General

  • Target

    deepweb.exe

  • Size

    95KB

  • Sample

    231121-2s66hsha65

  • MD5

    7a51a34ca5ccfe6eb43ef6abc0f92d46

  • SHA1

    115643f90fb03144d2486f3a5f1b67d9cd8b42f1

  • SHA256

    5675b6a982a8224078a4c5338480f37f536a29ade205f85a39d2cbe6cc28815d

  • SHA512

    e4756b82c6d8e82885842439d87675d8227ac0375d4b363f411caef06e7f3179d4a406d58ee5167826f9f3b5b3efd31f727ec6e2efa62eb0b1a5d13e134d8f88

  • SSDEEP

    1536:5qskbqDylbG6jejoigIj43Ywzi0Zb78ivombfexv0ujXyyed2HtmulgS6p8l:X2wiYj+zi0ZbYe1g0ujyzd38

Malware Config

Extracted

Family

redline

Botnet

11/21/23

C2

91.92.241.80:1337

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

11/15/24INJECT

Mutex

561465416dfg14reg14t43684436t8453434

Attributes
  • delay

    5

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

asyncrat

Version

q5/FrDGAeLVkSXsaonU5rhB8ApDVsV3LVfxwRFqOBNVJjCmLe0ijZ8ch441TIv9e�YhaXJNUHbu8WUppfMiLX2rSEzMECSm0OuN4rgt8ugMlS32dIyps7WOjUa6Pjz2/

Botnet

11/15/24INJECT

Mutex

561465416dfg14reg14t43684436t8453434

Attributes
  • delay

    5

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Targets

    • Target

      deepweb.exe

    • Size

      95KB

    • MD5

      7a51a34ca5ccfe6eb43ef6abc0f92d46

    • SHA1

      115643f90fb03144d2486f3a5f1b67d9cd8b42f1

    • SHA256

      5675b6a982a8224078a4c5338480f37f536a29ade205f85a39d2cbe6cc28815d

    • SHA512

      e4756b82c6d8e82885842439d87675d8227ac0375d4b363f411caef06e7f3179d4a406d58ee5167826f9f3b5b3efd31f727ec6e2efa62eb0b1a5d13e134d8f88

    • SSDEEP

      1536:5qskbqDylbG6jejoigIj43Ywzi0Zb78ivombfexv0ujXyyed2HtmulgS6p8l:X2wiYj+zi0ZbYe1g0ujyzd38

    • AsyncRat

      AsyncRAT is a remote monitoring and control tool written in C#, designed to remotely monitor and control other computers.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Async RAT payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

MITRE ATT&CK Enterprise v15

Tasks