General

  • Target

    1.zip

  • Size

    2.5MB

  • Sample

    221005-m8wx6aebe2

  • MD5

    e53f47ff9d95341b0655cac6f6dbf016

  • SHA1

    44a20df0b51fac9e91d5a85d4cc177ec755a615d

  • SHA256

    613a23dadd6cf4ddfe08a56b7f13f3c83b1a0ef2dba918539ec0d4003f9c06dd

  • SHA512

    3150a499ba03a0fd60d219a09038618ff35aca6dbc6dc7ae61821bb0c3c780c2c32b3c6e36387ea9a116433ce7ae697ce1e586b1ef7976745f07d4f00a54de7d

  • SSDEEP

    49152:+Vper5oxsTZ/SoFxO7+740Arnf9ctdTvoJ:tGxQ1M7+743rnEzS

Malware Config

Extracted

  • Family

    redline

  • Botnet

    ingineru

  • C2

    23.88.61.43:18472

  • Attributes

    auth_value: 829f820f7d87919dad4b39d27cada24c

Extracted

  • Family

    asyncrat

  • Version

    Venom RAT 5.0.5

  • Botnet

    Venom Clients

  • C2

    resulttoday2.duckdns.org:6111

  • Mutex

    Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

  • Attributes

    delay: 1
    install: false
    install_folder: %AppData%
    aes.plain: (empty)

Targets

    • Target

      1.msi

    • Size

      354.2MB

    • MD5

      3fec58a8814463d25e3c18eb95d4803f

    • SHA1

      d19f99436a9e3d97285802ee7ed755aad4f6187d

    • SHA256

      2e21637e26f39ce81a13107263f2e62e6e23b7d00466c77b98b2df3e06422121

    • SHA512

      5092c48418cecbee2f1e02383e64a826d96eacd0ada9878b85dcb44f56e1c22a083e65b1b7eab56e7831dc740ffa978d456b02d77264e1913dc3db7a2f73c824

    • SSDEEP

      98304:DpyS79tNaQiLb0icbxl+364Sp+364tgF:cSX09w

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    • Target

      URFT06GSBAWRP_001_PDF.exe

    • Size

      300.0MB

    • MD5

      464753cd8a6523de0fba921ce6846177

    • SHA1

      6b3b77af1129f9ad86acc31163d8450eacb4dbd3

    • SHA256

      3221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092

    • SHA512

      589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2

    • SSDEEP

      3072:1iJZ3k2p8jrvVIYkwur2JMBZ6kINhCRFuaABOUEs64BRg40nOFblHTgr4:1OyRr9u1KJkZ6dIYBUeBRgOlWU

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting (T1064): 2

  • Scheduled Task (T1053): 1

Persistence

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • File Permissions Modification (T1222): 1

  • Scripting (T1064): 2

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • Query Registry (T1012): 2

  • Peripheral Device Discovery (T1120): 2

  • System Information Discovery (T1082): 2

Collection

  • Data from Local System (T1005): 1

Tasks