Overview

overview

Static

static

main_setup_x86x64.exe

windows10_x64

Resubmissions

03-07-2021 16:35

210703-cwatrnq5as 10

03-07-2021 16:30

210703-q8f21sleh2 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    main_setup_x86x64 sample.zip

  • Size

    3.7MB

  • Sample

    210703-q8f21sleh2

  • MD5

    5dffcf661e97e437667afa441b80c8e1

  • SHA1

    d1d4fa74d351237f95ab0d17d6663bfc13cdd9da

  • SHA256

    edbef1ff8b32d420c7194a09a1b5872498ed086194a54df430a65686d07c5224

  • SHA512

    dc62d708a9386089e642f9bd808b0fe2a33d88d11fb4fab97e909f7e5b85ada1b6935b0c6d82ef3323f6bd7b9f7c6a7e3139e26b5496f85609adae792f938f4c

Score
10/10
asyncratredlinesmokeloadervidarcanaaspackv2backdoorinfostealerratstealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

Cana

C2

176.111.174.254:56328

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Extracted

Family

asyncrat

Version

0.5.7B

C2

null:null

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    3htbU7p8VLsbVqyiXfg3CvefpcBeyVlh

  • anti_detection

    true

  • autorun

    true

  • bdos

    false

  • delay

    Default

  • host

    null

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    https://pastebin.com/raw/xV7ZAURy

  • port

    null

  • version

    0.5.7B

aes.plain

Targets

    • Target

      main_setup_x86x64.exe

    • Size

      3.7MB

    • MD5

      864f64374dfb7e44d8129a27a85d9e2d

    • SHA1

      1b9b3ba877ad016a80cf1559f2b3ca441acba801

    • SHA256

      e780ff4870108ce42d51f95cdccdf38adbbbd1a89373e9390d4f133d77039146

    • SHA512

      c4a82f0cd266d9ccf33f097f85e0df752f121c6c023da51d354c20e5bb27512393b59b228286fe9bdc72b31b221787731bb274ff062c02c5ee6bbc6f69d3bf85

    Score
    10/10
    asyncratredlinesmokeloadervidarcanaaspackv2backdoorinfostealerratstealertrojanupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Async RAT payload

      rat

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks