cryptbot

General

Target

JaffaCakes118_2f8eb2e173c93dae1ddd17031ee8aa0e
Size

5.8MB
Sample

250106-vjv9bssjd1
MD5

2f8eb2e173c93dae1ddd17031ee8aa0e
SHA1

9f79361ac3b2d4eae624b8a0c5edf060e4c8d2ff
SHA256

365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
SHA512

018b520f99154bb496ebce3bd7aecb6978608689ddf36444e60d47a547b55d07c03b2789243a27c5516e5fd930a20e5bade69ff72db5afa040b04205493b20cb
SSDEEP

98304:yo+BLKm54bo+f1XhdeQ9jVRUgwuZnQtgmqQI81pPQ92RSM6r+rNnYi:yo+ZKmqo4rLfUpuWJI81pqnQyi

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://marisana.xyz/

Extracted

Family

cryptbot

C2

lysuht78.top

morisc07.top

Attributes

payload_url
http://damysa10.top/download.php?file=lv.exe

Targets

- Target
  
  JaffaCakes118_2f8eb2e173c93dae1ddd17031ee8aa0e
- Size
  
  5.8MB
- MD5
  
  2f8eb2e173c93dae1ddd17031ee8aa0e
- SHA1
  
  9f79361ac3b2d4eae624b8a0c5edf060e4c8d2ff
- SHA256
  
  365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
- SHA512
  
  018b520f99154bb496ebce3bd7aecb6978608689ddf36444e60d47a547b55d07c03b2789243a27c5516e5fd930a20e5bade69ff72db5afa040b04205493b20cb
- SSDEEP
  
  98304:yo+BLKm54bo+f1XhdeQ9jVRUgwuZnQtgmqQI81pPQ92RSM6r+rNnYi:yo+ZKmqo4rLfUpuWJI81pqnQyi
Score

10^/10

cryptbot nullmixer privateloader vidar aspackv2 discovery dropper evasion execution loader spyware stealer themida trojan
- CryptBot
  CryptBot is a C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- CryptBot payload
- Cryptbot family
  cryptbot
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  setup_installer.exe
- Size
  
  5.7MB
- MD5
  
  fc9162ddfff7da3cb4803548b6e660fc
- SHA1
  
  cf432e387ea0e74dda16707bd89d5569ac652783
- SHA256
  
  466ee2d5941bdc11323d6621225a59df9b8199d2ab95febdcc650213cb1523c6
- SHA512
  
  a40181bd048df6b10c6825b2ca7b21c9b3635df3ef695776956664933e806283041e27de6e652ac13ba20a1c1f27b5ad577542d8af136e69ae1577a8eacf9347
- SSDEEP
  
  98304:xWCvLUBsgnBSXBPFPP1eRahv4e3pol8xT/aO9PzFO/1dxpVWzpJFdb5IInhyThb/:xfLUCgBQB9P9B5Jn/aQMrxpkzpJfq0hA
Score

10^/10

cryptbot nullmixer privateloader vidar aspackv2 discovery dropper evasion execution loader spyware stealer themida trojan
- CryptBot
  CryptBot is a C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- CryptBot payload
- Cryptbot family
  cryptbot
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4