General

  • Target

    1.zip

  • Size

    20.8MB

  • Sample

    210708-bakvbc7rn2

  • MD5

    36b2834c2743039c4df1ce9346886c13

  • SHA1

    1ee1736c4e2aae820b4d6cd80e43fea0ed6eadc6

  • SHA256

    4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409

  • SHA512

    43dc749e7002f1ba08b7066e737523a8eaf69365eb148946d6f317234a2eff010307b4210d744a23a7d8641b72ba31fe8735dfcd6d0421537c8ba1293389cd73

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

C2

95.169.210.148:6666

Mutex

bavaulifmjawicwh

Attributes
  • aes_key

    l6KJQkyiHsJtyKPS6LFzkS17gqJqr3T8

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

  • host

    95.169.210.148

  • hwid

    5

  • install_file

  • install_folder

    %AppData%

  • mutex

    bavaulifmjawicwh

  • pastebin_config

    null

  • port

    6666

  • version

    0.5.6A

aes.plain

Extracted

Family

redline

Botnet

@Seno_47

C2

45.81.227.32:22625

Extracted

Family

redline

Botnet

@Fanat_022

C2

152.228.150.198:11188

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

Sergey

C2

185.203.243.131:27365

Targets

    • Target

      1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98

    • Size

      1.0MB

    • MD5

      0d52c34732339d12e58c62cdcbcd2241

    • SHA1

      b00a95fe388a69d375b4e370fa5112dda61c2ede

    • SHA256

      1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98

    • SHA512

      4da5f2b48663a183cc46799c02179bd5bc84a71993387742984a5c76ca92d4c7aec60d25efe758636a1a006ba8a4032a6e7763c48e9515801db8be6a98d6a3de

    Score
    10/10
    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6

    • Size

      541KB

    • MD5

      616b97038b6328ae6e45a08077df4a7a

    • SHA1

      11473c1f0515f06579e7704dc036bbc620c7510a

    • SHA256

      236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6

    • SHA512

      4730733b4be691840fa1905fc4bfeeeba7ebb06e10d24cfe78a285a3e518a2f2ba31bbc378cda68edf4311df322fd137ed1f65d4b844737e9f0df547506c04e0

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560

    • Size

      405KB

    • MD5

      bf2e00fc28e5f89ec6b3b457a5a245fb

    • SHA1

      d42962e2e987c4cd8201badf832f3368afb09d24

    • SHA256

      25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560

    • SHA512

      e1f61fec329fab9f0bd997e7b34945e156475a53531c30630a03c550e60c029627e5697c5efb6a0a81b2bc23e178264aabfb26c8b68153d7107d367035730b2a

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9

    • Size

      15.7MB

    • MD5

      79339229bc0c59d7b5abba71d1c96a8e

    • SHA1

      4c7c22308821a08edeacebe691da49249384de9d

    • SHA256

      54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9

    • SHA512

      a173e48fb0cb08705e56468ffc0a6845b03b261e98d282815eebdf77f482064a9c89f84ada89ef3aa994d0727db34629ff51e021bbcf8abd6fac5354ce295af2

    Score
    1/10
    • Target

      7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4

    • Size

      4.5MB

    • MD5

      dde0965428c655c1fabbcba5a44e7830

    • SHA1

      b5118f55982bf9784bb34a3f0af738f7d409a5ff

    • SHA256

      7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4

    • SHA512

      f6b83ff23e0e7102a69bf43e723f312acb0bbf95e04d7386513cc2c5b2f9e160f0f38b179688702675ecb7c4a0782fad1f007f3db59c2104aa08a7cdcc6b2e13

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Target

      9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0

    • Size

      359KB

    • MD5

      f476fd152a5d6a53f297517f9ffca28e

    • SHA1

      a0bc4cb4763de9f540fca4f97835522620087e17

    • SHA256

      9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0

    • SHA512

      56f683733356faa4be86883e3248ab70884c645e61dedc7ceba64eefa4813b2fda04d102e7b8c5794093f2c5918049900da987b2e235764e4ea87e78224003dc

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Suspicious use of SetThreadContext

    • Target

      a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b

    • Size

      83KB

    • MD5

      4ed7de390496be3ec2ea7fdb3804282a

    • SHA1

      2c919d469853fac9a7719f59407b395e8e360a49

    • SHA256

      a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b

    • SHA512

      5716a8d9d86f9b1f1ad53f3fca96b5622b83ede56d370edc309a503263ad52b542b29e5d74810aed013e9f2e00b77b8c54d81aa0b43c77bfdf5bc7227251bd86

    Score
    8/10
    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Target

      aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337

    • Size

      206KB

    • MD5

      70c771952bc897446d3ddad90541a1e6

    • SHA1

      b00b50a893e4552651c4a5c38cf4bb9aed7a101e

    • SHA256

      aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337

    • SHA512

      33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

    • Modifies visibility of hidden/system files in Explorer

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827

    • Size

      48KB

    • MD5

      13ed5f6560bb91d089f56bd4ca015ff0

    • SHA1

      f43cd2a78815c1ca4091207a8f36cc68398550bf

    • SHA256

      d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827

    • SHA512

      5d6adf163ca3e18691fc0b34ce1b8277a540e93cb387ae7813bc1dbc84d2c75ca8ff462e67083c08ae4f3cdfdfb1f2671cdd30738f6bbf824b2a93bda7043ad2

    Score
    10/10
    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

MITRE ATT&CK Matrix ATT&CK v6

Tactic                 Technique                             Count   ID
Execution              Scheduled Task                        2       T1053
Persistence            Scheduled Task                        2       T1053
Persistence            Modify Existing Service               1       T1031
Persistence            Hidden Files and Directories          1       T1158
Persistence            Registry Run Keys / Startup Folder    1       T1060
Privilege Escalation   Scheduled Task                        2       T1053
Defense Evasion        Install Root Certificate              1       T1130
Defense Evasion        Modify Registry                       3       T1112
Defense Evasion        Hidden Files and Directories          1       T1158
Credential Access      Credentials in Files                  3       T1081
Discovery              System Information Discovery          4       T1082
Discovery              Query Registry                        1       T1012
Collection             Data from Local System                3       T1005

Tasks

Task           Tags                                                          Score
static1        rat, asyncrat                                                 10/10
behavioral1    echelon, spyware, stealer                                     10/10
behavioral2    spyware, stealer                                              7/10
behavioral3    redline, @seno_47, infostealer                                10/10
behavioral4    redline, @seno_47, infostealer                                10/10
behavioral5    redline, @fanat_022, discovery, infostealer, spyware, stealer 10/10
behavioral6    redline, @fanat_022, discovery, infostealer, spyware, stealer 10/10
behavioral7    (no tags)                                                     1/10
behavioral8    (no tags)                                                     1/10
behavioral9    glupteba, metasploit, backdoor, dropper, loader, trojan       10/10
behavioral10   glupteba, metasploit, backdoor, dropper, loader, trojan       10/10
behavioral11   redline, sergey, infostealer                                  10/10
behavioral12   redline, sergey, infostealer                                  10/10
behavioral13   evasion                                                       8/10
behavioral14   evasion                                                       8/10
behavioral15   evasion, persistence                                          10/10
behavioral16   xmrig, evasion, miner, persistence                            10/10
behavioral17   asyncrat, rat                                                 10/10
behavioral18   asyncrat, rat                                                 10/10