Overview

overview

10

Static

static

b95cb76cec...b3.exe

windows7_x64

10

b95cb76cec...b3.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    160s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    25-01-2022 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b95cb76cec0b0c88a409403518559fb3.exe

  • Size

    153KB

  • MD5

    b95cb76cec0b0c88a409403518559fb3

  • SHA1

    7692607a52ada1a447913d1990628c13e22f4b04

  • SHA256

    ba2c8fcdef3c1675e57b94c9a7b04088a68d98110cf1ddf509eae437f731b138

  • SHA512

    33fa4970b8d272209a39c1afe23f601f4dd146596cb28e2f830df8328ba2d4455ae801817062405148e6b5faae4773828e674740cc65bf46f37a7c5a99d4bc79

Score
10/10
asyncratredlinecheatdefaultdiscoveryinfostealerratspywarestealer

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

null:null

Mutex

DcRatMutex

Attributes
  • anti_vm

    false

  • bsod

    true

  • delay

    1

  • install

    true

  • install_file

    RuntimeBroker.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/SctPUR4x

aes.plain

Extracted

Family

redline

Botnet

cheat

C2

rat3000.ddns.net:56698

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Async RAT payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b95cb76cec0b0c88a409403518559fb3.exe
    "C:\Users\Admin\AppData\Local\Temp\b95cb76cec0b0c88a409403518559fb3.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4292
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:788
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7BC.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4464
      • C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
        "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7BC.tmp.bat
    MD5

    54177b88599c5fa637ad040507710daa

    SHA1

    3ead2caa208d63c0e2b924cd011e97c1367a684b

    SHA256

    8f98cf8308c638b1e04d6287ec5cf3d78a9bb6d07c62e72b8df45e4c19941473

    SHA512

    8f371abd861ac9c33932684b5c2f06fecda8610ae4f457041e8989a448a91ae1d04c9620c58fdb3b0e76f246a280cf3c7220033d4e52738cabb19963b387df68

    Download Submit
  • C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    MD5

    b95cb76cec0b0c88a409403518559fb3

    SHA1

    7692607a52ada1a447913d1990628c13e22f4b04

    SHA256

    ba2c8fcdef3c1675e57b94c9a7b04088a68d98110cf1ddf509eae437f731b138

    SHA512

    33fa4970b8d272209a39c1afe23f601f4dd146596cb28e2f830df8328ba2d4455ae801817062405148e6b5faae4773828e674740cc65bf46f37a7c5a99d4bc79

    Download Submit
  • C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    MD5

    b95cb76cec0b0c88a409403518559fb3

    SHA1

    7692607a52ada1a447913d1990628c13e22f4b04

    SHA256

    ba2c8fcdef3c1675e57b94c9a7b04088a68d98110cf1ddf509eae437f731b138

    SHA512

    33fa4970b8d272209a39c1afe23f601f4dd146596cb28e2f830df8328ba2d4455ae801817062405148e6b5faae4773828e674740cc65bf46f37a7c5a99d4bc79

    Download Submit
  • memory/3436-121-0x0000025A9DD00000-0x0000025A9DD16000-memory.dmp
    Filesize

    88KB

    Download
  • memory/3436-119-0x0000025A9DE24000-0x0000025A9DE25000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3436-120-0x0000025A9DCC0000-0x0000025A9DCDA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3436-115-0x0000025A9C020000-0x0000025A9C04C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/3436-122-0x0000025A9DE25000-0x0000025A9DE27000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3436-123-0x0000025A9DE27000-0x0000025A9DE29000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3436-124-0x0000025A9DE29000-0x0000025A9DE2A000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3436-125-0x0000025A9DE2A000-0x0000025A9DE2F000-memory.dmp
    Filesize

    20KB

    Download
  • memory/3436-118-0x0000025A9DE22000-0x0000025A9DE24000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3436-117-0x0000025A9C340000-0x0000025A9C348000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3436-116-0x0000025A9DE20000-0x0000025A9DE22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4360-129-0x000001A76B602000-0x000001A76B603000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4360-130-0x000001A76B613000-0x000001A76B614000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4360-131-0x000001A768D00000-0x000001A768D16000-memory.dmp
    Filesize

    88KB

    Download
  • memory/4360-133-0x000001A76B606000-0x000001A76B607000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4360-132-0x000001A76B603000-0x000001A76B604000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4360-134-0x000001A76B608000-0x000001A76B609000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4360-135-0x000001A76B080000-0x000001A76B0F6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4360-136-0x000001A76A8C0000-0x000001A76A8CE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4360-137-0x000001A76A8F0000-0x000001A76A90E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4360-138-0x000001A76A8D0000-0x000001A76A8EE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4360-139-0x000001A76AA60000-0x000001A76AA72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4360-140-0x000001A76BA30000-0x000001A76BA6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4360-141-0x000001A76D720000-0x000001A76D82A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4360-142-0x000001A76DFA0000-0x000001A76E162000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4360-143-0x000001A76EF20000-0x000001A76F446000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4360-144-0x000001A76B609000-0x000001A76B60A000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4360-145-0x000001A76B614000-0x000001A76B615000-memory.dmp
    Filesize

    4KB

    Download