asyncrat | cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942

General

Target

cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe
Size

674KB
MD5

41335f83156230e62b02ea6831eb6351
SHA1

b88b3b41e61c8633316b36bac395bd9d5cdec0cf
SHA256

cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942
SHA512

cec006fe36d20970c97d90116c8a3f375c1b37bfdec45f052c739d9f19bc9c2838aa2df4b71b38f288d089b6d4eeeda3f3e5e0e9b34f0bb102666adb2da8c9ca
SSDEEP

12288:FWCLQIClF5mkXWP3dFwCy6ZnPzmPQuwB6:HQIAFQkXWP3jhLmPl06

Score

10^/10

asyncrat redline 2811 infostealer rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

2811

C2

81.161.229.143:26910

Attributes

auth_value
ef69aa35b72be83a278c5107422c9e4e

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3064-152-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

bld3tsd.exebld3tsd.exe

pid process

2524 bld3tsd.exe
3884 bld3tsd.exe

pid	process
2524	bld3tsd.exe
3884	bld3tsd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe

Loads dropped DLL 1 IoCs

Processes:

bld3tsd.exe

pid process

3884 bld3tsd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
3884	bld3tsd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bld3tsd.execb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe

description	pid	process	target process
PID 2524 set thread context of 3884	2524	bld3tsd.exe	bld3tsd.exe
PID 4572 set thread context of 3064	4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exeInstallUtil.exe

pid	process
4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe
4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe
3064	InstallUtil.exe
3064	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exebld3tsd.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe
Token: SeDebugPrivilege	3884	bld3tsd.exe
Token: SeDebugPrivilege	3064	InstallUtil.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exebld3tsd.exebld3tsd.execmd.exe

description	pid	process	target process
PID 4572 wrote to memory of 2524	4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	bld3tsd.exe
PID 4572 wrote to memory of 2524	4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	bld3tsd.exe
PID 4572 wrote to memory of 2524	4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	bld3tsd.exe
PID 2524 wrote to memory of 3884	2524	bld3tsd.exe	bld3tsd.exe
PID 2524 wrote to memory of 3884	2524	bld3tsd.exe	bld3tsd.exe
PID 2524 wrote to memory of 3884	2524	bld3tsd.exe	bld3tsd.exe
PID 2524 wrote to memory of 3884	2524	bld3tsd.exe	bld3tsd.exe
PID 2524 wrote to memory of 3884	2524	bld3tsd.exe	bld3tsd.exe
PID 2524 wrote to memory of 3884	2524	bld3tsd.exe	bld3tsd.exe
PID 2524 wrote to memory of 3884	2524	bld3tsd.exe	bld3tsd.exe
PID 2524 wrote to memory of 3884	2524	bld3tsd.exe	bld3tsd.exe
PID 4572 wrote to memory of 3064	4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 4572 wrote to memory of 3064	4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 4572 wrote to memory of 3064	4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 4572 wrote to memory of 3064	4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 4572 wrote to memory of 3064	4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 4572 wrote to memory of 3064	4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 4572 wrote to memory of 3064	4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 4572 wrote to memory of 3064	4572	cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe	InstallUtil.exe
PID 3884 wrote to memory of 1896	3884	bld3tsd.exe	cmd.exe
PID 3884 wrote to memory of 1896	3884	bld3tsd.exe	cmd.exe
PID 3884 wrote to memory of 1896	3884	bld3tsd.exe	cmd.exe
PID 1896 wrote to memory of 3988	1896	cmd.exe	xcopy.exe
PID 1896 wrote to memory of 3988	1896	cmd.exe	xcopy.exe
PID 1896 wrote to memory of 3988	1896	cmd.exe	xcopy.exe

C:\Users\Admin\AppData\Local\Temp\cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe
"C:\Users\Admin\AppData\Local\Temp\cb6868475e1cbfc57a9dbc3dab3bc725e91fe0e942e457f63085ce21b87a3942.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bld3tsd.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bld3tsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bld3tsd.exe
    #cmd
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /C xcopy "C:\$RECYCLE.BIN" "C:\$RECYCLEE.BIN" /i /c /y /q /t
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy "C:\$RECYCLE.BIN" "C:\$RECYCLEE.BIN" /i /c /y /q /t
        5⤵
        Enumerates system info in registry
        
        PID:3988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\2795BC26328C2D2A1C62FFC5F66B25CD\32\sqlite.interop.dll

Filesize
1.3MB

MD5
9b68a8d0393fbce1976c19107422f097

SHA1
b645fc9aff04f1de9d31d4c4b965ae0a1e3549d0

SHA256
f16dea838efc5b074f8d8b2f8e14ab77ec744648b1d5dd550456c2f99c12bbdc

SHA512
7989b760012fcab665591c2528d8ecaead09cd9cd74a7208ef6177b36581d381574d007a31bb4c55da7bc793000bf71be546b1caec59c380ab8962ea2b719933

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bld3tsd.exe

Filesize
81KB

MD5
30f7b47afd297f933883c9115c10af2c

SHA1
1e777c0b5c6b52868a6666b44de918bd9e1b5cee

SHA256
280cab1c2ebfeb60675fa55b86f4d408f033b127d18f5feaf6424741689af6b4

SHA512
607e80a778c8eaf8dd5d65e1a888c7bded64a2e3b85b0cce22e1f49a2615d4d69c3e632ff84c1db24d818318c354eccf239174c7fa7166a4da1ff08dfa522c24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bld3tsd.exe

Filesize
81KB

MD5
30f7b47afd297f933883c9115c10af2c

SHA1
1e777c0b5c6b52868a6666b44de918bd9e1b5cee

SHA256
280cab1c2ebfeb60675fa55b86f4d408f033b127d18f5feaf6424741689af6b4

SHA512
607e80a778c8eaf8dd5d65e1a888c7bded64a2e3b85b0cce22e1f49a2615d4d69c3e632ff84c1db24d818318c354eccf239174c7fa7166a4da1ff08dfa522c24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bld3tsd.exe

Filesize
81KB

MD5
30f7b47afd297f933883c9115c10af2c

SHA1
1e777c0b5c6b52868a6666b44de918bd9e1b5cee

SHA256
280cab1c2ebfeb60675fa55b86f4d408f033b127d18f5feaf6424741689af6b4

SHA512
607e80a778c8eaf8dd5d65e1a888c7bded64a2e3b85b0cce22e1f49a2615d4d69c3e632ff84c1db24d818318c354eccf239174c7fa7166a4da1ff08dfa522c24

Download Submit
memory/1896-148-0x0000000000000000-mapping.dmp

Download
memory/2524-137-0x0000000000000000-mapping.dmp

Download
memory/2524-140-0x00000000008D0000-0x00000000008EA000-memory.dmp

Filesize
104KB

Download
memory/3064-156-0x000000000AF10000-0x000000000AF4C000-memory.dmp

Filesize
240KB

Download
memory/3064-158-0x000000000C0E0000-0x000000000C130000-memory.dmp

Filesize
320KB

Download
memory/3064-153-0x000000000B420000-0x000000000BA38000-memory.dmp

Filesize
6.1MB

Download
memory/3064-154-0x000000000AF80000-0x000000000B08A000-memory.dmp

Filesize
1.0MB

Download
memory/3064-157-0x000000000CF10000-0x000000000D43C000-memory.dmp

Filesize
5.2MB

Download
memory/3064-144-0x0000000000000000-mapping.dmp

Download
memory/3064-152-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3064-155-0x000000000AEB0000-0x000000000AEC2000-memory.dmp

Filesize
72KB

Download
memory/3884-142-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3884-147-0x0000000007330000-0x000000000734E000-memory.dmp

Filesize
120KB

Download
memory/3884-146-0x0000000007290000-0x0000000007306000-memory.dmp

Filesize
472KB

Download
memory/3884-151-0x0000000009030000-0x00000000091F2000-memory.dmp

Filesize
1.8MB

Download
memory/3884-145-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/3884-141-0x0000000000000000-mapping.dmp

Download
memory/3988-149-0x0000000000000000-mapping.dmp

Download
memory/4572-135-0x0000000004F50000-0x0000000004FEC000-memory.dmp

Filesize
624KB

Download
memory/4572-133-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/4572-134-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/4572-132-0x0000000000750000-0x00000000007EA000-memory.dmp

Filesize
616KB

Download
memory/4572-136-0x00000000064B0000-0x00000000064BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads