General

  • Target

    1.zip

  • Size

    2MB

  • Sample

    221005-m8wx6aebe2

  • MD5

    e53f47ff9d95341b0655cac6f6dbf016

  • SHA1

    44a20df0b51fac9e91d5a85d4cc177ec755a615d

  • SHA256

    613a23dadd6cf4ddfe08a56b7f13f3c83b1a0ef2dba918539ec0d4003f9c06dd

  • SHA512

    3150a499ba03a0fd60d219a09038618ff35aca6dbc6dc7ae61821bb0c3c780c2c32b3c6e36387ea9a116433ce7ae697ce1e586b1ef7976745f07d4f00a54de7d

Malware Config

Extracted

Family

redline

Botnet

ingineru

C2

23.88.61.43:18472

Attributes

    auth_value: 829f820f7d87919dad4b39d27cada24c

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

C2

resulttoday2.duckdns.org:6111

Attributes

    delay: 1
    install: false
    install_folder: %AppData%
    aes.plain

Targets

    • Target

      1.msi

    • Size

      354MB

    • MD5

      3fec58a8814463d25e3c18eb95d4803f

    • SHA1

      d19f99436a9e3d97285802ee7ed755aad4f6187d

    • SHA256

      2e21637e26f39ce81a13107263f2e62e6e23b7d00466c77b98b2df3e06422121

    • SHA512

      5092c48418cecbee2f1e02383e64a826d96eacd0ada9878b85dcb44f56e1c22a083e65b1b7eab56e7831dc740ffa978d456b02d77264e1913dc3db7a2f73c824

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    • Target

      URFT06GSBAWRP_001_PDF.exe

    • Size

      300MB

    • MD5

      464753cd8a6523de0fba921ce6846177

    • SHA1

      6b3b77af1129f9ad86acc31163d8450eacb4dbd3

    • SHA256

      3221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092

    • SHA512

      589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Command and Control

  • Credential Access

  • Execution

  • Exfiltration

  • Impact

  • Initial Access

  • Lateral Movement

  • Persistence

  • Privilege Escalation