cryptbot | 8ffa24a981275d475221beac23988667f62a98a4ef19a420f9bb1fcd8a763340

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-en-20211104
submitted
06-12-2021 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

470affabeb66a60dc08c77d41f4956e3.exe
Size

278KB
MD5

470affabeb66a60dc08c77d41f4956e3
SHA1

bbf96c3e3863cea75523c6f127d82af3e3dca465
SHA256

8ffa24a981275d475221beac23988667f62a98a4ef19a420f9bb1fcd8a763340
SHA512

af5fbf727c5427240fa31168b78550f1b8ca02c81ab3a8c2f80adb98248ae2fe1a33996f16713dd9a4626f6fd996adf1624ddb752913cf29ba17dd1490fc6d8a

Score

10^/10

cryptbot raccoon smokeloader b620be4c85b4051a92040003edbc322be4eb082d backdoor spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

b620be4c85b4051a92040003edbc322be4eb082d

Attributes

url4cnc
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

7ACB.exe7ACB.exeE2C2.exeE2C2.exeEABE.exe

pid process

1008 7ACB.exe
1620 7ACB.exe
1120 E2C2.exe
1312 E2C2.exe
1452 EABE.exe
Deletes itself 1 IoCs

Processes:

pid process

1220
Loads dropped DLL 2 IoCs

Processes:

7ACB.exeE2C2.exe

pid process

1008 7ACB.exe
1120 E2C2.exe

pid	process
1008	7ACB.exe
1620	7ACB.exe
1120	E2C2.exe
1312	E2C2.exe
1452	EABE.exe

pid	process
1220

pid	process
1008	7ACB.exe
1120	E2C2.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

470affabeb66a60dc08c77d41f4956e3.exe7ACB.exeE2C2.exe

description	pid	process	target process
PID 768 set thread context of 580	768	470affabeb66a60dc08c77d41f4956e3.exe	470affabeb66a60dc08c77d41f4956e3.exe
PID 1008 set thread context of 1620	1008	7ACB.exe	7ACB.exe
PID 1120 set thread context of 1312	1120	E2C2.exe	E2C2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

470affabeb66a60dc08c77d41f4956e3.exe7ACB.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	470affabeb66a60dc08c77d41f4956e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7ACB.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7ACB.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7ACB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	470affabeb66a60dc08c77d41f4956e3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	470affabeb66a60dc08c77d41f4956e3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EABE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EABE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EABE.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1632 timeout.exe

pid	process
1632	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

470affabeb66a60dc08c77d41f4956e3.exe

pid	process
580	470affabeb66a60dc08c77d41f4956e3.exe
580	470affabeb66a60dc08c77d41f4956e3.exe
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1220
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

470affabeb66a60dc08c77d41f4956e3.exe7ACB.exe

pid process

580 470affabeb66a60dc08c77d41f4956e3.exe
1620 7ACB.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1220
1220
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1220
1220

pid	process
1220

pid	process
1220
1220

pid	process
1220
1220

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

470affabeb66a60dc08c77d41f4956e3.exe7ACB.exeE2C2.exeEABE.exe

description	pid	process	target process
PID 768 wrote to memory of 580	768	470affabeb66a60dc08c77d41f4956e3.exe	470affabeb66a60dc08c77d41f4956e3.exe
PID 768 wrote to memory of 580	768	470affabeb66a60dc08c77d41f4956e3.exe	470affabeb66a60dc08c77d41f4956e3.exe
PID 768 wrote to memory of 580	768	470affabeb66a60dc08c77d41f4956e3.exe	470affabeb66a60dc08c77d41f4956e3.exe
PID 768 wrote to memory of 580	768	470affabeb66a60dc08c77d41f4956e3.exe	470affabeb66a60dc08c77d41f4956e3.exe
PID 768 wrote to memory of 580	768	470affabeb66a60dc08c77d41f4956e3.exe	470affabeb66a60dc08c77d41f4956e3.exe
PID 768 wrote to memory of 580	768	470affabeb66a60dc08c77d41f4956e3.exe	470affabeb66a60dc08c77d41f4956e3.exe
PID 768 wrote to memory of 580	768	470affabeb66a60dc08c77d41f4956e3.exe	470affabeb66a60dc08c77d41f4956e3.exe
PID 1220 wrote to memory of 1008	1220		7ACB.exe
PID 1220 wrote to memory of 1008	1220		7ACB.exe
PID 1220 wrote to memory of 1008	1220		7ACB.exe
PID 1220 wrote to memory of 1008	1220		7ACB.exe
PID 1008 wrote to memory of 1620	1008	7ACB.exe	7ACB.exe
PID 1008 wrote to memory of 1620	1008	7ACB.exe	7ACB.exe
PID 1008 wrote to memory of 1620	1008	7ACB.exe	7ACB.exe
PID 1008 wrote to memory of 1620	1008	7ACB.exe	7ACB.exe
PID 1008 wrote to memory of 1620	1008	7ACB.exe	7ACB.exe
PID 1008 wrote to memory of 1620	1008	7ACB.exe	7ACB.exe
PID 1008 wrote to memory of 1620	1008	7ACB.exe	7ACB.exe
PID 1220 wrote to memory of 1120	1220		E2C2.exe
PID 1220 wrote to memory of 1120	1220		E2C2.exe
PID 1220 wrote to memory of 1120	1220		E2C2.exe
PID 1220 wrote to memory of 1120	1220		E2C2.exe
PID 1120 wrote to memory of 1312	1120	E2C2.exe	E2C2.exe
PID 1120 wrote to memory of 1312	1120	E2C2.exe	E2C2.exe
PID 1120 wrote to memory of 1312	1120	E2C2.exe	E2C2.exe
PID 1120 wrote to memory of 1312	1120	E2C2.exe	E2C2.exe
PID 1120 wrote to memory of 1312	1120	E2C2.exe	E2C2.exe
PID 1120 wrote to memory of 1312	1120	E2C2.exe	E2C2.exe
PID 1120 wrote to memory of 1312	1120	E2C2.exe	E2C2.exe
PID 1120 wrote to memory of 1312	1120	E2C2.exe	E2C2.exe
PID 1120 wrote to memory of 1312	1120	E2C2.exe	E2C2.exe
PID 1120 wrote to memory of 1312	1120	E2C2.exe	E2C2.exe
PID 1120 wrote to memory of 1312	1120	E2C2.exe	E2C2.exe
PID 1120 wrote to memory of 1312	1120	E2C2.exe	E2C2.exe
PID 1120 wrote to memory of 1312	1120	E2C2.exe	E2C2.exe
PID 1220 wrote to memory of 1452	1220		EABE.exe
PID 1220 wrote to memory of 1452	1220		EABE.exe
PID 1220 wrote to memory of 1452	1220		EABE.exe
PID 1220 wrote to memory of 1452	1220		EABE.exe
PID 1452 wrote to memory of 1960	1452	EABE.exe	cmd.exe
PID 1452 wrote to memory of 1960	1452	EABE.exe	cmd.exe
PID 1452 wrote to memory of 1960	1452	EABE.exe	cmd.exe
PID 1452 wrote to memory of 1960	1452	EABE.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\470affabeb66a60dc08c77d41f4956e3.exe
"C:\Users\Admin\AppData\Local\Temp\470affabeb66a60dc08c77d41f4956e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\470affabeb66a60dc08c77d41f4956e3.exe
"C:\Users\Admin\AppData\Local\Temp\470affabeb66a60dc08c77d41f4956e3.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:580

C:\Users\Admin\AppData\Local\Temp\7ACB.exe
C:\Users\Admin\AppData\Local\Temp\7ACB.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\7ACB.exe
C:\Users\Admin\AppData\Local\Temp\7ACB.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1620

C:\Users\Admin\AppData\Local\Temp\E2C2.exe
C:\Users\Admin\AppData\Local\Temp\E2C2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\E2C2.exe
C:\Users\Admin\AppData\Local\Temp\E2C2.exe
2⤵
- Executes dropped EXE
PID:1312

C:\Users\Admin\AppData\Local\Temp\EABE.exe
C:\Users\Admin\AppData\Local\Temp\EABE.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\NrSYUlNZRpg & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\EABE.exe"
2⤵
PID:1960

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1632

C:\Users\Admin\AppData\Local\Temp\F8C3.exe
C:\Users\Admin\AppData\Local\Temp\F8C3.exe
1⤵
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ACB.exe
MD5
470affabeb66a60dc08c77d41f4956e3

SHA1
bbf96c3e3863cea75523c6f127d82af3e3dca465

SHA256
8ffa24a981275d475221beac23988667f62a98a4ef19a420f9bb1fcd8a763340

SHA512
af5fbf727c5427240fa31168b78550f1b8ca02c81ab3a8c2f80adb98248ae2fe1a33996f16713dd9a4626f6fd996adf1624ddb752913cf29ba17dd1490fc6d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ACB.exe
MD5
470affabeb66a60dc08c77d41f4956e3

SHA1
bbf96c3e3863cea75523c6f127d82af3e3dca465

SHA256
8ffa24a981275d475221beac23988667f62a98a4ef19a420f9bb1fcd8a763340

SHA512
af5fbf727c5427240fa31168b78550f1b8ca02c81ab3a8c2f80adb98248ae2fe1a33996f16713dd9a4626f6fd996adf1624ddb752913cf29ba17dd1490fc6d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ACB.exe
MD5
470affabeb66a60dc08c77d41f4956e3

SHA1
bbf96c3e3863cea75523c6f127d82af3e3dca465

SHA256
8ffa24a981275d475221beac23988667f62a98a4ef19a420f9bb1fcd8a763340

SHA512
af5fbf727c5427240fa31168b78550f1b8ca02c81ab3a8c2f80adb98248ae2fe1a33996f16713dd9a4626f6fd996adf1624ddb752913cf29ba17dd1490fc6d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2C2.exe
MD5
45cf4ea0f9268e7306da20dea9d14210

SHA1
3574746d1d089f9989ee2c9e2048f014a61100ca

SHA256
919ccc1f90bae8d58cc6ef51359e15af853de90a7083c640b5c2a99eb1a61281

SHA512
3996f207a4973428f7ecb419f16fdafb7fa6213cb0a9a7b48405baae10f85a4a381664291f4c59d5c6bc7158335ca07944fb712dc7dc14a3a393f9af490dfe6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2C2.exe
MD5
45cf4ea0f9268e7306da20dea9d14210

SHA1
3574746d1d089f9989ee2c9e2048f014a61100ca

SHA256
919ccc1f90bae8d58cc6ef51359e15af853de90a7083c640b5c2a99eb1a61281

SHA512
3996f207a4973428f7ecb419f16fdafb7fa6213cb0a9a7b48405baae10f85a4a381664291f4c59d5c6bc7158335ca07944fb712dc7dc14a3a393f9af490dfe6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2C2.exe
MD5
45cf4ea0f9268e7306da20dea9d14210

SHA1
3574746d1d089f9989ee2c9e2048f014a61100ca

SHA256
919ccc1f90bae8d58cc6ef51359e15af853de90a7083c640b5c2a99eb1a61281

SHA512
3996f207a4973428f7ecb419f16fdafb7fa6213cb0a9a7b48405baae10f85a4a381664291f4c59d5c6bc7158335ca07944fb712dc7dc14a3a393f9af490dfe6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EABE.exe
MD5
fc71c2d164001be39d809f049de99f85

SHA1
5931e9065c1c8300664946b368c4b016a9ab44dd

SHA256
3829114af6d1923729fc3bf0da3424acab9db3fbaf01abd826462e379b92c051

SHA512
7b8e157b660c05b772682a8b36743487db717405bbc8a934289d5113730784114e9bc147717cdaf28d7b0fff55b35d14be21cbad40b163b15137ba8377630113

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C3.exe
MD5
fb36771532cb4245e65423fcf9b640bc

SHA1
c4dc005c1554ecc7823e7aae2be9b9e2816f7b2b

SHA256
3f852231c1211ee964277a572ea769056978f841b73736f0d7eaab6944712342

SHA512
66cd1de873a91b5895c6e99d458392cd575b4547e22b1a6c4e558f8e271fc3b6521cf8fe8dad1b31cf02873e8119244262a2b077e979b8a7417192d4e6209c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C3.exe
MD5
dd10142a0459e54e7c5172646aa011a7

SHA1
ab47350cf2d43f88672a17253f8edf03d3bf5221

SHA256
6cf5ad146c2b126eb490d3220efc0f058bb68412308995c55480c2c9cd5163ea

SHA512
7db7dd08808c948ff54143c4c1a781c7bfb00f44a10a3ae3d75843c2e7eeb4e47f100bcd6634738099cee7ebb5fc80d228a74400b643784f04864cf5cbf3940d

Download Submit
\Users\Admin\AppData\Local\Temp\7ACB.exe
MD5
470affabeb66a60dc08c77d41f4956e3

SHA1
bbf96c3e3863cea75523c6f127d82af3e3dca465

SHA256
8ffa24a981275d475221beac23988667f62a98a4ef19a420f9bb1fcd8a763340

SHA512
af5fbf727c5427240fa31168b78550f1b8ca02c81ab3a8c2f80adb98248ae2fe1a33996f16713dd9a4626f6fd996adf1624ddb752913cf29ba17dd1490fc6d8a

Download Submit
\Users\Admin\AppData\Local\Temp\E2C2.exe
MD5
45cf4ea0f9268e7306da20dea9d14210

SHA1
3574746d1d089f9989ee2c9e2048f014a61100ca

SHA256
919ccc1f90bae8d58cc6ef51359e15af853de90a7083c640b5c2a99eb1a61281

SHA512
3996f207a4973428f7ecb419f16fdafb7fa6213cb0a9a7b48405baae10f85a4a381664291f4c59d5c6bc7158335ca07944fb712dc7dc14a3a393f9af490dfe6d

Download Submit
memory/580-57-0x0000000000402F47-mapping.dmp

Download
memory/580-58-0x0000000075A01000-0x0000000075A03000-memory.dmp

Filesize
8KB

Download
memory/580-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/768-59-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/768-55-0x00000000002AB000-0x00000000002B4000-memory.dmp

Filesize
36KB

Download
memory/1008-63-0x00000000005FB000-0x0000000000604000-memory.dmp

Filesize
36KB

Download
memory/1008-61-0x0000000000000000-mapping.dmp

Download
memory/1120-79-0x00000000002E0000-0x0000000000362000-memory.dmp

Filesize
520KB

Download
memory/1120-73-0x000000000057B000-0x00000000005EB000-memory.dmp

Filesize
448KB

Download
memory/1120-71-0x0000000000000000-mapping.dmp

Download
memory/1220-60-0x0000000002130000-0x0000000002146000-memory.dmp

Filesize
88KB

Download
memory/1220-70-0x00000000039B0000-0x00000000039C6000-memory.dmp

Filesize
88KB

Download
memory/1312-91-0x0000000000400000-0x0000000002BB9000-memory.dmp

Filesize
39.7MB

Download
memory/1312-76-0x0000000000400000-0x0000000002BB9000-memory.dmp

Filesize
39.7MB

Download
memory/1312-80-0x0000000000400000-0x0000000002BB9000-memory.dmp

Filesize
39.7MB

Download
memory/1312-83-0x0000000000400000-0x0000000002BB9000-memory.dmp

Filesize
39.7MB

Download
memory/1312-85-0x00000000003B0000-0x00000000003FF000-memory.dmp

Filesize
316KB

Download
memory/1312-86-0x0000000004350000-0x00000000043DF000-memory.dmp

Filesize
572KB

Download
memory/1312-77-0x0000000000401E7A-mapping.dmp

Download
memory/1452-87-0x000000000052B000-0x0000000000551000-memory.dmp

Filesize
152KB

Download
memory/1452-89-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/1452-90-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1452-81-0x0000000000000000-mapping.dmp

Download
memory/1620-67-0x0000000000402F47-mapping.dmp

Download
memory/1632-95-0x0000000000000000-mapping.dmp

Download
memory/1816-93-0x0000000000000000-mapping.dmp

Download
memory/1816-98-0x0000000074AA0000-0x0000000074AEA000-memory.dmp

Filesize
296KB

Download
memory/1816-99-0x0000000001000000-0x0000000001162000-memory.dmp

Filesize
1.4MB

Download
memory/1816-100-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1960-92-0x0000000000000000-mapping.dmp

Download