Overview

overview

10

Static

static

8

a18193c95d...7c.exe

windows10-1703-x64

10

a18193c95d...7c.exe

windows10-2004-x64

10

Resubmissions

06-09-2022 03:04

220906-dk2dasbcam 10

24-08-2022 20:26

220824-y7t8qaaffp 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a18193c95d0c31ab132d9bc2da884d7c.exe

  • Size

    22.0MB

  • Sample

    220906-dk2dasbcam

  • MD5

    a18193c95d0c31ab132d9bc2da884d7c

  • SHA1

    063e58b4b3b920e68006d4d28625df894e20750a

  • SHA256

    6d6ebf1870d5d9c6bfebdc9fee3a3f381f86b32770f34df41364f905a489486c

  • SHA512

    1c5119a13ddbbe2293759e5cd66de8747abba98d46aa9883c1ccadb489a2cf54be58766aa157fd383a6f631c9265d7b873c068fd992c6dc592ab32a6afd10547

  • SSDEEP

    393216:TJWrtpiMPeMNKxIyMMUGJQmNVmIRKGl5X1+moeWJIYR22uYZm:kpWMtMUJ+KG3XsmOZFpm

Score
10/10
asyncratlimeratredlinexmrigytstealer@miroskatidiscoveryevasionexploitinfostealerminerpersistenceratspywarestealerupxvmprotect

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    123

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/mchxnAbT

  • delay

    80

  • download_payload

    false

  • install

    true

  • install_name

    WindosCert.exe

  • main_folder

    AppData

  • pin_spread

    true

  • sub_folder

    \

  • usb_spread

    true

Extracted

Family

redline

C2

193.124.22.40:19788

193.106.191.106:26883

193.106.191.16:28958

62.204.41.141:24758
Attributes
  • auth_value

    c16799aa992748b357b66c7f81245e70

Extracted

Family

redline

Botnet

@Miroskati

C2

litrazalilibe.xyz:81

Attributes
  • auth_value

    384ebbf9bd4d7e80bf3269909b298f87

Targets

    • Target

      a18193c95d0c31ab132d9bc2da884d7c.exe

    • Size

      22.0MB

    • MD5

      a18193c95d0c31ab132d9bc2da884d7c

    • SHA1

      063e58b4b3b920e68006d4d28625df894e20750a

    • SHA256

      6d6ebf1870d5d9c6bfebdc9fee3a3f381f86b32770f34df41364f905a489486c

    • SHA512

      1c5119a13ddbbe2293759e5cd66de8747abba98d46aa9883c1ccadb489a2cf54be58766aa157fd383a6f631c9265d7b873c068fd992c6dc592ab32a6afd10547

    • SSDEEP

      393216:TJWrtpiMPeMNKxIyMMUGJQmNVmIRKGl5X1+moeWJIYR22uYZm:kpWMtMUJ+KG3XsmOZFpm

    Score
    10/10
    asyncratlimeratredlinexmrigytstealer@miroskatidiscoveryevasionexploitinfostealerminerpersistenceratspywarestealerupxvmprotect

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

      ratlimerat

    • Modifies security service

      evasion

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • YTStealer

      YTStealer is a malware designed to steal YouTube authentication cookies.

      stealerytstealer

    • YTStealer payload

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Async RAT payload

      rat

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • XMRig Miner payload

      miner

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Possible privilege escalation attempt

      exploit

    • Stops running service(s)

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Virtualization/Sandbox Evasion

3
T1497

Impair Defenses

1
T1562

File Permissions Modification

1
T1222

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

3
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks