asyncrat | hxxps://github[.]com/Nemox/Paladins-Internal-Esp-Aimbot-Hack-Cheat-Hack | Triage

Submit
Reports

Overview

overview

Static

static

URLScan

urlscan

https://github.com/N...

windows10-2004-x64

Sharing

General

Target

https://github.com/Nemox/Paladins-Internal-Esp-Aimbot-Hack-Cheat-Hack
Sample

221104-2a7dkadedk

Score

10^/10

asyncrat redline defender filemanager securityhealthseurvice evasion infostealer persistence rat

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

https://github.com/Nemox/Paladins-Internal-Esp-Aimbot-Hack-Cheat-Hack

Resource

win10v2004-20220812-en

asyncrat redline defender filemanager securityhealthseurvice evasion infostealer persistence rat

windows10-2004-x64

27 signatures

1800 seconds

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SecurityHealthSeurvice

C2

217.64.31.3:8437

Mutex

SecurityHealthSeurvice

Attributes

delay
3
install
false
install_file
SecurityHealthSeurvice.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

dEFENDER

C2

20.19.164.86:22616

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

FileManager

C2

20.107.115.162:50239

Mutex

FileManager

Attributes

delay
3
install
false
install_file
FileManager
install_folder
%AppData%

aes.plain

Targets

- Target
  
  https://github.com/Nemox/Paladins-Internal-Esp-Aimbot-Hack-Cheat-Hack
Score

10^/10

asyncrat redline defender filemanager securityhealthseurvice evasion infostealer persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Async RAT payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

urlscan1

behavioral1

asyncratredlinedefenderfilemanagersecurityhealthseurviceevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy