asyncrat

Sharing

General

Target

08d215fd35494280e6397e8bc527bd6de64eb78a73acd3bd07a01da376ed4cb7
Size

19.6MB
Sample

240316-embq4abd5t
MD5

844d06a617687dec8baef97423d3a6e1
SHA1

ce4bf971d64c3dcb16b720b3291e5c34de91035f
SHA256

08d215fd35494280e6397e8bc527bd6de64eb78a73acd3bd07a01da376ed4cb7
SHA512

69858f7b1c715aeba871ed2e921242da970b1ef6f061c129e5ae2af15935aa44d91f3bd0c9abf2345969b3a36019bd6daa2a2a027cb3e12de96338a01439d469
SSDEEP

393216:jtKgICYntWuBAaWdNWgUYflqQBlwSjFce/f1MSo91pAc:J+ntzAaWdsgZqsxCeX1MJpAc

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

001

45.67.231.52:81

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

shortcut2021.duckdns.org:6001

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

1488

91.194.11.64:81

Extracted

Family

fickerstealer

109.234.35.192:80

Targets

- Target
  
  001.txt
- Size
  
  1.4MB
- MD5
  
  1cab063cc0c194cc5c81e71aad8a94e0
- SHA1
  
  bb4d5267f05e3e4f42ad7576f8a8e57a47da5653
- SHA256
  
  4ccc480c0ae855a876e266122a05dea65506fadedee20f1857525a41ef3932f8
- SHA512
  
  93fe579300d1db29f1b3ed75db9529d5bef48af1db8d947a9883e06e9c3a75ecf82f563dd163a333ad81562e95fd6c2d6d6f3f9f5fa05e0344ee85cd251365f3
- SSDEEP
  
  6144:kyRQUPQSetlQnZcONGhSJvVP1fHvq05qHE:kyR
Score

10^/10

redline 001 infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing credit card regular expressions
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  1488.txt
- Size
  
  1.4MB
- MD5
  
  ce0f93d2bb7f18632d6695cf4800f436
- SHA1
  
  c36922e5580cf622752115f2c8fa95278ad455a7
- SHA256
  
  9624e9bf93ace2e4b9106fb1b30c1dfb9de68bf63f4fb9559f11078569fbe334
- SHA512
  
  df13fbc9df58029868f442b84f5b24cea6cab0fe019898dce524ed99876642db4ae0ad2226d35c7fa75f8a43644cfb36d3a9a4ad6c2bfe67ddd9709af604b99b
- SSDEEP
  
  6144:QVUWkqsPUI4MZEDjklKbkAtG17jBH6Em5lUTpwXHxCJfvELiC:QhkqsP
Score

10^/10

redline 1488 infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing credit card regular expressions
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  1_cr.txt
- Size
  
  847KB
- MD5
  
  af067a53dcecb2f527a351a6491c56b9
- SHA1
  
  845f59d0324b2577979b51a8e66689f6f604ecde
- SHA256
  
  9cc9a90e31f1486a991360c25209f1b08aec5bd7e084de748e73ebef6deca38d
- SHA512
  
  e9cc332f2108be20acbdafe91a6ee8d489eddb05b752a05d5372a468ea6c95215ca06fb0881b49fc20fac9f0d602a665272b70997df4414ea98a016f60e4fd71
- SSDEEP
  
  24576:TAHnh+eWsN3skA4RV1Hom2KXMmHamV55:eh+ZkldoPK8Yamt
Score

5^/10
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  1cr.txt
- Size
  
  667KB
- MD5
  
  8c56ecce67e5e43e872863f41fe03eab
- SHA1
  
  ad4785bf01141163053f421d15fe76a460836c9b
- SHA256
  
  25eb1831bf580a45f9464bcf50ef2b3d35021f6eb5e42874b2dd8fd8544cf853
- SHA512
  
  63ade7eca68d011e979e2ff0568899136b3fec35370959fafe751edfff379e88b25431584e9cdc80c4d7354b9f6ed894ae4b9e6402d51a0af82f1544299c1a1c
- SSDEEP
  
  12288:XNECjrWAEX1Cfy0BTutPKgUlPB8+OuIwYs84X7IY4sCjlbg4xWvVf:XNNjryCf1BTuIXlPB8+ODwYG7IY4sCjq
Score

10^/10

fickerstealer infostealer
- Fickerstealer
  Ficker is an infostealer written in Rust and ASM.
  infostealer fickerstealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  1fc2d.txt
- Size
  
  3.5MB
- MD5
  
  8f94297c9a87de5c84a3c6b2d43a3809
- SHA1
  
  611cb3591c6a428f01f82c08c4bea4972635445f
- SHA256
  
  e1eda5c9ef3158ecc5dabc82b244def26c0a938c797a1c97752ff32505b0f048
- SHA512
  
  033e87be95251798d567dc80d2582880126372668dc021bd008be439d73768b94340301e1ceee3ed2833f73cc35fafc5b522147ddd25a3b685508cd3c363e4a5
- SSDEEP
  
  1536:U6+o7BcTd7F+jNFIuj+pVlw4lNJz1VD3zzvizZ5systS34UfNS34Uf:UmFCsZF1jg7TJz15PNyxs
Score

10^/10

pandastealer shurk infostealer spyware stealer
- Panda Stealer payload
- PandaStealer
  Panda Stealer is a fork of CollectorProject Stealer written in C++.
  stealer pandastealer
- Shurk
  Shurk is an infostealer, written in C++ which appeared in 2021.
  infostealer shurk
- Shurk Stealer payload
- Detects executables containing SQL queries to confidential data stores. Observed in infostealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  6e7_2021-01-19_18-04.txt
- Size
  
  509KB
- MD5
  
  d4827f2bb4c0446d1bba5df00c2436b8
- SHA1
  
  69db7a9dd71235671819472bf2d55bb3eeaf11ea
- SHA256
  
  235e42b187151383ebb91cb85af8500f19e18906bf57917fcf9e0da7004c86ff
- SHA512
  
  9c3429767a76dfcaeaf6bc1b032d71ddb04a6d7f2956eb390cde050e5965fc0e8d2affb3b31061307f76f68c9c0e90e7f3908a73081c044ff89de88ff92307a5
- SSDEEP
  
  12288:abmDTkUymtqTNbr2piRpjhV5gJtO+PbBJgSIg:aaDTMmtg1rBQ4+PcSV
Score

10^/10

raccoon stealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- UPX dump on OEP (original entry point)
behavioral11 behavioral12
- Target
  
  Abjects.txt
- Size
  
  51KB
- MD5
  
  ce328046ab3836eef7177159d6e080af
- SHA1
  
  596a87e18b4d9789c6fd167ac90036560f4382bc
- SHA256
  
  f14535ebeec9ecd43865283cdbdcf4a29548055d64977da1d07255dd8bf00edf
- SHA512
  
  27edd18f8f14b63f4ff62ebb0c856590dd7c255fd8d1c025d0ab547761dc7b486b8dc559443ea324ada54019f17e11917fb1712eaa9de53797cb09f61b7db0a2
- SSDEEP
  
  768:j06cofrE9MroWR8YcPMeQi/3Go8LqaI6gFS1r2GSZ:Qx/9q9eYLEfGo8OaIqcZ
Score

1^/10
behavioral13 behavioral14
- Target
  
  BattleText.txt
- Size
  
  79KB
- MD5
  
  ac98d5e7f59a9feb167f01c6749baccb
- SHA1
  
  80be262b88d22230ebd7a44e03ddd810092fdfb5
- SHA256
  
  c7e4b8b9ded5df50dc1b2b8e6af95cb6cfb310c20be19c879c48a83371b345da
- SHA512
  
  6ff2a6713691b097ccd678f6275624ed88561aa4458a3d5e2b9bfece60d4cfccdf0c4a88aba0728569126648c1a93972c45807ae077c60203f1eee63f5bca368
- SSDEEP
  
  768:nMEuOeT2wsgkVTMEAnqqbiHsT5OzK5cFCdkS4hqXoxWbeVLJE0PZL:MD9yQkrAPasTAzK5NdkuYxE4/PZL
Score

10^/10

asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detects executables containing URLs to raw contents of a Github gist
- Detects file containing reversed ASEP Autorun registry keys
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  HANS.txt
- Size
  
  481KB
- MD5
  
  1f0c86722e882c3a2e1b2aced5b338d6
- SHA1
  
  2a1c02f4dcd53906dda8703219b7505fad15df03
- SHA256
  
  1c83962ea10ce2aac61fe881ae8d79514148be5fc90c121a6fa285d6f640ee0c
- SHA512
  
  e38b5c86610a07e85247e9eb571aeb750e8f867d637ff0e40c1067720ac51a50c9dfe7942a0854a2bb2318ce747f449549818c23a9859b03a64a4376a6bc5439
- SSDEEP
  
  768:GQhHZlSpiyA1HS1dAT0zocdB3KtvTe3DDv9mmLc5YlvmmLzEVYKDDYEwmpD3YemZ:phHZlQiV1SkT0zocd4y6ZY
Score

1^/10
behavioral17 behavioral18
- Target
  
  Hulu.txt
- Size
  
  1.4MB
- MD5
  
  64be5264f3a58325446865be38c05b34
- SHA1
  
  fdbad9468075747a4999b7b30fa7cb7b60fdcb4e
- SHA256
  
  561a8b830e902a0ba18457a0aa8db8a8c663de8ee33e6009f236cedff00f8cbb
- SHA512
  
  d48fac03082d1f12cf1d175978f64e9d2df467828601b34474c77bf139c6c0dae5002ad2f1e106c46e6fb6c4ef8083e011931a74dd0adcbb0a43cdeae16cd0d0
- SSDEEP
  
  24576:Z53uhF9SQLLqzkUQrRjlOYvsiEP+tsDirDlmLrgH4tN96yk8ISOm1w+p6njCph5r:Z5+hFsQLLqAllIqsDirDlAOUw+4852Y
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  IntelFIVE.txt
- Size
  
  770KB
- MD5
  
  eb39c3a8f12a353ca9a0f64a2d2b9966
- SHA1
  
  8eca1c63a7110d2cc432e8e8e753462b26306fc4
- SHA256
  
  8060ecf4c1dc957aefdbfc835361541af83a9e5d6433f5abb073477c59f16e4c
- SHA512
  
  8423a45274f8f082805e5cd174abcd08b80c737b4ab3aa3a1669d862db2fa168893cec5d448650dd5bd70f5fd72f78febfc2fac57c88ebe2d14bd8575b6dd8d0
- SSDEEP
  
  24576:U2G/nvxW3Ww0tOLz3NbQYwkadPFxcJqGhH3:UbA30oz9bQYraJCH3
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral21 behavioral22
- Target
  
  IntelFOUR.txt
- Size
  
  741KB
- MD5
  
  6a845ba103296108ad6414a3c9217718
- SHA1
  
  f3a9926564a7eaa68bf1623ebe2f6ab21727a817
- SHA256
  
  6d915396aa09593693247c54c4a91feea691dc6e5f4ff234791a6193d2b5ac1b
- SHA512
  
  e538f72665e4dd956457dc0f526ad0b610e09a203f5f00943dda1793b8ef32a68d32a58ec241053cee8376ddf5fa14b473d2f7d1fc62e72f2071def5b873e893
- SSDEEP
  
  12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbDE8/hma/27kMlVjHfKQxtz1oV7svLThNKRC2M:U2G/nvxW3Ww0tDEc+7kMuQx11oVKhNK8
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral23 behavioral24
- Target
  
  IntelONE.txt
- Size
  
  646KB
- MD5
  
  8e2288bfb74d2422ff22218f8210fd22
- SHA1
  
  c410f0f02896223cc74ca1262b955bb862cf2274
- SHA256
  
  5cbafb76c6a0e930414647523ffb4abe9d9ab7f41270ddf4c4ef5d9fd1f39346
- SHA512
  
  4b98bd5d727d127815a2f515388a9391e7240113c68eac95b39780b27d30e12a8c2d918537e612bb2e905404859284a54ea35bcf4ae5cc349529dafa3b5f01f7
- SSDEEP
  
  12288:aRZ+IoG/n9IQxW3OBsee2X+t4RblkFZpTXbHVEivmHQVOfGYXbs2F:U2G/nvxW3Ww0tlkPprb1EifAvgm
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral25 behavioral26
- Target
  
  IntelTHREE.txt
- Size
  
  642KB
- MD5
  
  53f6085a88b29018218521fc53bfe959
- SHA1
  
  12431511010c77e08129ed808e507c5c761ab8b1
- SHA256
  
  7416875c44dab7adebe7e6809228adabe17c38abae4bf9c6d49c72fd967621e4
- SHA512
  
  b382297f90b596553f25f1b09c1630d124e3dec3f78c6721a1a1d35a57132d70bb719f428635f9e7c8cfe42660ef7975b4576f89783b45a631cf2ec2487efd59
- SSDEEP
  
  12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbU82JP/ZvTelU1Xsbt/Y33/jLRp8c:U2G/nvxW3Ww0tUlRTCQWt/A/jLDp
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral27 behavioral28
- Target
  
  IntelTWO.txt
- Size
  
  603KB
- MD5
  
  d2054b1b66e0d190be9eb250fada79fa
- SHA1
  
  4828278c03885c1de97d601ddd2ee5a6267e73e2
- SHA256
  
  91b886840c7f674d17b48e5d2264228a55fe0f28e32e102c84dad5cca49ed807
- SHA512
  
  e1722f7b72b80e4a8a502c9b6678878757110226ca03083282604d70afa2c000fd87c91e59d40033f287ca58b734fca5760094ee69780ff7045b86f521f25c73
- SSDEEP
  
  12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbJchE4GyRgh3uxBBtIanFi4DqC:U2G/nvxW3Ww0tJapnTBtIaFSC
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral29 behavioral30
- Target
  
  Lucky_Fixed.exe
- Size
  
  267KB
- MD5
  
  c481259ad199b773339f168902cc7437
- SHA1
  
  4c9a81f2a9167f953109eddbd141ea8d078d13e9
- SHA256
  
  1da5a6aac7197d1fcadef018775831885b715d5c37a3115777dc5c717ce6e0da
- SHA512
  
  5bc8965e9aa550f3e37b312f3d4a6854b0002f42b5a111087a754e3ed7cdcf957b40f6bebc389b405317b46eeaed88132545732daac74723945591ae38cdcabf
- SSDEEP
  
  6144:SKZ99xDMMlG36rxMMlNu76Y996uSMH9Z6kMrlNfoMSMlG36rxMMlSHoSf6kYMH6/:SKZ99xDMMlG36rxMMlNu76Y996uSMH9s
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

RedLine

RedLine payload

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing credit card regular expressions

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

RedLine

RedLine payload

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing credit card regular expressions

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Fickerstealer

Looks up external IP address via web service

Suspicious use of SetThreadContext

Panda Stealer payload

PandaStealer

Shurk

Shurk Stealer payload

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Checks computer location settings

Reads user/profile data of web browsers

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Raccoon

Raccoon Stealer V1 payload

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing many email and collaboration clients. Observed in information stealers

UPX dump on OEP (original entry point)

Detects executables containing URLs to raw contents of a Github gist

Detects file containing reversed ASEP Autorun registry keys

Drops startup file

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Checks computer location settings

Checks computer location settings

Checks computer location settings

Checks computer location settings

Checks computer location settings

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19