Scrubcrypt

Malware updated 3 months ago (2024-08-14T09:34:23.795Z)
ScrubCrypt is a sophisticated malware used as a delivery mechanism for other malicious software, notably VenomRAT. It reaches systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, ScrubCrypt can disrupt operations, steal personal information, and even hold data hostage for ransom. Its components include a batch file named "pointer.cmd", the ScrubCrypt batch file, and it employs multiple layers of obfuscation and evasion techniques to avoid detection.

In April, FortiGuard Labs uncovered an intricate attack involving ScrubCrypt, in which the malware was leveraged to distribute and execute VenomRAT. The process involved several steps: first, the ScrubCrypt .NET file loaded Remcos from resource data "P"; then the Guloader PowerShell was employed. The Remcos configuration was RC4-encrypted in the "SETTINGS" resource, and the decrypted data was shown subsequently. This Remcos plugin was distributed through VenomRAT's C2 using three methods: an obfuscated VBS script named "remcos.vbs", ScrubCrypt itself, and Guloader PowerShell. Notably, the developers of Jlaive, BatCloak, CryBat, Exe2Bat, ScrubCrypt, and a social media distributor acknowledged their involvement on the SeroXen website. As a result, ScrubCrypt has been repeatedly linked to the distribution of VenomRAT and other malicious plugins, raising significant cybersecurity concerns.
Description last updated: 2024-08-14T08:47:53.671Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names / profiles that may also be relevant.
Alias | Description | Votes
Batcloak (possible alias for Scrubcrypt) | BatCloak is a fully undetectable (FUD) malware obfuscation engine that has been used by threat actors to stealthily deliver their malware since September 2022. The BatCloak engine was initially part of an FUD builder named Jlaive, which began circulating in 2022. Although the Jlaive code repository | 3
Jlaive (possible alias for Scrubcrypt) | Jlaive is a malware that began circulating in 2022, primarily known for its obfuscation algorithm powered by the BatCloak engine. The malware was designed to evade antivirus software by converting executables into undetectable batch files. The creator, identified as ch2sh, made significant contribut | 2
Seroxen (possible alias for Scrubcrypt) | SeroXen is a potent malware that has been discovered in malicious NuGet packages, infecting developer systems. The Remote Access Trojan (RAT) was first identified by the DevSecOps company Phylum and is being delivered through typosquatted NuGet packages. Additionally, SeroXen has been found to targe | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Antivirus
Fortiguard
Crypter
Fraud
Associated Malware
Malware | Description | Association Type | Votes
Venomrat | VenomRAT is a sophisticated piece of malware that was discovered by security researchers, designed to exploit and damage computer systems. The malicious software infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal | Unspecified | 4
Redline Stealer | The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s | Unspecified | 3
Redline | RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It often infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. RedLine has been favored by threat actor | Unspecified | 2
Smokeloader | SmokeLoader is a malicious software (malware) that acts as a loader for other malware, injecting malicious code into the currently running explorer process and downloading additional payloads to the system. It has been used in conjunction with Phobos ransomware by threat actors who exploit its funct | Unspecified | 2
Source Document References
Information about the Scrubcrypt malware was read from the document corpus below. This display is limited to 20 results.
Source | Created
Securityaffairs | 3 months ago
Fortinet | 3 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 5 months ago
Securityaffairs | 5 months ago
Securityaffairs | 5 months ago
Securityaffairs | 6 months ago
Securityaffairs | 7 months ago
Securityaffairs | 7 months ago
Securityaffairs | 7 months ago
DARKReading | 7 months ago
Securityaffairs | 7 months ago
Fortinet | 7 months ago
Trend Micro | a year ago
CERT-EU | a year ago
CERT-EU | a year ago