win.crackedcantil (Back to overview)

CrackedCantil


According to ANY.RUN, this is a dropper for win.privateloader and its execution will lead to a cascade of downloads with a large variety of additional malware.
The families include more loaders, information stealers, cryptominers, a proxy bot, and ultimately also ransomware.
The execution order is orchestrated; for example, data is stolen and exfiltrated before encryption takes place.
It is distributed via advertised cracked software, e.g. IDA Pro.

References
2024-09-27Virus BulletinLena Yu
CrackedCantil: A Malware Symphony Delivered By Cracked Software; Performed By Loaders, Infostealers, Ransomware, Et Al.
CrackedCantil
2024-02-06The Hacker NewsNewsroom
Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials
CrackedCantil Phemedrone Stealer
2024-02-05PCriskTomas Meskauskas
How to remove CrackedCantil from the operating system
CrackedCantil
2024-02-04InfostealersLambdaMamba
CrackedCantil: A Malware Symphony Breakdown
CrackedCantil
2024-02-03CloudsekPavan Karthick M
From Discussion Forums to Malware Mayhem: The Alarming Rise of Abuse on Google Groups and Usenet
CrackedCantil
2024-02-02GridinsoftStephanie Adlam
CrackedCantil Dropper Delivers Numerous Malware
CrackedCantil
2024-02-01Medium g0njxag0njxa
Installskey Rewind 2023
CrackedCantil
2024-01-31AlienVault OTXAlienVault
OTX Pulse - CrackedCantil: Malware Work Together
CrackedCantil
2024-01-31IBM X-Force ExchangeIBM Security X-Force Team
CrackedCantil: A Malware Symphony Breakdown
CrackedCantil
2024-01-30ANY.RUNLena (LambdaMamba)
CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP
Amadey CrackedCantil Lumma Stealer PrivateLoader RedLine Stealer RisePro SmokeLoader Socks5 Systemz Stealc STOP
Yara Rules
[TLP:WHITE] win_crackedcantil_auto (20260504 | Detects win.crackedcantil.)
rule win_crackedcantil_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.crackedcantil."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crackedcantil"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on reading this rule:
     *  - Each $sequence_N is a run of raw opcode bytes. The `????` wildcards
     *    stand in for the 4-byte rel32 operand of call (e8) / jmp (e9)
     *    instructions, which differs between builds, so only the opcode byte
     *    is pinned there.
     *  - The `//` disassembly annotations under each sequence are NOT a
     *    reliable decoding of the bytes beside them: the same byte string is
     *    annotated differently in different places (compare `f30f6f00` in
     *    $sequence_0 and $sequence_4, or the two `f3aa` lines in $sequence_6).
     *    Treat the hex as the signature and the annotations as generator noise;
     *    do not tune the rule based on the annotated mnemonics.
     *  - Leading bytes in the 0x40-0x4f range (e.g. `4883ec20`, `488b...`,
     *    `4e89...`) are REX prefixes, which suggests the source sample is
     *    64-bit code. NOTE(review): confirm against the referenced sample.
     *  - Per the disclaimer above, the sequences come from memory dumps and
     *    unpacked files, so matches are expected on unpacked payloads or
     *    process memory rather than on a packed dropper as delivered.
     */

    strings:
        $sequence_0 = { f30f6f00 660f7f8424708c0000 660f6f8424708c0000 660fef8424808c0000 660f7f8424908c0000 488b842490250000 660f6f8424908c0000 }
            // n = 7, score = 100
            //   f30f6f00             | lea                 eax, [esp + 0x218]
            //   660f7f8424708c0000     | mov    byte ptr [esp + 0x268], al
            //   660f6f8424708c0000     | dec    eax
            //   660fef8424808c0000     | mov    eax, 0xabc70803
            //   660f7f8424908c0000     | dec    edx
            //   488b842490250000     | add                 eax, 0x8948f3fb
            //   660f6f8424908c0000     | test    byte ptr [eax + ebp*4], ah

        $sequence_1 = { e9???????? 8b8424e8000000 8b8c2490000000 03c8 8bc1 488b8c2498000000 894108 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b8424e8000000       | arpl                word ptr [esp + 0x94], ax
            //   8b8c2490000000       | dec                 eax
            //   03c8                 | mov                 ecx, dword ptr [esp + 0xb8]
            //   8bc1                 | mov                 edx, dword ptr [esp + 0x70]
            //   488b8c2498000000     | and                 eax, 1
            //   894108               | test                eax, eax

        $sequence_2 = { e8???????? 4e89a424a5f27fe8 4a8bac24b5f27fe8 4e89a42495f27fe8 e8???????? 80ea3e f6d2 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4e89a424a5f27fe8     | mov                 eax, dword ptr [eax + 0x10]
            //   4a8bac24b5f27fe8     | jbe                 0x34e
            //   4e89a42495f27fe8     | cmp                 cl, 3
            //   e8????????           |                     
            //   80ea3e               | ja                  0x3af
            //   f6d2                 | dec                 eax

        $sequence_3 = { e8???????? 89842404030000 b904000000 486bc905 8b8c0ce8030000 e8???????? 8b8c2404030000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   89842404030000       | add                 eax, ebx
            //   b904000000           | pop                 ebx
            //   486bc905             | sub                 dword ptr [esp], 0x3b3f6b26
            //   8b8c0ce8030000       | dec                 eax
            //   e8????????           |                     
            //   8b8c2404030000       | mov                 eax, dword ptr [esp]

        $sequence_4 = { f30f6f00 660f7f8424c0580000 660f6f8424c0580000 660fef8424d0580000 660f7f8424e0580000 488b842448270000 660f6f8424e0580000 }
            // n = 7, score = 100
            //   f30f6f00             | movdqa              xmm0, xmmword ptr [esp + 0x88b0]
            //   660f7f8424c0580000     | mov    byte ptr [esp + 0x5c0], al
            //   660f6f8424c0580000     | movdqa    xmm0, xmmword ptr [esp + 0x1bd0]
            //   660fef8424d0580000     | movdqa    xmmword ptr [esp + 0x10a0], xmm0
            //   660f7f8424e0580000     | dec    eax
            //   488b842448270000     | mov                 eax, dword ptr [esp + 0x730]
            //   660f6f8424e0580000     | movdqu    xmm0, xmmword ptr [eax]

        $sequence_5 = { c3 4055 4883ec20 488bea 488d8d50150000 e8???????? 4883c420 }
            // n = 7, score = 100
            //   c3                   | mov                 dword ptr [esp], esi
            //   4055                 | pop                 dword ptr [esp]
            //   4883ec20             | dec                 eax
            //   488bea               | mov                 esi, esi
            //   488d8d50150000       | push                esi
            //   e8????????           |                     
            //   4883c420             | dec                 eax

        $sequence_6 = { f3aa 488d8424c9000000 488bf8 33c0 b901000000 f3aa 0fb68424c7000000 }
            // n = 7, score = 100
            //   f3aa                 | mov                 ecx, dword ptr [esp + 0x4c]
            //   488d8424c9000000     | mov                 dword ptr [esp + 0x20], ecx
            //   488bf8               | inc                 ebp
            //   33c0                 | xor                 ecx, ecx
            //   b901000000           | inc                 esp
            //   f3aa                 | mov                 eax, eax
            //   0fb68424c7000000     | mov                 edx, 0x1d

        $sequence_7 = { ffc8 89842438010000 83bc240801000002 0f85c8000000 488b442440 8b402c 83e001 }
            // n = 7, score = 100
            //   ffc8                 | mov                 edx, dword ptr [esp + 0x5f30]
            //   89842438010000       | dec                 eax
            //   83bc240801000002     | lea                 ecx, [esp + 0xd8f0]
            //   0f85c8000000         | movzx               eax, al
            //   488b442440           | mov                 eax, dword ptr [esp + 0x3c]
            //   8b402c               | or                  eax, 0x10
            //   83e001               | mov                 dword ptr [esp + 0x3c], eax

        $sequence_8 = { ff742400 9d 488d642408 e8???????? 0f05 e8???????? 48c7442400d1a719a7 }
            // n = 7, score = 100
            //   ff742400             | dec                 eax
            //   9d                   | xor                 ecx, esp
            //   488d642408           | mov                 eax, dword ptr [eax + 0xc]
            //   e8????????           |                     
            //   0f05                 | btr                 eax, 8
            //   e8????????           |                     
            //   48c7442400d1a719a7     | dec    eax

        $sequence_9 = { e8???????? 90 488d842448b50000 4889842440530000 488d8424f5020000 488bf8 33c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   90                   | or                  ebx, 0x5f7b40be
            //   488d842448b50000     | or                  ebp, 0x7dbfc566
            //   4889842440530000     | not                 ebp
            //   488d8424f5020000     | shl                 ebp, 3
            //   488bf8               | dec                 ebp
            //   33c0                 | add                 ebp, 0x7fff05d7

    condition:
        // Requires 7 of the 10 byte sequences above, so up to three may be
        // absent (e.g. compiler layout changes) before the rule stops firing.
        // The filesize ceiling (37863424 bytes, roughly 36 MiB) bounds which
        // files are scanned. NOTE(review): this looks like a generator-chosen
        // scan-cost limit rather than a trait of the family — confirm before
        // lowering it, as unpacked dumps and memory images can be large.
        7 of them and filesize < 37863424
}