General
Static task
static1
URLScan task
urlscan1
Sample
https://anonfiles.com/L8keN1h0xa/ALL_IN_ONE_CHECKER_COLLECTION_zip
Malware Config
Extracted
| Family |
asyncrat |
| Version |
1.0.7 |
| Botnet |
s33s4w |
| C2 |
null:null |
| Attributes |
anti_vm false
bsod false
delay 1
install true
install_file chrome_update.exe
install_folder %AppData%
pastebin_config https://pastebin.com/raw/REMiDqQN |
| aes.plain |
|
Extracted
| Family |
quasar |
| Version |
1.4.0 |
| Botnet |
THJAY |
| C2 |
s33s4wqsr-31933.portmap.host:31933 |
| Attributes |
encryption_key 2138DB726B457D142BA520FA40476B7B3909D03A
install_name services.exe
log_directory Logs
reconnect_delay 3000
startup_key svhost
subdirectory svhost |
Extracted
| Family |
cobaltstrike |
| Botnet |
305419896 |
| C2 |
http://rerddrrdrd-45837.portmap.host:45837/dpixel |
| Attributes |
access_type 512
host rerddrrdrd-45837.portmap.host,/dpixel
http_header1 AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2 AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1 GET
http_method2 POST
maxdns 255
polling_time 60000
port_number 45837
sc_process32 %windir%\syswow64\rundll32.exe
sc_process64 %windir%\sysnative\rundll32.exe
state_machine MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCA+o3FnsObc9SVI8ZAwc36u7DwsV6UPyQpwMNghiyTj7R0UjoBFvLqcYd/JCGPyFzZWQF80PmH7EQ6cxpNKaeo/hMS0u2s6Kc2UV0SDI97XgAIt0A+41EUNTZ/IjxHTsLAkTwd7ebBEktQidwq7D7zfOJACaWQ70uDmPUudcHy7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1 4096
unknown2 AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri /submit.php
user_agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
watermark 305419896 |
Extracted
| Family |
cobaltstrike |
| Botnet |
0 |
| Attributes |
watermark 0 |
Extracted
| Family |
redline |
| Botnet |
cheat |
| C2 |
s33s4wredline-50318.portmap.host:50318 |
Targets
-
-
Target
https://anonfiles.com/L8keN1h0xa/ALL_IN_ONE_CHECKER_COLLECTION_zip
-
Modifies system executable filetype association
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Quasar Payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Async RAT payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation