General

  • Target

    6a2fe740af2f9b1bcf6b4f05bc38c810.exe

  • Size

    48KB

  • Sample

    230210-y5kw9sbc85

  • MD5

    6a2fe740af2f9b1bcf6b4f05bc38c810

  • SHA1

    17f247fb43800115495b4463f10355660e5d5b45

  • SHA256

    1dac278c05c70bc6df9e9eff71a38932549c61f51e1fed6239420a3c542c0476

  • SHA512

    12c428724eece2c7ae9b85fb5b5b95b5151ee9e0a0f5e8b3ab9739d6a7394e9f2374c03b0744c44d14cf10bc75c80f0e9c4e39587065d2db7e69a0286aa3c6ea

  • SSDEEP

    768:mUkPIL2C6y+DiNbik7U8Yb2g1WyCXvEgK/JSTJVc6KN:mU22UzbpAyCXnkJqJVclN

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

135.181.204.51:8848

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    true

  • install_file

    Desktop Window Manager.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

redline

Botnet

cheat

C2

135.181.204.51:20347

Targets

    • Target

      6a2fe740af2f9b1bcf6b4f05bc38c810.exe

    • Size

      48KB

    • MD5

      6a2fe740af2f9b1bcf6b4f05bc38c810

    • SHA1

      17f247fb43800115495b4463f10355660e5d5b45

    • SHA256

      1dac278c05c70bc6df9e9eff71a38932549c61f51e1fed6239420a3c542c0476

    • SHA512

      12c428724eece2c7ae9b85fb5b5b95b5151ee9e0a0f5e8b3ab9739d6a7394e9f2374c03b0744c44d14cf10bc75c80f0e9c4e39587065d2db7e69a0286aa3c6ea

    • SSDEEP

      768:mUkPIL2C6y+DiNbik7U8Yb2g1WyCXvEgK/JSTJVc6KN:mU22UzbpAyCXnkJqJVclN

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Tasks