General

  • Target: b95cb76cec0b0c88a409403518559fb3.exe
  • Size: 153KB
  • Sample: 220125-tf9rwaadfr
  • MD5: b95cb76cec0b0c88a409403518559fb3
  • SHA1: 7692607a52ada1a447913d1990628c13e22f4b04
  • SHA256: ba2c8fcdef3c1675e57b94c9a7b04088a68d98110cf1ddf509eae437f731b138
  • SHA512: 33fa4970b8d272209a39c1afe23f601f4dd146596cb28e2f830df8328ba2d4455ae801817062405148e6b5faae4773828e674740cc65bf46f37a7c5a99d4bc79

Malware Config

Extracted

  Family: asyncrat
  Version: 1.0.7
  Botnet: Default
  C2: null:null
  Mutex: DcRatMutex
  Attributes
    • anti_vm: false
    • bsod: true
    • delay: 1
    • install: true
    • install_file: RuntimeBroker.exe
    • install_folder: %AppData%
    • pastebin_config: https://pastebin.com/raw/SctPUR4x
  aes.plain

Extracted

  Family: redline
  Botnet: cheat
  C2: rat3000.ddns.net:56698

Targets

    • Target: b95cb76cec0b0c88a409403518559fb3.exe
    • AsyncRat
      AsyncRAT is designed to remotely monitor and control other computers.

    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Async RAT payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task                 1      T1053
  Persistence           Scheduled Task                 1      T1053
  Privilege Escalation  Scheduled Task                 1      T1053
  Credential Access     Credentials in Files           2      T1081
  Discovery             Query Registry                 1      T1012
  Discovery             System Information Discovery   1      T1082
  Collection            Data from Local System         2      T1005
  Command and Control   Web Service                    1      T1102

Tasks