Scrubcrypt

Malware Profile Updated 8 days ago
ScrubCrypt is a sophisticated malware that has been identified as a significant threat in the cybersecurity landscape. It operates as part of an intricate system of harmful software, including VenomRAT and various malicious plugins, designed to exploit and damage computer systems. The malware infiltrates devices through deceptive downloads, emails, or websites, often without the user's knowledge. Once inside, ScrubCrypt can disrupt operations, steal personal data, or even hold user data hostage for ransom. ScrubCrypt has been acknowledged by the developers of other notable malware such as Jlaive, BatCloak, CryBat, and Exe2Bat, and by social media distributors on the SeroXen website.

In the observed infection chain, the "pointer.cmd" file is the ScrubCrypt batch file; it decrypts the payloads carried by the malware. ScrubCrypt's .NET file then loads Remcos from resource data labeled "P", and the GuLoader PowerShell handles the configuration for Remcos. This configuration is RC4 encrypted in the "SETTINGS" resource, and the decrypted data appears only in subsequent stages of the malware's execution. This multi-stage process reflects the advanced nature of the malware and its potential to cause significant harm.

ScrubCrypt is notably used to drop VenomRAT along with numerous malicious plugins, as reported by multiple sources. The Remcos plugin was distributed from VenomRAT's C2 using three methods: an obfuscated VBS script named "remcos.vbs", ScrubCrypt itself, and GuLoader PowerShell. ScrubCrypt is also part of a broader suite of obfuscation projects, including CryBat, Exe2Bat, and SeroXen. Its development and deployment are indicative of a larger trend in the malware industry towards more sophisticated and multi-faceted threats.
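The profile notes that the Remcos configuration sits RC4-encrypted in the "SETTINGS" resource and only appears in clear at a later stage. The Python below is an added example, not code from this page or from any of the cited vendor reports: it implements RC4 so an analyst can recover such a blob offline from a dumped resource, and adds a printable-text check that flags a wrong candidate key. The key, the configuration fields and the host name are constructed placeholders; no value is taken from a real sample.

```python
"""Recovering an RC4-encrypted configuration blob dumped from a .NET resource.

Added example (not the page's or any vendor's code). It assumes the analyst
has already extracted the raw bytes of the encrypted resource and has a
candidate key; the key and resource bytes below are constructed.
"""
from typing import Iterator, Optional


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield the RC4 keystream for `key` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm: permute S using the key bytes.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: one keystream byte per iteration.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or common whitespace.

    A wrong key yields byte soup, so a high ratio is a quick sanity check
    that a candidate key really recovered a textual configuration.
    """
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def decrypt_resource(resource: bytes, key: bytes,
                     min_ratio: float = 0.9) -> Optional[bytes]:
    """Decrypt a dumped resource; return plaintext only if it looks like text."""
    plain = rc4(key, resource)
    return plain if printable_ratio(plain) >= min_ratio else None


# Constructed sample: a placeholder config encrypted under a made-up key.
# Neither the key nor the fields come from any real sample.
SAMPLE_KEY = b"example-resource-key"
SAMPLE_CONFIG = b"Host:c2.example.invalid\r\nPort:443\r\nMutex:PLACEHOLDER\r\n"
SAMPLE_RESOURCE = rc4(SAMPLE_KEY, SAMPLE_CONFIG)  # what a resource dump would hold


if __name__ == "__main__":
    # Public RC4 test vector (key "Key", plaintext "Plaintext").
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    recovered = decrypt_resource(SAMPLE_RESOURCE, SAMPLE_KEY)
    print(recovered.decode())
    # A wrong key is rejected by the printable-text check.
    print(decrypt_resource(SAMPLE_RESOURCE, b"wrong-key"))
```

The printable-text threshold is a heuristic for configurations stored as text; a binary or compressed configuration would need a different validity check (for example a known magic header) in place of `printable_ratio`.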
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Batcloak | 3 | BatCloak is a fully undetectable (FUD) malware obfuscation engine that has been used by threat actors to stealthily deliver their malware since September 2022. The BatCloak engine was initially part of an FUD builder named Jlaive, which began circulating in 2022. Although the Jlaive code repository
Jlaive | 2 | Jlaive is a malware that began circulating in 2022, primarily known for its obfuscation algorithm powered by the BatCloak engine. The malware was designed to evade antivirus software by converting executables into undetectable batch files. The creator, identified as ch2sh, made significant contribut
Seroxen | 2 | SeroXen is a potent malware that has been discovered in malicious NuGet packages, infecting developer systems. The Remote Access Trojan (RAT) was first identified by the DevSecOps company Phylum and is being delivered through typosquatted NuGet packages. Additionally, SeroXen has been found to targe
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Malware
Antivirus
Fortiguard
Crypter
Fraud
exploitation
Encrypt
Remcos
Exploit
Rat
Trojan
Windows
Fortinet
Ransomware
Encryption
Associated Malware
ID | Type | Votes | Profile Description
Venomrat | Unspecified | 4 | VenomRAT is a malicious software (malware) that poses significant threats to computer systems and devices. It can infiltrate systems through dubious downloads, emails, or websites, often without the user's knowledge. Once installed, VenomRAT can steal personal information, disrupt operations, or eve
Redline Stealer | Unspecified | 3 | RedLine Stealer is a malicious software that was used to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. In July 2023, Unit 42 conducted an analysis of a RedLine Stealer infection using Wireshark, a network protocol analyzer. The analysis in
Redline | Unspecified | 2 | RedLine is a notorious malware, discovered in March 2020, designed to exploit computer systems and steal sensitive personal information such as login credentials, cryptocurrency wallets, and financial data. It exports this stolen data to its command-and-control infrastructure. The malware has been u
Smokeloader | Unspecified | 2 | SmokeLoader is a malicious software (malware) that has been extensively used by threat actors, particularly those associated with the Phobos ransomware. It functions as a backdoor trojan, often arriving on victims' systems via spoofed email attachments embedded with hidden payloads. Once downloaded,
Amadey | Unspecified | 1 | Amadey is a malicious software (malware) that has been found to be used in conjunction with other malware such as Remcos, GuLoader, and Formbook. Analysis of the infection chains revealed that the individual behind the sales of Remcos and GuLoader also uses Amadey and Formbook, using GuLoader as a p
Acecryptor | Unspecified | 1 | AceCryptor is a prevalent malware crypter in the current digital landscape, recognized for its ability to help other malicious software evade detection. In recent research, we've identified 279 domains hosted on dedicated AceCryptor IP addresses, with 17 of these domains flagged as malicious by bulk
Snip3 | Unspecified | 1 | None
AsyncRAT | Unspecified | 1 | AsyncRAT is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Once the executable loads http_dll.dll, the DL
GuLoader | Unspecified | 1 | GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Scrubcrypt malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | a day ago | Security Affairs Malware Newsletter - Round 3
Securityaffairs | 2 days ago | Security Affairs Malware Newsletter - Round 3
Securityaffairs | 8 days ago | Security Affairs Malware Newsletter - Round 2
Securityaffairs | 16 days ago | Security Affairs Malware Newsletter - Round 1
Securityaffairs | 23 days ago | Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | a month ago | Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | a month ago | Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 2 months ago | Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading | 3 months ago | Cagey Phishing Attack Drops Multiple RATs to Steal Data
Securityaffairs | 3 months ago | ScrubCrypt used to drop VenomRAT along with many malicious plugins
Fortinet | 3 months ago | ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins | FortiGuard Labs
Trend Micro | a year ago | SeroXen Incorporates Latest BatCloak Engine Iteration
CERT-EU | a year ago | New Mystic Stealer Malware Targets 40 Web Browsers and 70 Browser Extensions
CERT-EU | a year ago | Obfuscation tool 'BatCloak' can evade 80% of AV engines
CERT-EU | a year ago | The Good, the Bad and the Ugly in Cybersecurity - Week 24 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | a year ago | Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data