Analysis

  • max time kernel
    300s
  • max time network
    304s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-11-2022 04:21

General

  • Target

    sqatyavkpcidpvwiialfnbdpawluusrm.exe

  • Size

    63KB

  • MD5

    dae21c538a7a4f8294d7e19916be9100

  • SHA1

    cea1c44030c6f45243a9408e59f8e43304402438

  • SHA256

    3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

  • SHA512

    8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

  • SSDEEP

    1536:6hQDnx1Ak32YGbHZCyYaN1bbLwtY3L3VG/tpqKmY7:6hQDnx1Ak32HHZCyP1bbLxL322z

Malware Config

Extracted

  • Family
    asyncrat
  • Version
    1.0.7 - modded by last
  • Botnet
    New
  • C2
    nicehash.at:4343
  • Mutex
    adsasutex_qwqdanchun
  • Attributes
    delay: 1
    install: true
    install_file: GoogleDriver.exe
    install_folder: %AppData%
  • aes.plain

Extracted

  • Family
    bitrat
  • Version
    1.38
  • C2
    nicehash.at:6000
  • Attributes
    communication_password: 005f16f264f006578c55237781f36898
    install_dir: JavaHelper
    install_file: Java.exe
    tor_process: tor

Extracted

  • Family
    redline
  • Botnet
    cheat
  • C2
    nicehash.at:1338

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 4 IoCs
  • Async RAT payload 5 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sqatyavkpcidpvwiialfnbdpawluusrm.exe
    "C:\Users\Admin\AppData\Local\Temp\sqatyavkpcidpvwiialfnbdpawluusrm.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1440
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB1E2.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:628
      • C:\Users\Admin\AppData\Roaming\GoogleDriver.exe
        "C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:564
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bit.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bit.exe"'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1784
            • C:\Users\Admin\AppData\Local\Temp\bit.exe
              "C:\Users\Admin\AppData\Local\Temp\bit.exe"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:664
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1516
            • C:\Users\Admin\AppData\Local\Temp\rdln.exe
              "C:\Users\Admin\AppData\Local\Temp\rdln.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (T1053): 1
  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
    Scheduled Task (T1053): 1
  • Privilege Escalation
    Scheduled Task (T1053): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bit.exe
    Filesize

    1.4MB

    MD5

    32d4216d4ef2af912921fc2931c0bd88

    SHA1

    3e79dd260b67ed27134246e9461d8878c7ac73e3

    SHA256

    d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

    SHA512

    7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

  • C:\Users\Admin\AppData\Local\Temp\rdln.exe
    Filesize

    95KB

    MD5

    6aefd743bed0887a18bbbd3b0c533dfb

    SHA1

    bb8140a7efc7a1dec295fa4894b0efa7203c6b49

    SHA256

    001170049bf107796ad564d572ef540743e0a66805f61a51a980998f7c09f5d1

    SHA512

    70cc520173a922443d4ec81f487227a4d6a5e2c3f7d3cee1c0a6ecc94cf8ceee64e53d75e6f6a5f51d0ae050939d78b9cad9d72bf5a3872c72a2ad7a69842929

  • C:\Users\Admin\AppData\Local\Temp\tmpB1E2.tmp.bat
    Filesize

    156B

    MD5

    7c30bd76ff8f80c9f7d39a8031546554

    SHA1

    00145c79f5c91b100d64315be7956b6930d9131b

    SHA256

    ea466c3ba65ded64b96265c65c3fbb0d283c123cf546a9d0e830347252fd8929

    SHA512

    17c9dcf55605415577316b939467b934bb9d2f661ef2dee2a220add73490d5c946d2c4820d2e3c0fabfb417eedf809f43b6375cda7cb42d656db36f3b0fdeec0

  • C:\Users\Admin\AppData\Roaming\GoogleDriver.exe
    Filesize

    63KB

    MD5

    dae21c538a7a4f8294d7e19916be9100

    SHA1

    cea1c44030c6f45243a9408e59f8e43304402438

    SHA256

    3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

    SHA512

    8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    167fbf9af32219578d221fa3b80db5c1

    SHA1

    229b321bb0596d3e17780ab06aaa464afea4ce29

    SHA256

    1d22b8a7b8212850489b06d5794b69437f180b216c6efb91380a8755479decce

    SHA512

    6f72240a476f1fd407acc4b8df15aa9267b02a37350a92267b0fd1606f1b1efc494573cc87f7f12e78e6e837735f4fb0658742818859e01bb15828a6850f9a39

  • memory/564-60-0x0000000000000000-mapping.dmp
  • memory/564-63-0x0000000001180000-0x0000000001196000-memory.dmp
    Filesize

    88KB

  • memory/564-64-0x0000000000450000-0x0000000000470000-memory.dmp
    Filesize

    128KB

  • memory/580-65-0x0000000000000000-mapping.dmp
  • memory/628-59-0x0000000000000000-mapping.dmp
  • memory/664-74-0x0000000000000000-mapping.dmp
  • memory/664-78-0x00000000756A1000-0x00000000756A3000-memory.dmp
    Filesize

    8KB

  • memory/664-98-0x00000000003E0000-0x00000000003EA000-memory.dmp
    Filesize

    40KB

  • memory/664-97-0x00000000003E0000-0x00000000003EA000-memory.dmp
    Filesize

    40KB

  • memory/664-95-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

  • memory/664-94-0x00000000003E0000-0x00000000003EA000-memory.dmp
    Filesize

    40KB

  • memory/664-93-0x00000000003E0000-0x00000000003EA000-memory.dmp
    Filesize

    40KB

  • memory/664-79-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

  • memory/916-57-0x0000000000000000-mapping.dmp
  • memory/1044-54-0x0000000000A80000-0x0000000000A96000-memory.dmp
    Filesize

    88KB

  • memory/1440-56-0x0000000000000000-mapping.dmp
  • memory/1516-90-0x0000000002304000-0x0000000002307000-memory.dmp
    Filesize

    12KB

  • memory/1516-86-0x0000000002304000-0x0000000002307000-memory.dmp
    Filesize

    12KB

  • memory/1516-81-0x0000000000000000-mapping.dmp
  • memory/1516-91-0x000000000230B000-0x000000000232A000-memory.dmp
    Filesize

    124KB

  • memory/1516-84-0x000007FEEB9E0000-0x000007FEEC403000-memory.dmp
    Filesize

    10.1MB

  • memory/1516-85-0x000007FEEAE80000-0x000007FEEB9DD000-memory.dmp
    Filesize

    11.4MB

  • memory/1636-80-0x0000000000000000-mapping.dmp
  • memory/1784-76-0x0000000002884000-0x0000000002887000-memory.dmp
    Filesize

    12KB

  • memory/1784-66-0x0000000000000000-mapping.dmp
  • memory/1784-77-0x000000000288B000-0x00000000028AA000-memory.dmp
    Filesize

    124KB

  • memory/1784-70-0x0000000002884000-0x0000000002887000-memory.dmp
    Filesize

    12KB

  • memory/1784-68-0x000007FEEC380000-0x000007FEECDA3000-memory.dmp
    Filesize

    10.1MB

  • memory/1784-71-0x000000001B720000-0x000000001BA1F000-memory.dmp
    Filesize

    3.0MB

  • memory/1784-69-0x000007FEEB820000-0x000007FEEC37D000-memory.dmp
    Filesize

    11.4MB

  • memory/1784-67-0x000007FEFC181000-0x000007FEFC183000-memory.dmp
    Filesize

    8KB

  • memory/1784-72-0x000000000288B000-0x00000000028AA000-memory.dmp
    Filesize

    124KB

  • memory/1956-88-0x0000000000000000-mapping.dmp
  • memory/1956-92-0x0000000001070000-0x000000000108E000-memory.dmp
    Filesize

    120KB

  • memory/1960-55-0x0000000000000000-mapping.dmp