cryptbot

General

Target

99281465e23f346ffec5c0dd3964a053
Size

2.4MB
Sample

240213-l8xn1sfc5t
MD5

99281465e23f346ffec5c0dd3964a053
SHA1

d40d5f1f00f9ac49762f6d40a1f7e0102f9e2590
SHA256

450b8f11dfa06aee1def7d2b49c29d670406b765e9900efe7d1e8bb1ffff486f
SHA512

70aed0a5252c06afc4bb559a85d52b8836490dbfcb98b0066ac38c5ff68ddb22e9bfe5d4489716693fe7b4a129f493ef5c736db1ee607e76b0f2374c1420a016
SSDEEP

49152:9g//MbAdFB0t7G6GE9DruSaMR/Emz+Q5Zv894VOrB4+L12hKynFoFZvBrWwb1:y3Jz6D9GjUzBE4wiYo4pZvJ1

Malware Config

Extracted

Family

nullmixer

C2

http://watira.xyz/

Extracted

Family

redline

Botnet

pab3

C2

185.215.113.15:61506

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

cryptbot

C2

lysuht78.top

morisc07.top

Attributes

payload_url
http://damysa10.top/download.php?file=lv.exe

Extracted

Family

vidar

Version

40

Botnet

706

C2

https://lenak513.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Targets

- Target
  
  99281465e23f346ffec5c0dd3964a053
- Size
  
  2.4MB
- MD5
  
  99281465e23f346ffec5c0dd3964a053
- SHA1
  
  d40d5f1f00f9ac49762f6d40a1f7e0102f9e2590
- SHA256
  
  450b8f11dfa06aee1def7d2b49c29d670406b765e9900efe7d1e8bb1ffff486f
- SHA512
  
  70aed0a5252c06afc4bb559a85d52b8836490dbfcb98b0066ac38c5ff68ddb22e9bfe5d4489716693fe7b4a129f493ef5c736db1ee607e76b0f2374c1420a016
- SSDEEP
  
  49152:9g//MbAdFB0t7G6GE9DruSaMR/Emz+Q5Zv894VOrB4+L12hKynFoFZvBrWwb1:y3Jz6D9GjUzBE4wiYo4pZvJ1
Score

10^/10

cryptbot nullmixer privateloader redline sectoprat smokeloader vidar 706 pab3 pub5 aspackv2 backdoor discovery dropper infostealer loader rat spyware stealer trojan
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- CryptBot payload
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2
- Target
  
  setup_installer.exe
- Size
  
  2.4MB
- MD5
  
  a8149197e0b87186f49ea0654f2e001d
- SHA1
  
  b3ae3f94bf3ce63dcd97aba465694d6233bcff35
- SHA256
  
  820285daf1ef245e93262a0a5e87c515c9233b0d9d95b2fe56b53f93031ae765
- SHA512
  
  e314edd8a5331a558164bdde272fc67251c5db7f9dd22eb648a6036c4737e4701ae9a86f00f9944f8089b6a5c93f37f6f719a26f09cc334366bd7a44fe89b81e
- SSDEEP
  
  49152:xcBGEwJ84vLRaBtIl9mV4jJm4KlaREI4/toRhV+acKwF+fPA5:xwCvLUBsgqJmWR+/uxGKMSo5
Score

10^/10

cryptbot nullmixer privateloader redline sectoprat smokeloader vidar 706 pab3 pub5 aspackv2 backdoor discovery dropper infostealer loader rat spyware stealer trojan
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- CryptBot payload
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral3 behavioral4