cryptbot

Resubmissions

10-04-2024 04:40

240410-fa2mesgd4v 10

09-04-2024 17:09

240409-vpkd1sdb73 10

Sharing

Copy URL

Twitter E-mail

General

Target

ea7d5de7982f0a08bff6d8e6f17cf664_JaffaCakes118
Size

4.0MB
Sample

240410-fa2mesgd4v
MD5

ea7d5de7982f0a08bff6d8e6f17cf664
SHA1

68c86999e908f4c8e362c2591fd4c8e5907e6410
SHA256

ba15a8b7d1ecc6348ee4806b0903afdf5917a595a909ce529e85cacd197c6e77
SHA512

71a6684cb0d6007261eb81ef4936d2233971d501983b4e70a55143458a8581f615bd83208edc09c75ee9552318506ccfe44a7842d26bbcc31334c103a61face6
SSDEEP

98304:y1jCOwXLeMP+g2GQ0Y/zDQoKMN3lk60fi+Lw6A:y1jCOwqQ+RGGPVBNOhLw6A

Malware Config

Extracted

Family

nullmixer

http://marisana.xyz/

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.171/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.185

Extracted

Family

redline

Botnet

pab3

185.215.113.15:61506

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

vidar

Version

Botnet

706

https://lenak513.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

cryptbot

knurxh28.top

moraku02.top

Attributes

payload_url
http://sargym03.top/download.php?file=lv.exe

Targets

- Target
  
  ea7d5de7982f0a08bff6d8e6f17cf664_JaffaCakes118
- Size
  
  4.0MB
- MD5
  
  ea7d5de7982f0a08bff6d8e6f17cf664
- SHA1
  
  68c86999e908f4c8e362c2591fd4c8e5907e6410
- SHA256
  
  ba15a8b7d1ecc6348ee4806b0903afdf5917a595a909ce529e85cacd197c6e77
- SHA512
  
  71a6684cb0d6007261eb81ef4936d2233971d501983b4e70a55143458a8581f615bd83208edc09c75ee9552318506ccfe44a7842d26bbcc31334c103a61face6
- SSDEEP
  
  98304:y1jCOwXLeMP+g2GQ0Y/zDQoKMN3lk60fi+Lw6A:y1jCOwqQ+RGGPVBNOhLw6A
Score

10^/10

cryptbot nullmixer redline sectoprat smokeloader vidar 706 pab3 pub6 aspackv2 backdoor discovery dropper infostealer loader persistence rat spyware stealer trojan
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- CryptBot payload
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  setup_installer.exe
- Size
  
  3.9MB
- MD5
  
  7ae4349cc7e8c98084c05e2085b56645
- SHA1
  
  db7a339d5731471435450be094ba711ca7194685
- SHA256
  
  b89fdf606986324fa9260f434dc1561d716985d0886fba180b88f3afb9dec729
- SHA512
  
  5196ac4aa9ca69c342fa5a391f011881db608600cbfbfb4ae1391477ec59aa83846c955ed73573a09828b7b574a5a0b07e19871245ac19518c03480b9fc8ec3d
- SSDEEP
  
  98304:xaCvLUBsgxkKH8DBAPbT7J7go2i2JjQCQ+gHhjPrLi:x7LUCgSKH84zGo2i2Jc1BHi
Score

10^/10

cryptbot nullmixer redline sectoprat smokeloader vidar 706 pab3 pub6 aspackv2 backdoor discovery dropper infostealer loader persistence rat spyware stealer trojan
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- CryptBot payload
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

CryptBot payload

NullMixer

PrivateLoader

RedLine

RedLine payload

SectopRAT

SectopRAT payload

SmokeLoader

Vidar

Vidar Stealer

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

CryptBot

CryptBot payload

NullMixer

PrivateLoader

RedLine

RedLine payload

SectopRAT

SectopRAT payload

SmokeLoader

Vidar

Vidar Stealer

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4