asyncrat | cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942

General

Target

cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe
Size

674KB
MD5

41335f83156230e62b02ea6831eb6351
SHA1

b88b3b41e61c8633316b36bac395bd9d5cdec0cf
SHA256

cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942
SHA512

cec006fe36d20970c97d90116c8a3f375c1b37bfdec45f052c739d9f19bc9c2838aa2df4b71b38f288d089b6d4eeeda3f3e5e0e9b34f0bb102666adb2da8c9ca
SSDEEP

12288:FWCLQIClF5mkXWP3dFwCy6ZnPzmPQuwB6:HQIAFQkXWP3jhLmPl06

Score

10^/10

asyncrat redline 2811 infostealer rat spyware

Malware Config

Extracted

Family

redline

Botnet

2811

C2

81.161.229.143:26910

Attributes

auth_value
ef69aa35b72be83a278c5107422c9e4e

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/964-83-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline
behavioral1/memory/964-84-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline
behavioral1/memory/964-88-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline
behavioral1/memory/964-89-0x000000000045B2CE-mapping.dmp	family_redline
behavioral1/memory/964-91-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline
behavioral1/memory/964-93-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/336-85-0x0000000000850000-0x0000000000894000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

bld3tsd.exebld3tsd.exe

pid process

568 bld3tsd.exe
336 bld3tsd.exe
Loads dropped DLL 1 IoCs

Processes:

cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe

pid process

2024 cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
568	bld3tsd.exe
336	bld3tsd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bld3tsd.execb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe

description	pid	process	target process
PID 568 set thread context of 336	568	bld3tsd.exe	bld3tsd.exe
PID 2024 set thread context of 964	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exeInstallUtil.exe

pid	process
2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe
2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe
964	InstallUtil.exe
964	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exebld3tsd.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe
Token: SeDebugPrivilege	336	bld3tsd.exe
Token: SeDebugPrivilege	964	InstallUtil.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exebld3tsd.exebld3tsd.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 568	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	bld3tsd.exe
PID 2024 wrote to memory of 568	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	bld3tsd.exe
PID 2024 wrote to memory of 568	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	bld3tsd.exe
PID 2024 wrote to memory of 568	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	bld3tsd.exe
PID 568 wrote to memory of 336	568	bld3tsd.exe	bld3tsd.exe
PID 568 wrote to memory of 336	568	bld3tsd.exe	bld3tsd.exe
PID 568 wrote to memory of 336	568	bld3tsd.exe	bld3tsd.exe
PID 568 wrote to memory of 336	568	bld3tsd.exe	bld3tsd.exe
PID 568 wrote to memory of 336	568	bld3tsd.exe	bld3tsd.exe
PID 568 wrote to memory of 336	568	bld3tsd.exe	bld3tsd.exe
PID 568 wrote to memory of 336	568	bld3tsd.exe	bld3tsd.exe
PID 568 wrote to memory of 336	568	bld3tsd.exe	bld3tsd.exe
PID 568 wrote to memory of 336	568	bld3tsd.exe	bld3tsd.exe
PID 2024 wrote to memory of 964	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 2024 wrote to memory of 964	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 2024 wrote to memory of 964	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 2024 wrote to memory of 964	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 2024 wrote to memory of 964	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 2024 wrote to memory of 964	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 2024 wrote to memory of 964	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 2024 wrote to memory of 964	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 2024 wrote to memory of 964	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 2024 wrote to memory of 964	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 2024 wrote to memory of 964	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 2024 wrote to memory of 964	2024	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 336 wrote to memory of 812	336	bld3tsd.exe	cmd.exe
PID 336 wrote to memory of 812	336	bld3tsd.exe	cmd.exe
PID 336 wrote to memory of 812	336	bld3tsd.exe	cmd.exe
PID 336 wrote to memory of 812	336	bld3tsd.exe	cmd.exe
PID 812 wrote to memory of 1628	812	cmd.exe	xcopy.exe
PID 812 wrote to memory of 1628	812	cmd.exe	xcopy.exe
PID 812 wrote to memory of 1628	812	cmd.exe	xcopy.exe
PID 812 wrote to memory of 1628	812	cmd.exe	xcopy.exe

C:\Users\Admin\AppData\Local\Temp\cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe
"C:\Users\Admin\AppData\Local\Temp\cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bld3tsd.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bld3tsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bld3tsd.exe
    #cmd
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /C xcopy "C:\$RECYCLE.BIN" "C:\$RECYCLEE.BIN" /i /c /y /q /t
      4⤵
      Suspicious use of WriteProcessMemory
      PID:812
    - - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy "C:\$RECYCLE.BIN" "C:\$RECYCLEE.BIN" /i /c /y /q /t
        5⤵
        Enumerates system info in registry
        
        PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bld3tsd.exe

Filesize
81KB

MD5
30f7b47afd297f933883c9115c10af2c

SHA1
1e777c0b5c6b52868a6666b44de918bd9e1b5cee

SHA256
280cab1c2ebfeb60675fa55b86f4d408f033b127d18f5feaf6424741689af6b4

SHA512
607e80a778c8eaf8dd5d65e1a888c7bded64a2e3b85b0cce22e1f49a2615d4d69c3e632ff84c1db24d818318c354eccf239174c7fa7166a4da1ff08dfa522c24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bld3tsd.exe

Filesize
81KB

MD5
30f7b47afd297f933883c9115c10af2c

SHA1
1e777c0b5c6b52868a6666b44de918bd9e1b5cee

SHA256
280cab1c2ebfeb60675fa55b86f4d408f033b127d18f5feaf6424741689af6b4

SHA512
607e80a778c8eaf8dd5d65e1a888c7bded64a2e3b85b0cce22e1f49a2615d4d69c3e632ff84c1db24d818318c354eccf239174c7fa7166a4da1ff08dfa522c24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bld3tsd.exe

Filesize
81KB

MD5
30f7b47afd297f933883c9115c10af2c

SHA1
1e777c0b5c6b52868a6666b44de918bd9e1b5cee

SHA256
280cab1c2ebfeb60675fa55b86f4d408f033b127d18f5feaf6424741689af6b4

SHA512
607e80a778c8eaf8dd5d65e1a888c7bded64a2e3b85b0cce22e1f49a2615d4d69c3e632ff84c1db24d818318c354eccf239174c7fa7166a4da1ff08dfa522c24

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bld3tsd.exe

Filesize
81KB

MD5
30f7b47afd297f933883c9115c10af2c

SHA1
1e777c0b5c6b52868a6666b44de918bd9e1b5cee

SHA256
280cab1c2ebfeb60675fa55b86f4d408f033b127d18f5feaf6424741689af6b4

SHA512
607e80a778c8eaf8dd5d65e1a888c7bded64a2e3b85b0cce22e1f49a2615d4d69c3e632ff84c1db24d818318c354eccf239174c7fa7166a4da1ff08dfa522c24

Download Submit
memory/336-75-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/336-73-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/336-69-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/336-76-0x00000000002E0000-0x00000000002EE000-memory.dmp

Filesize
56KB

Download
memory/336-85-0x0000000000850000-0x0000000000894000-memory.dmp

Filesize
272KB

Download
memory/336-70-0x000000000041440E-mapping.dmp

Download
memory/336-64-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/336-65-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/336-68-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/336-67-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/568-62-0x00000000010B0000-0x00000000010CA000-memory.dmp

Filesize
104KB

Download
memory/568-63-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/568-59-0x0000000000000000-mapping.dmp

Download
memory/812-86-0x0000000000000000-mapping.dmp

Download
memory/964-81-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/964-84-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/964-94-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/964-93-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/964-80-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/964-91-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/964-83-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/964-89-0x000000000045B2CE-mapping.dmp

Download
memory/964-88-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1628-87-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x00000000002E0000-0x000000000037A000-memory.dmp

Filesize
616KB

Download
memory/2024-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2024-56-0x00000000006D0000-0x0000000000700000-memory.dmp

Filesize
192KB

Download
memory/2024-57-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2024-79-0x0000000004DC0000-0x0000000004DC6000-memory.dmp

Filesize
24KB

Download
memory/2024-78-0x0000000004A60000-0x0000000004A7A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads