General

  • Target

    Reverse IP 139.exe

  • Size

    65KB

  • Sample

    221126-xd2j9sac6t

  • MD5

    aebccb6c82173c65bcb92a17cc0a6b76

  • SHA1

    ca23829349cf46fa0abb339269f714a341992601

  • SHA256

    67773b80728645b6449b392fa1c98e5ef675cb9fc6c24ee798f893e00dd3e16b

  • SHA512

    7992c3812d52cbd00ba726ec64fcf47be63418213f8cb510ca7e96a7285e633c4874543a826dad3e0938df70cdff14462a3555b80f98671ab245985670332492

  • SSDEEP

    1536:NLDm+ON6x73ZUV98VJmlHJ+FjUzIXFoMbaaDohm72QuP:ZDAMD086dAHXhaaMQuP

Malware Config

Extracted

  Family: asyncrat
  Version: 0.5.7B
  Botnet: Ven0
  C2:
    127.0.0.1:6606
    127.0.0.1:7707
    127.0.0.1:8808
    overthinker1877.duckdns.org:6606
    overthinker1877.duckdns.org:7707
    overthinker1877.duckdns.org:8808
  Mutex: Ven0Mutex_6SI8OkPnk
  Attributes:
    • delay: 3
    • install: true
    • install_file: Ven0.exe
    • install_folder: %AppData%
  aes.plain

Extracted

  Family: redline
  Botnet: 1877
  C2:
    overthinker1877.duckdns.org:60732

Targets

    • Target

      Reverse IP 139.exe

    • Size

      65KB

    • MD5

      aebccb6c82173c65bcb92a17cc0a6b76

    • SHA1

      ca23829349cf46fa0abb339269f714a341992601

    • SHA256

      67773b80728645b6449b392fa1c98e5ef675cb9fc6c24ee798f893e00dd3e16b

    • SHA512

      7992c3812d52cbd00ba726ec64fcf47be63418213f8cb510ca7e96a7285e633c4874543a826dad3e0938df70cdff14462a3555b80f98671ab245985670332492

    • SSDEEP

      1536:NLDm+ON6x73ZUV98VJmlHJ+FjUzIXFoMbaaDohm72QuP:ZDAMD086dAHXhaaMQuP

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081): 2

  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 2
    Peripheral Device Discovery (T1120): 1

  • Collection
    Data from Local System (T1005): 2

Tasks