saintbot | ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9

General

Target

ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe
Size

223KB
MD5

893b17ed65ecffa8376063349f22d2bc
SHA1

50c556277899d6b9da5ec125c0a58650a14a08a7
SHA256

ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9
SHA512

e61a215547991592a204868a979ec513198a6ba192a692a97ccba352c427dc1721a433c0aaaa98107f2d91ae5d2b0aad57ea9ea86ca48a0d61b8a48ecef6b787
SSDEEP

3072:EwA6vAcT6agXrIISqRIYrCNrACDJi7kX9ne6uDxj5AiOhtSvLt2b:6cT6PXrI/qRIZrACGkX9niILtUt2b

Score

10^/10

saintbot discovery dropper persistence

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1708-2-0x00000000002A0000-0x00000000002A9000-memory.dmp	family_saintbot
behavioral1/memory/1708-3-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral1/memory/1708-23-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral1/memory/2880-27-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral1/memory/2880-31-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral1/memory/2428-33-0x00000000000C0000-0x00000000000CB000-memory.dmp	family_saintbot
behavioral1/memory/2428-35-0x00000000000C0000-0x00000000000CB000-memory.dmp	family_saintbot
behavioral1/memory/2428-36-0x00000000000C0000-0x00000000000CB000-memory.dmp	family_saintbot

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2588	cmd.exe

Drops startup file 2 IoCs

Processes:

ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe36123.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36123.exe	ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36123.exe	36123.exe

Executes dropped EXE 1 IoCs

Processes:

36123.exe

pid	Process
2880	36123.exe

Loads dropped DLL 4 IoCs

Processes:

ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe36123.exeEhStorAuthn.exe

pid	Process
1708	ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe
1708	ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe
2880	36123.exe
2428	EhStorAuthn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

EhStorAuthn.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\z_Admin\\Admin.vbs"	EhStorAuthn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe36123.exeEhStorAuthn.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	36123.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	36123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	EhStorAuthn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe

Drops file in System32 directory 1 IoCs

Processes:

EhStorAuthn.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	EhStorAuthn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EhStorAuthn.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EhStorAuthn.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
280	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2596	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

36123.exe

pid	Process
2880	36123.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.execmd.exe36123.exeEhStorAuthn.exe

description	pid	Process	procid_target
PID 1708 wrote to memory of 2880	1708	ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe	28
PID 1708 wrote to memory of 2880	1708	ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe	28
PID 1708 wrote to memory of 2880	1708	ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe	28
PID 1708 wrote to memory of 2880	1708	ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe	28
PID 1708 wrote to memory of 2588	1708	ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe	29
PID 1708 wrote to memory of 2588	1708	ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe	29
PID 1708 wrote to memory of 2588	1708	ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe	29
PID 1708 wrote to memory of 2588	1708	ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe	29
PID 2588 wrote to memory of 2596	2588	cmd.exe	31
PID 2588 wrote to memory of 2596	2588	cmd.exe	31
PID 2588 wrote to memory of 2596	2588	cmd.exe	31
PID 2588 wrote to memory of 2596	2588	cmd.exe	31
PID 2588 wrote to memory of 2536	2588	cmd.exe	32
PID 2588 wrote to memory of 2536	2588	cmd.exe	32
PID 2588 wrote to memory of 2536	2588	cmd.exe	32
PID 2588 wrote to memory of 2536	2588	cmd.exe	32
PID 2880 wrote to memory of 2428	2880	36123.exe	33
PID 2880 wrote to memory of 2428	2880	36123.exe	33
PID 2880 wrote to memory of 2428	2880	36123.exe	33
PID 2880 wrote to memory of 2428	2880	36123.exe	33
PID 2880 wrote to memory of 2428	2880	36123.exe	33
PID 2428 wrote to memory of 280	2428	EhStorAuthn.exe	36
PID 2428 wrote to memory of 280	2428	EhStorAuthn.exe	36
PID 2428 wrote to memory of 280	2428	EhStorAuthn.exe	36
PID 2428 wrote to memory of 280	2428	EhStorAuthn.exe	36

C:\Users\Admin\AppData\Local\Temp\ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe
"C:\Users\Admin\AppData\Local\Temp\ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36123.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36123.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\EhStorAuthn.exe
    "C:\Windows\System32\EhStorAuthn.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F
      4⤵
      Creates scheduled task(s)
      PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\del.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
    3⤵
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
C:\Users\Admin\AppData\Roaming\del.bat

Filesize
170B

MD5
edeb4e96ab314325f9e21b3d93ade5e0

SHA1
493ed4eb1f39091e7085e74f9fc89771c8bbf587

SHA256
b69cb84ef4f94024328d6580ba44ff73d73c3a3bbc8a8a008333659da8688b61

SHA512
a0064dd4ff326a48a1388524b154c5469522b21a3ef62505e0967ac77030dadc7d02bbdce4dd1a66439e16bd07e298db1aa33f133c674366f405c0016a0dce01

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36123.exe

Filesize
223KB

MD5
893b17ed65ecffa8376063349f22d2bc

SHA1
50c556277899d6b9da5ec125c0a58650a14a08a7

SHA256
ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9

SHA512
e61a215547991592a204868a979ec513198a6ba192a692a97ccba352c427dc1721a433c0aaaa98107f2d91ae5d2b0aad57ea9ea86ca48a0d61b8a48ecef6b787

Download Submit
memory/1708-1-0x0000000002C20000-0x0000000002D20000-memory.dmp

Filesize
1024KB

Download
memory/1708-3-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/1708-23-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/1708-2-0x00000000002A0000-0x00000000002A9000-memory.dmp

Filesize
36KB

Download
memory/2428-33-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2428-36-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2428-35-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2880-26-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2880-31-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/2880-27-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads