General
-
Target
1082572a44d4c41214a3c38dcd8289f9.exe
-
Size
14.4MB
-
Sample
240706-njt8pszgqd
-
MD5
1082572a44d4c41214a3c38dcd8289f9
-
SHA1
d1e83fbdc0bfaa92334eb043e3f37bbe1104cd68
-
SHA256
9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc
-
SHA512
364bea1a64fa1b0248692ac6239a10f4a38d52a93dcc71502220804061a3c0a2e6d4e0dce45a563e372829998c9cf3a2f44a6c047ec830e9a26eef3510b014d2
-
SSDEEP
393216:iXMxStQvFIeTiQvMipcK5x00D1lR/ggb/Dt:oXU1TzvMInx0QV/D
Static task
static1
Behavioral task
behavioral1
Sample
1082572a44d4c41214a3c38dcd8289f9.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
1082572a44d4c41214a3c38dcd8289f9.exe
Resource
win10v2004-20240704-en
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
0.5.8
Default
94.232.249.204:6606
94.232.249.204:7707
94.232.249.204:8808
qV8NRtqxj5c3
-
delay
3
-
install
true
-
install_file
svchost.exe
-
install_folder
%AppData%
Extracted
asyncrat
5.0.5
Venom Clients
94.232.249.204:6660
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
redline
1
94.232.249.204:1912
Targets
-
-
Target
1082572a44d4c41214a3c38dcd8289f9.exe
-
Size
14.4MB
-
MD5
1082572a44d4c41214a3c38dcd8289f9
-
SHA1
d1e83fbdc0bfaa92334eb043e3f37bbe1104cd68
-
SHA256
9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc
-
SHA512
364bea1a64fa1b0248692ac6239a10f4a38d52a93dcc71502220804061a3c0a2e6d4e0dce45a563e372829998c9cf3a2f44a6c047ec830e9a26eef3510b014d2
-
SSDEEP
393216:iXMxStQvFIeTiQvMipcK5x00D1lR/ggb/Dt:oXU1TzvMInx0QV/D
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
StormKitty payload
-
Async RAT payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1