General

  • Target

    https://anonfiles.com/L8keN1h0xa/ALL_IN_ONE_CHECKER_COLLECTION_zip

  • Sample

    211230-k4b13sffh8

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

s33s4w

C2

null:null

Attributes

anti_vm: false
bsod: false
delay: 1
install: true
install_file: chrome_update.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/REMiDqQN
aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

THJAY

C2

s33s4wqsr-31933.portmap.host:31933

Attributes

encryption_key: 2138DB726B457D142BA520FA40476B7B3909D03A
install_name: services.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svhost
subdirectory: svhost

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://rerddrrdrd-45837.portmap.host:45837/dpixel

Attributes

access_type: 512
host: rerddrrdrd-45837.portmap.host,/dpixel
http_header1: AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
polling_time: 60000
port_number: 45837
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCA+o3FnsObc9SVI8ZAwc36u7DwsV6UPyQpwMNghiyTj7R0UjoBFvLqcYd/JCGPyFzZWQF80PmH7EQ6cxpNKaeo/hMS0u2s6Kc2UV0SDI97XgAIt0A+41EUNTZ/IjxHTsLAkTwd7ebBEktQidwq7D7zfOJACaWQ70uDmPUudcHy7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /submit.php
user_agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
watermark: 305419896

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark: 0

Extracted

Family

redline

Botnet

cheat

C2

s33s4wredline-50318.portmap.host:50318

Targets

    • Target

      https://anonfiles.com/L8keN1h0xa/ALL_IN_ONE_CHECKER_COLLECTION_zip

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family infects other files in order to spread itself and cause damage.

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Async RAT payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

  • Command and Control

  • Credential Access

  • Defense Evasion

  • Execution

  • Exfiltration

  • Impact

  • Initial Access

  • Lateral Movement

  • Privilege Escalation