cryptbot

Sharing

Copy URL

Twitter E-mail

General

Target

Random file mystery pot Suprise.zip
Size

7.8MB
Sample

231220-b48wdafacn
MD5

4304c66e786cd42c4bb09c6f6766fe49
SHA1

e48d47e5e689ef4dcb73e278b9b6be0407cf2147
SHA256

052e54df0b86483f84bbff6504e202c36e7bc25885e369e830dd7086fb7c7562
SHA512

711b5e410f283a64887e6e2857967a905a9ddc9762bf974b228c3ef951fa475bed3c0ea23fd4cdadfcac6e54e59cba9b5a87ab0d32401242d90024a174bf3812
SSDEEP

196608:NhViVR5xBwoRAmd60/n1pn5OOiS+WV7ytaNVW/0WDqC:N7idwO80fvLW0Wj

Malware Config

Extracted

Family

redline

Botnet

@esaymane

91.142.79.218:26878

Attributes

auth_value
78723e767811c55bea193f76621d6be1

Extracted

Family

predatorstealer

http://193.142.59.66/L9/

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://bratiop.ru/asdfg.exe

exe.dropper

http://bratiop.ru/asdfg.exe

Targets

- Target
  
  076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29.exe
- Size
  
  5.4MB
- MD5
  
  fbbeef748d1a778d15265c1b78a0f5f2
- SHA1
  
  d81baf14bf5d2f017a1a7bfd9e75d03ca7621b8a
- SHA256
  
  076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29
- SHA512
  
  dceb3004fb5018552d26051e32ebdbf9aa85e62f0ef14d7897e797e2bbc6b12381ce320b53361f199c6e24fef0d7a37ce96899357c9165a815d79045e7d78c2a
- SSDEEP
  
  49152:rpQDkXmuSP9y8X1hMUR/kMC3WpP7MqRyBxpt+yyQ6ihi04raAWK3+M2lkXy1YweG:
Score

10^/10

xmrig miner
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe
- Size
  
  210KB
- MD5
  
  8e84fa4f3e50e2bdc357c348b923a8b4
- SHA1
  
  8ccc6b05df9cd2ab9275e2848a997176b3cd41c8
- SHA256
  
  0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1
- SHA512
  
  cab0b936c6834068a94d55a7c3172b3b27766ddd41d5422ec2e4b1f2c0f39fa12f1258c4dc5483f061b635976ce398b91d274fbab812b64657ea3eb06e5dc81c
- SSDEEP
  
  3072:NWEv+PTBTYm7BsOzKSU2pr1RJoutgYdNC1W:NWEvMlTb7GyrLJoShdNn
Score

10^/10

rhadamanthys zgrat rat stealer upx
- Detect ZGRat V1
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
- Size
  
  305KB
- MD5
  
  4309f4b4bb455f998d1fdf310cd83484
- SHA1
  
  4ee10072d4dff28efcd64d8dcd631760868d644b
- SHA256
  
  131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1
- SHA512
  
  3d730ec6e3b385a69fa62634f4776e98327bc8f5da6330b109d3de5b37339dcb97cf9bf489c548de23f6ff71b115e921d5179cf2606eba61783851462ba807bf
- SSDEEP
  
  6144:zWmk/wokUNpuDoAVUx99rpABXHxjdgwJids6m+8suhyiP:NswuNpQv299rpAVHxJgw0dsp+dTiP
Score

10^/10

cryptbot spyware stealer
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
behavioral3
- Target
  
  1c133b9bb476879df8145370ce1069ec92f28cade85a839e0159158a3e1b1afd.exe
- Size
  
  262KB
- MD5
  
  19fc87c57a679a0d13237b98b5238494
- SHA1
  
  225b2955c3ef066629dfe2a6f70e6f685d361cbb
- SHA256
  
  1c133b9bb476879df8145370ce1069ec92f28cade85a839e0159158a3e1b1afd
- SHA512
  
  25802228b2ce71d52de9436ae465b79731bfe10142c22b3fb9618420c3fdf9b917a73426b3b22831f009a5db85276237d14146cfbc5cf41eaacf324f432a983e
- SSDEEP
  
  3072:DHWR0eTZb0s2XCO6bi9Syoe3e5MbrfgDDRIWG7Oh5y9iFzCgfsDr18IPoyvbOQ87:ovWo+eErfSB8qWz6IwyvhAthNYfsY
Score

10^/10

redline zgrat infostealer rat
- Detect ZGRat V1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
behavioral4
- Target
  
  30af8d3ec685a4a5669f1377bb74589772a0428d9daa214c179a795dcf4b9030.exe
- Size
  
  541KB
- MD5
  
  3f4dea6e7b8ccf697d2936176954b390
- SHA1
  
  4b34af92af1e22a6ec47ac36dc4b5bb5d743e01d
- SHA256
  
  30af8d3ec685a4a5669f1377bb74589772a0428d9daa214c179a795dcf4b9030
- SHA512
  
  e6d5c74048d2510a9ed8dc253158a1f531d61492832238b1c2f5c7c857da57008af1f8d3cd34d5b3077f307c1d42d61f36fd47e40567323d5cd4552fdc46256d
- SSDEEP
  
  12288:jmWfpP7y6eXLpjblm8wrDGXnPD5pIvJwpTrvX2Hn4Zuc374hotEwOu3LE:jmUh+LLpjblm8eDGXnPD5pIRSDXkg8io
Score

10^/10

shurk infostealer spyware stealer
- Shurk
  Shurk is an infostealer, written in C++ which appeared in 2021.
  infostealer shurk
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral5
- Target
  
  41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
- Size
  
  815KB
- MD5
  
  706368098593b234bde3727366651281
- SHA1
  
  81a56cd69bf00ec1fd79543423c59d5ce16c1a45
- SHA256
  
  41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5
- SHA512
  
  b1ba031351ec99df11f511ede7257ee4aa9b43472532d1d3e6ff36101b7f489a11fa356421759d08a83f663877b09029f15ccce25501e51e489429a1f0aece60
- SSDEEP
  
  24576:em8RI+emRlQIjDlzzTlQ8LmcEd40X0zjnXU9PR1t7drlSpnHuGE5:bzghxO
Score

10^/10

kutaki keylogger stealer
- Kutaki
  Information stealer and keylogger that hides inside legitimate Visual Basic applications.
  stealer keylogger kutaki
- Kutaki Executable
- Drops startup file
- Executes dropped EXE
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral6
- Target
  
  5a0daa24b5748d81ba0bb78d7f2b50eb4c387ffe679c92c1462f7dec586adb1f.exe
- Size
  
  101KB
- MD5
  
  5b77966a255cfa2e01887717058ef272
- SHA1
  
  7bce007c34add6b16a0bb594cbcde285aed0ac74
- SHA256
  
  5a0daa24b5748d81ba0bb78d7f2b50eb4c387ffe679c92c1462f7dec586adb1f
- SHA512
  
  011367d48ea5bbfb63edae20e4051de9ca32623fbff91d315c1067ab6fb31863f15338d50b07ad2117c55b6e0b0ecedfba42970782752f75723e9f9db3c3819a
- SSDEEP
  
  1536:0LFRFRFRFwmRHuEkibZnFXTeaXm0cob6KxQOb9sH8kChRpVwSMTFwdHHtVqoyyt4:u3PX6aW0coPRsqPNMTCnLqyBy9tF9
Score

1^/10
behavioral7
- Target
  
  630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
- Size
  
  278KB
- MD5
  
  66a3124fe4ed45fae20e2bd4ee33c626
- SHA1
  
  fc5ef4caf4d8a51a340f6fd98ac525debcff8f30
- SHA256
  
  630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad
- SHA512
  
  569bc064f465c32fd11fdd67896106778f13094e20adc739d8824f9e02508701b712bd3cfdab48782421b35acebe16bb5b0e97543db869ecaec5c1b87902b872
- SSDEEP
  
  6144:sU0sd0bzy1GOgofaePZ3e5fv+vc6X+olz:XzHGOgovPwcXbl
Score

10^/10

predatorstealer collection persistence spyware stealer
- PredatorStealer
  Predator is a modular stealer written in C#.
  stealer predatorstealer
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral8
- Target
  
  651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673.exe
- Size
  
  223KB
- MD5
  
  405bb24ade435693b11af1d81e2bb279
- SHA1
  
  2584f1119c65ffd0936e2916b285389404b942c9
- SHA256
  
  651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673
- SHA512
  
  b23649b9c7f86dd5a5cd18caa7c33072639f3f43f68131e6aa3b02de8267fb8891090e524d238244f87737167e09b89a4704d30b8973e1b742db08abb0783a32
- SSDEEP
  
  6144:voIzJOivKYT1+LdCWc9mhxG/ZfZHcr8qr:3vH1EjxGxfC
Score

1^/10
behavioral9
- Target
  
  677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58.exe
- Size
  
  113KB
- MD5
  
  37048e548f18aba300bafd7822296928
- SHA1
  
  40a258430ebe9297db33a248566a89e163286f3c
- SHA256
  
  677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58
- SHA512
  
  625b3b4615ae9bd6676bdb67059e0208d6785dc7e165f65386ab3c315c577df8fecf711ed95179f7bce9c41b9e2a90192aa8bca6922702ff2792ab92160b8a57
- SSDEEP
  
  1536:4FHdbTaUxSClJgXZhIHqlHrJRIDbMuL63gFvyTFdAnYPrzGEiZRC7U:4ZdqWSCUZhI0+q3g1ypCuHBkRC7U
Score

10^/10

redline sectoprat @esaymane infostealer rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
behavioral10
- Target
  
  7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb.exe
- Size
  
  381KB
- MD5
  
  db78b6b4e4ace66632b1b7d746f1d716
- SHA1
  
  8e2c19b9247bb799a2f0191af144cdf2e85db099
- SHA256
  
  7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb
- SHA512
  
  957ec989a52790550c15b030d0352baf714e36e9c5956eed6d9626b046a59b1bcf30d5bc283eb72c692df7494e8ecf8a1e0d3aea922118f52edcbf9f90879df1
- SSDEEP
  
  6144:8qprONykLCWtRm2YXSO6UBN+k2LaAa4TbuS0TLCK:LpaNyk2WHm2u2U8aAa4T6SECK
Score

3^/10
behavioral11
- Target
  
  817c226e42f5c503325288fd8273bc03b326590f457e7a589eb34c2792d0a5db.exe
- Size
  
  2.6MB
- MD5
  
  fea3a5c2bafa878b95e7084b5a5cb192
- SHA1
  
  bc2bd62464ab420e677753ada67f3bb345cf5080
- SHA256
  
  817c226e42f5c503325288fd8273bc03b326590f457e7a589eb34c2792d0a5db
- SHA512
  
  00d281f0d02619afa27e29faa8cd80ef48a449628308baa31c239c4930a8f3c031dadbb95ba194c3b0e00dba95a33ddd6715991ba9ab4a2daf06b430915c513a
- SSDEEP
  
  49152:sVSjcGsSEt3UQjAuD5Pa8G/5Dh+TNbtFs98e:sVYcwOJP67a
Score

8^/10
- Blocklisted process makes network request
behavioral12
- Target
  
  a925fc1289573f01bb86482e38340f0fe431269aa7500d776713c71091c49142.exe
- Size
  
  101KB
- MD5
  
  9618523352c980cc2fdb2533e16d7b08
- SHA1
  
  c518747935e16bfa8b7e8bedb38fc37d7afa386d
- SHA256
  
  a925fc1289573f01bb86482e38340f0fe431269aa7500d776713c71091c49142
- SHA512
  
  cb68601b5f3a808b6a8a2f90b386293ba21b13ac15981ea20abd03324f2d6cb1922b2425d5fa4b66a0ab5603843dc73ee14b62c1f8206bd58569a0441a097551
- SSDEEP
  
  1536:8uxpMqqU+NV2I8ShQEBpFiAVMS4O8gOkfDiGyIUt39p3VbWL8:8iMqqDLn8SuUKIMS42fDiGyIW9dVo8
Score

7^/10

spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral13
- Target
  
  b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
- Size
  
  256KB
- MD5
  
  18d05e20731583a22b495d0d1f107c5b
- SHA1
  
  2ced0e3577063ca3613b43661e7df5bc1411ab09
- SHA256
  
  b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
- SHA512
  
  36e73454b0d74088fb39dbec77c45c4106908dc80efc6a0ac8247a538345b4224f3f5e0cf6b39cf8c1687ddcee58ac2e6f24b735c9b9e277c7d064fd82e7a65a
- SSDEEP
  
  3072:Cf1BDZ0kVB67Duw9AMcb6FKglbz5107+i9CUVx/kvBFi4lBV5AfeNNu0NiF:C9X0GT6FKgpF107+iNDG5l5AfeNpNs
Score

10^/10

xmrig miner
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral14
- Target
  
  f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d.exe
- Size
  
  252KB
- MD5
  
  7ee76614ffebd297cabed708980cec45
- SHA1
  
  64ffe23df18cd51e287fc650e871601e5cf22e01
- SHA256
  
  f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d
- SHA512
  
  d07fdb7e5c914f5dc1b24448c06b12b84636259abfc686dd2440375c3877e5769ad196a9934293d3723009292f837efd98fb123c823fd77a0dae8592a02f1d41
- SSDEEP
  
  3072:1En24jTXQKXWhFby1OdlyP8fmgvI7mgnkzR4gMzMXamrL7hybkRYW5:1ERjrQKX2rlDtIyskzCPzMKmM7
Score

10^/10

predatorstealer collection persistence spyware stealer
- PredatorStealer
  Predator is a modular stealer written in C#.
  stealer predatorstealer
- CoreCCC Packer
  Detects CoreCCC packer used to load .NET malware.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral15
- Target
  
  f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe
- Size
  
  1.2MB
- MD5
  
  03fa2aa90ad1ce098de68893d83f701d
- SHA1
  
  915306065ac728701614ed4fe03a03168d95bb84
- SHA256
  
  f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1
- SHA512
  
  db96240a0f996b82ce29e9c0d3da50fd5c26a4cc799ad85e8cc362e6f931fee643a6f3dc452f8000b38f0e4969b8181b51225ccf749c17febbb3afd15d3deac4
- SSDEEP
  
  12288:e5EzeaAcdXmZM1KNrtTCXSnny5doEqXfei/ElljPFnF42s2Bx0teS:0244/gPHoIuS
Score

7^/10

persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral16

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Scheduled Task/Job

T1053

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

xmrig

XMRig Miner payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Detect ZGRat V1

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

ZGRat

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Suspicious use of SetThreadContext

Detect ZGRat V1

RedLine

RedLine payload

ZGRat

Shurk

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Kutaki

Kutaki Executable

Drops startup file

Executes dropped EXE

Maps connected drives based on registry

PredatorStealer

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Blocklisted process makes network request

Reads user/profile data of web browsers

xmrig

XMRig Miner payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

PredatorStealer

CoreCCC Packer

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Adds Run key to start application

Enumerates connected drives

Suspicious use of SetThreadContext

Executes dropped EXE

Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15