saintbot | db8975fd6c04a7d3790eb73ab8e95b6dbf6c9d65ad5c6a6d3c862d0284f87c34

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db8975fd6c04a7d3790eb73ab8e95b6dbf6c9d65ad5c6a6d3c862d0284f87c34.exe
Size

234KB
MD5

abc87856247dea1e4d01e2c3b352ab77
SHA1

fa48ec02991837bd7ce2248a130da934ec6555ad
SHA256

db8975fd6c04a7d3790eb73ab8e95b6dbf6c9d65ad5c6a6d3c862d0284f87c34
SHA512

1219caf42a89b119e30580f80373b3795181938f5e6196a0f0249de6212dd9f24c1dee9300d19a04078d73743b4036d368a8a3066fac8ae068f973e545e106b6
SSDEEP

3072:JIWl+LIyTYPc4cW/QgB3JibTVLHvFKFb83yFe0L2ItrOmY5S:JI/LIGYp/xB49vFK6Se0LRhX

Score

10^/10

saintbot dropper

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot payload 2 IoCs

resource	yara_rule
behavioral1/memory/2136-11-0x0000000000400000-0x0000000000A14000-memory.dmp	family_saintbot
behavioral1/memory/2136-9-0x0000000000220000-0x0000000000229000-memory.dmp	family_saintbot

Deletes itself 1 IoCs

pid	Process
3056	cmd.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	db8975fd6c04a7d3790eb73ab8e95b6dbf6c9d65ad5c6a6d3c862d0284f87c34.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	db8975fd6c04a7d3790eb73ab8e95b6dbf6c9d65ad5c6a6d3c862d0284f87c34.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2636	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 3056	2136	db8975fd6c04a7d3790eb73ab8e95b6dbf6c9d65ad5c6a6d3c862d0284f87c34.exe	27
PID 2136 wrote to memory of 3056	2136	db8975fd6c04a7d3790eb73ab8e95b6dbf6c9d65ad5c6a6d3c862d0284f87c34.exe	27
PID 2136 wrote to memory of 3056	2136	db8975fd6c04a7d3790eb73ab8e95b6dbf6c9d65ad5c6a6d3c862d0284f87c34.exe	27
PID 2136 wrote to memory of 3056	2136	db8975fd6c04a7d3790eb73ab8e95b6dbf6c9d65ad5c6a6d3c862d0284f87c34.exe	27
PID 3056 wrote to memory of 2636	3056	cmd.exe	29
PID 3056 wrote to memory of 2636	3056	cmd.exe	29
PID 3056 wrote to memory of 2636	3056	cmd.exe	29
PID 3056 wrote to memory of 2636	3056	cmd.exe	29
PID 3056 wrote to memory of 2936	3056	cmd.exe	30
PID 3056 wrote to memory of 2936	3056	cmd.exe	30
PID 3056 wrote to memory of 2936	3056	cmd.exe	30
PID 3056 wrote to memory of 2936	3056	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\db8975fd6c04a7d3790eb73ab8e95b6dbf6c9d65ad5c6a6d3c862d0284f87c34.exe
"C:\Users\Admin\AppData\Local\Temp\db8975fd6c04a7d3790eb73ab8e95b6dbf6c9d65ad5c6a6d3c862d0284f87c34.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\del.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
    3⤵
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\del.bat

Filesize
170B

MD5
ff3d24040fd8c570a201858ec3cc0cfd

SHA1
5a138ce6bee17581234ed625c8dd97c11cd4d331

SHA256
5851cc2a43b5563742a9f7321a8fa5db43f3e241b0a9feb268de83eeed6fc594

SHA512
e25e9c6ffb51093cc24c3f3837a212cfa19bf938b459ce59eb965c98e3d7c0972d080f532a4b95076b73e9c152d665d41df8aefbb784eb3e4e93f81d01f07e70

Download Submit
memory/2136-7-0x0000000000AC0000-0x0000000000BC0000-memory.dmp

Filesize
1024KB

Download
memory/2136-11-0x0000000000400000-0x0000000000A14000-memory.dmp

Filesize
6.1MB

Download
memory/2136-9-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download