cryptbot | 57f10efc739ec361aebc5282037d8013f39991d2f87ab144dd16e3cd63ed6999

Analysis

max time kernel
0s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15eb5a44613074dee64d6f25eceb66be.exe
Size

3.4MB
MD5

15eb5a44613074dee64d6f25eceb66be
SHA1

a414befb2fdf6c508d4936f723f8b142828b2b16
SHA256

57f10efc739ec361aebc5282037d8013f39991d2f87ab144dd16e3cd63ed6999
SHA512

e749bfd0ccb846547bf2759b6c39515caded7103fb5197059f60321ba26dfc367f9e69f2b7f889173b330ee5342ff94a4b6aec69aee9cedf9eb040dbbafc27a4
SSDEEP

98304:xwCvLUBsgQPoIXHs02aorqdKmUzKDwXQXKV9fV:xNLUCgeoIXM0R3nUz8wrPfV

Score

10^/10

cryptbot nullmixer redline sectoprat smokeloader vidar 706 pab3 pub6 backdoor dropper infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

pab3

185.215.113.15:61506

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

vidar

Version

Botnet

706

https://lenak513.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

nullmixer

http://marisana.xyz/

Extracted

Family

cryptbot

knudqw18.top

morzku01.top

Attributes

payload_url
http://saryek01.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 6 IoCs

resource	yara_rule
behavioral1/memory/648-289-0x0000000003D80000-0x0000000003E23000-memory.dmp	family_cryptbot
behavioral1/memory/648-301-0x0000000003D80000-0x0000000003E23000-memory.dmp	family_cryptbot
behavioral1/memory/648-300-0x0000000003D80000-0x0000000003E23000-memory.dmp	family_cryptbot
behavioral1/memory/648-299-0x0000000003D80000-0x0000000003E23000-memory.dmp	family_cryptbot
behavioral1/memory/648-387-0x0000000003D80000-0x0000000003E23000-memory.dmp	family_cryptbot
behavioral1/memory/648-622-0x0000000003D80000-0x0000000003E23000-memory.dmp	family_cryptbot

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/1568-140-0x00000000047C0000-0x00000000047E2000-memory.dmp	family_redline
behavioral1/memory/1568-144-0x0000000004D90000-0x0000000004DB0000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1568-140-0x00000000047C0000-0x00000000047E2000-memory.dmp	family_sectoprat
behavioral1/memory/1568-144-0x0000000004D90000-0x0000000004DB0000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/1564-134-0x0000000004590000-0x000000000462D000-memory.dmp	family_vidar
behavioral1/memory/1564-147-0x0000000000400000-0x0000000002D1A000-memory.dmp	family_vidar
behavioral1/memory/1568-119-0x0000000003120000-0x0000000003220000-memory.dmp	family_vidar
behavioral1/memory/1564-309-0x0000000000400000-0x0000000002D1A000-memory.dmp	family_vidar
behavioral1/memory/1564-380-0x0000000004590000-0x000000000462D000-memory.dmp	family_vidar

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1236	2828	WerFault.exe
1848	1564	WerFault.exe	31

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2528	PING.EXE

C:\Users\Admin\AppData\Local\Temp\15eb5a44613074dee64d6f25eceb66be.exe
"C:\Users\Admin\AppData\Local\Temp\15eb5a44613074dee64d6f25eceb66be.exe"
1⤵
PID:2268
- C:\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\setup_install.exe"
  2⤵
  PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue021e08b886995.exe
1⤵
PID:1928
- C:\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\Tue021e08b886995.exe
  Tue021e08b886995.exe
  2⤵
  PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd
1⤵
PID:572
- C:\Windows\SysWOW64\findstr.exe
  findstr /V /R "^aXXPLdOdpKvHEwwcALYIInWmgGDtBFsVVodqfjpjFmFfheNjFpLslXxTwbAyMJPDzALcKwugCMepSGkjSsms$" Suoi.xlam
  2⤵
  PID:584
- C:\Windows\SysWOW64\PING.EXE
  ping CALKHSYM -n 30
  2⤵
  - Runs ping.exe
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com
  Talune.exe.com K
  2⤵
  PID:1744

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com K
1⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Conservava.xlam
1⤵
PID:2064

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
1⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\Tue025ccbbdb1799f42b.exe
Tue025ccbbdb1799f42b.exe
1⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\Tue021b99042c7.exe
Tue021b99042c7.exe
1⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\Tue02693e04f014707bc.exe
Tue02693e04f014707bc.exe
1⤵
PID:1564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 940
  2⤵
  - Program crash
  PID:1848

C:\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\Tue02ef36b3f1289c5.exe
Tue02ef36b3f1289c5.exe
1⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\Tue027536c4694d45.exe
Tue027536c4694d45.exe
1⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\Tue022b0c9446.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\Tue022b0c9446.exe" -a
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\Tue0237249404942fe.exe
Tue0237249404942fe.exe
1⤵
PID:2416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\Tue022a930da16b.exe
Tue022a930da16b.exe
1⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue027536c4694d45.exe
1⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue025ccbbdb1799f42b.exe
1⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue0237249404942fe.exe
1⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\Tue022b0c9446.exe
Tue022b0c9446.exe
1⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue02ef36b3f1289c5.exe
1⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue02693e04f014707bc.exe
1⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue022a930da16b.exe
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 432
1⤵
- Program crash
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue021b99042c7.exe
1⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue022b0c9446.exe
1⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\7zSCD8C5F06\setup_install.exe

Filesize
92KB

MD5
15b744dda515cebaf7c8761f6beb9323

SHA1
890947d8e2b078b67b62d9c1d08770bfc7ef3c17

SHA256
91cf68352b0edfd2ca67084d83cc44cf100f1a4273566326e076c83abd5daed5

SHA512
c4add4f8d0ddeb607270df27c05a887a4724946b01032e5ae56d5d1046a527ce19f8b84a6bae1be0cde62ffcd3d26e1f5ff914853f9fee6b6721f338fe0d2b53

Download Submit
memory/648-299-0x0000000003D80000-0x0000000003E23000-memory.dmp

Filesize
652KB

Download
memory/648-622-0x0000000003D80000-0x0000000003E23000-memory.dmp

Filesize
652KB

Download
memory/648-387-0x0000000003D80000-0x0000000003E23000-memory.dmp

Filesize
652KB

Download
memory/648-246-0x0000000003D80000-0x0000000003E23000-memory.dmp

Filesize
652KB

Download
memory/648-245-0x0000000003D80000-0x0000000003E23000-memory.dmp

Filesize
652KB

Download
memory/648-244-0x0000000003D80000-0x0000000003E23000-memory.dmp

Filesize
652KB

Download
memory/648-289-0x0000000003D80000-0x0000000003E23000-memory.dmp

Filesize
652KB

Download
memory/648-301-0x0000000003D80000-0x0000000003E23000-memory.dmp

Filesize
652KB

Download
memory/648-300-0x0000000003D80000-0x0000000003E23000-memory.dmp

Filesize
652KB

Download
memory/1096-163-0x0000000003070000-0x0000000003086000-memory.dmp

Filesize
88KB

Download
memory/1564-133-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/1564-147-0x0000000000400000-0x0000000002D1A000-memory.dmp

Filesize
41.1MB

Download
memory/1564-309-0x0000000000400000-0x0000000002D1A000-memory.dmp

Filesize
41.1MB

Download
memory/1564-134-0x0000000004590000-0x000000000462D000-memory.dmp

Filesize
628KB

Download
memory/1564-379-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/1564-380-0x0000000004590000-0x000000000462D000-memory.dmp

Filesize
628KB

Download
memory/1568-155-0x0000000000400000-0x0000000002CD3000-memory.dmp

Filesize
40.8MB

Download
memory/1568-140-0x00000000047C0000-0x00000000047E2000-memory.dmp

Filesize
136KB

Download
memory/1568-154-0x0000000007690000-0x00000000076D0000-memory.dmp

Filesize
256KB

Download
memory/1568-378-0x0000000003120000-0x0000000003220000-memory.dmp

Filesize
1024KB

Download
memory/1568-144-0x0000000004D90000-0x0000000004DB0000-memory.dmp

Filesize
128KB

Download
memory/1568-122-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/1568-119-0x0000000003120000-0x0000000003220000-memory.dmp

Filesize
1024KB

Download
memory/1568-385-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/1796-151-0x0000000000AA0000-0x0000000000AA9000-memory.dmp

Filesize
36KB

Download
memory/1796-152-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/1796-150-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/1796-164-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/2416-153-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-256-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-135-0x0000000000040000-0x0000000000064000-memory.dmp

Filesize
144KB

Download
memory/2416-143-0x00000000001F0000-0x000000000020C000-memory.dmp

Filesize
112KB

Download
memory/2416-149-0x000000001AEB0000-0x000000001AF30000-memory.dmp

Filesize
512KB

Download
memory/2436-146-0x0000000072E00000-0x00000000733AB000-memory.dmp

Filesize
5.7MB

Download
memory/2452-381-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2452-148-0x00000000010F0000-0x0000000001170000-memory.dmp

Filesize
512KB

Download
memory/2452-145-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2452-132-0x00000000012F0000-0x00000000012F8000-memory.dmp

Filesize
32KB

Download
memory/2452-386-0x00000000010F0000-0x0000000001170000-memory.dmp

Filesize
512KB

Download
memory/2828-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2828-304-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2828-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2828-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2828-46-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2828-303-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2828-305-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2828-306-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2828-307-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2828-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2828-302-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2828-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2828-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2828-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2828-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2828-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2828-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2828-60-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2828-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2828-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads