Overview

overview

10

Static

static

10

sqatyavkpc...rm.exe

windows7-x64

10

sqatyavkpc...rm.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sqatyavkpcidpvwiialfnbdpawluusrm.exe

  • Size

    63KB

  • Sample

    221106-eyr78accd2

  • MD5

    dae21c538a7a4f8294d7e19916be9100

  • SHA1

    cea1c44030c6f45243a9408e59f8e43304402438

  • SHA256

    3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

  • SHA512

    8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

  • SSDEEP

    1536:6hQDnx1Ak32YGbHZCyYaN1bbLwtY3L3VG/tpqKmY7:6hQDnx1Ak32HHZCyP1bbLxL322z

Score
10/10
asyncratbitratredlinexenarmorcheatnewcollectiondiscoveryinfostealerpasswordpersistenceratrecoveryspywarestealertrojanupx

Malware Config

Extracted

Family

asyncrat

Version

1.0.7 - modded by last

Botnet

New

C2

nicehash.at:4343

Mutex

adsasutex_qwqdanchun

Attributes
  • delay

    1

  • install

    true

  • install_file

    GoogleDriver.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

bitrat

Version

1.38

C2

nicehash.at:6000

Attributes
  • communication_password

    005f16f264f006578c55237781f36898

  • install_dir

    JavaHelper

  • install_file

    Java.exe

  • tor_process

    tor

Extracted

Family

redline

Botnet

cheat

C2

nicehash.at:1338

Targets

    • Target

      sqatyavkpcidpvwiialfnbdpawluusrm.exe

    • Size

      63KB

    • MD5

      dae21c538a7a4f8294d7e19916be9100

    • SHA1

      cea1c44030c6f45243a9408e59f8e43304402438

    • SHA256

      3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

    • SHA512

      8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

    • SSDEEP

      1536:6hQDnx1Ak32YGbHZCyYaN1bbLwtY3L3VG/tpqKmY7:6hQDnx1Ak32HHZCyP1bbLxL322z

    Score
    10/10
    asyncratbitratredlinecheatnewdiscoveryinfostealerpersistenceratspywarestealertrojanupxxenarmorcollectionpasswordrecovery

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • XenArmor Suite

      XenArmor is as suite of password recovery tools for various application.

      recoverypasswordxenarmor

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Async RAT payload

      rat

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

5
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

5
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks