
641779b05eb13a933cfb9dc902d3749b8786d32967b70af5b6c538af86bb648e

SHA512
57d8fa2d74e86c0e125dbdf3b3bfa504a01f460ef60ad586f2d9c51c9c5fb77cda764f847d087fcfb73f60a895105f71d474507d39f1ece310fa035a02dd1028

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
2635c82bba4900d6d0be58cd86bc0f70

SHA1
dda99874642c0f98f4d78c316866df3f6dd168c8

SHA256
641779b05eb13a933cfb9dc902d3749b8786d32967b70af5b6c538af86bb648e

SHA512
57d8fa2d74e86c0e125dbdf3b3bfa504a01f460ef60ad586f2d9c51c9c5fb77cda764f847d087fcfb73f60a895105f71d474507d39f1ece310fa035a02dd1028

Download Submit
memory/956-62-0x0000000000540000-0x00000000005C0000-memory.dmp

Filesize
512KB

Download
memory/956-67-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/956-66-0x0000000001CF0000-0x0000000001D81000-memory.dmp

Filesize
580KB

Download
memory/956-60-0x0000000000000000-mapping.dmp

Download
memory/968-82-0x0000000000000000-mapping.dmp

Download
memory/968-88-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/968-87-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/968-85-0x000000000061B000-0x0000000000641000-memory.dmp

Filesize
152KB

Download
memory/1108-98-0x0000000000000000-mapping.dmp

Download
memory/1108-102-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1108-103-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1108-100-0x000000000062B000-0x0000000000634000-memory.dmp

Filesize
36KB

Download
memory/1200-89-0x0000000000000000-mapping.dmp

Download
memory/1268-84-0x0000000003C30000-0x0000000003C46000-memory.dmp

Filesize
88KB

Download
memory/1268-104-0x00000000060A0000-0x00000000060B6000-memory.dmp

Filesize
88KB

Download
memory/1268-59-0x0000000002AC0000-0x0000000002AD6000-memory.dmp

Filesize
88KB

Download
memory/1444-91-0x0000000000000000-mapping.dmp

Download
memory/1444-97-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1444-94-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1560-76-0x0000000000000000-mapping.dmp

Download
memory/1560-81-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-80-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1560-78-0x000000000061B000-0x0000000000624000-memory.dmp

Filesize
36KB

Download
memory/1564-73-0x0000000000350000-0x00000000003D0000-memory.dmp

Filesize
512KB

Download
memory/1564-75-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1564-70-0x0000000000000000-mapping.dmp

Download
memory/1644-55-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1644-58-0x0000000000400000-0x0000000002B74000-memory.dmp

Filesize
39.5MB

Download
memory/1644-56-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1644-57-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1944-90-0x0000000000000000-mapping.dmp

Download