Overview

overview

10

Static

static

1

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmp

  • Size

    1.5MB

  • Sample

    230303-qht8eshe85

  • MD5

    43c3f3e2e28157583e7eda204b2b103f

  • SHA1

    43939dc8d125df242075d47edd696f6276f7ecb7

  • SHA256

    280474eb2d29702b7026467d357d2a34d58c08c82a264c174bce9e4bf694c19b

  • SHA512

    6721ad923a1b5329addf034c8decd7d1aee3db800ef19064cfd7d077211d938aab6bb654751b6443cd19bb7a8b6896139787e9379522b3be5e8c5b492c75ef63

  • SSDEEP

    12288:qP5IhyeomsP5LxH94zj9jljH0bStIswondr1fDzqJVxLsE8LX:1QYrpDzq1uL

Score
10/10
asyncratpurecrypterredlinesmokeloadercheat-menubackdoordiscoverydownloaderinfostealerloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

CHEAT-MENU

C2

amrican-sport-live-stream.cc:4581

Attributes
  • auth_value

    e948baa7e2fc2d71d02a5864e088ed36

Extracted

Family

asyncrat

Version

0.5.7B

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

smokeloader

Version

2022

C2

http://glueberry-og.cc/

http://glueberry-og.co/

http://glueberry-og.to/
rc4.i32
rc4.i32

Targets

    • Target

      tmp

    • Size

      1.5MB

    • MD5

      43c3f3e2e28157583e7eda204b2b103f

    • SHA1

      43939dc8d125df242075d47edd696f6276f7ecb7

    • SHA256

      280474eb2d29702b7026467d357d2a34d58c08c82a264c174bce9e4bf694c19b

    • SHA512

      6721ad923a1b5329addf034c8decd7d1aee3db800ef19064cfd7d077211d938aab6bb654751b6443cd19bb7a8b6896139787e9379522b3be5e8c5b492c75ef63

    • SSDEEP

      12288:qP5IhyeomsP5LxH94zj9jljH0bStIswondr1fDzqJVxLsE8LX:1QYrpDzq1uL

    Score
    10/10
    asyncratpurecrypterredlinesmokeloadercheat-menubackdoordiscoverydownloaderinfostealerloaderpersistenceratspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect PureCrypter injector

      loader

    • Detects Smokeloader packer

    • Modifies WinLogon for persistence

      persistence

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

      loaderdownloaderpurecrypter

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks