Analysis

  • max time kernel
    149s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/05/2023, 20:07

General

  • Target

    panel.exe

  • Size

    170KB

  • MD5

    470a8267b5eba7eb998d9fa69532f849

  • SHA1

    1152ddb2ab93aae9983e3e8b5c4f367875323e3e

  • SHA256

    6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

  • SHA512

    5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

  • SSDEEP

    3072:O+STW8djpN6izj8mZwHQiWZqswqIPu/i9b+J2cOZTMi56+WpL:z8XN6W8mmdUwXPSi9b2c3

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Async RAT payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\panel.exe
    "C:\Users\Admin\AppData\Local\Temp\panel.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:4796
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
            PID:1088
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            3⤵
              PID:1148
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3324
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              3⤵
                PID:4756
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:2392

            Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\Admin@ROBKQPFG_en-US\Browsers\Firefox\Bookmarks.txt

                    Filesize

                    105B

                    MD5

                    2e9d094dda5cdc3ce6519f75943a4ff4

                    SHA1

                    5d989b4ac8b699781681fe75ed9ef98191a5096c

                    SHA256

                    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

                    SHA512

                    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

                  • C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\Admin@ROBKQPFG_en-US\System\Process.txt

                    Filesize

                    4KB

                    MD5

                    fa4ce21358a2a8e505335c281c2d9a10

                    SHA1

                    4341fbdd6ae5f9a9eab36e91153b849163a8de11

                    SHA256

                    d52d5ee16cbeaf78323955fbd458ed6cd62ea9613343a0261dd0b29ddfb59275

                    SHA512

                    2e5418c644ca8d882526ab20d0423e40bc821ad2b9e45de15e87e9381fc5c98945b1d45e8f27819e280dee6bc9de0d152df49f7dc736f042e79e7e81f6f06db4

                  • C:\Users\Admin\AppData\Local\5c1b4d6bab16ab04fc923bd6105addbc\msgid.dat

                    Filesize

                    4B

                    MD5

                    32b3ee0272954b956a7d1f86f76afa21

                    SHA1

                    3eaf3c4852eb47b67a2e8e02b825b3f492db6d59

                    SHA256

                    dfc04c940f3b91d8a8316579ecd027fb98be2ead43b0a0bacf78a12babae4d05

                    SHA512

                    83d24c6f19496c1c32409cd7be2dab0de63d638818440fae5bc60c7156353c2692fdece32a271ef9a777370c8cb4ec0aeb798d46e92ce5273a27cc9c96697ad9

                  • memory/1956-271-0x00000000066E0000-0x0000000006772000-memory.dmp

                    Filesize

                    584KB

                  • memory/1956-136-0x0000000005B80000-0x0000000005BE6000-memory.dmp

                    Filesize

                    408KB

                  • memory/1956-270-0x0000000005A00000-0x0000000005A10000-memory.dmp

                    Filesize

                    64KB

                  • memory/1956-133-0x0000000000DF0000-0x0000000000E20000-memory.dmp

                    Filesize

                    192KB

                  • memory/1956-272-0x0000000006D30000-0x00000000072D4000-memory.dmp

                    Filesize

                    5.6MB

                  • memory/1956-274-0x0000000005A00000-0x0000000005A10000-memory.dmp

                    Filesize

                    64KB

                  • memory/1956-277-0x0000000001370000-0x000000000137A000-memory.dmp

                    Filesize

                    40KB

                  • memory/1956-135-0x0000000005A00000-0x0000000005A10000-memory.dmp

                    Filesize

                    64KB

                  • memory/1956-283-0x00000000067A0000-0x00000000067B2000-memory.dmp

                    Filesize

                    72KB

                  • memory/1956-134-0x0000000005A00000-0x0000000005A10000-memory.dmp

                    Filesize

                    64KB