asyncrat | 333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1

General

Target

333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe
Size

1.5MB
MD5

db361206702d61f0beff5f87508152e5
SHA1

88e52c01ac24fc062221841948700c482090b145
SHA256

333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1
SHA512

3e6d49fbddaf6b005aa087c1345ddd156c43ae0b77f2eed4bc6d120b74ef3157414728066246ba8fa92e715abbb0a8e0704e2bf29fba4249454530ae8de80c74
SSDEEP

24576:Bj8PZOWNKI9g7XEJ859lSYbd0OW5FwBy47rKDBhU6OC2nfLyf7MBTPanM:BEQWlm685KGd0Ogwj7WDk6zOba

Score

10^/10

asyncrat redline tpb-grenn infostealer persistence rat

Malware Config

Extracted

Family

redline

Botnet

TPB-GRENN

C2

amrican-sport-live-stream.cc:4581

Attributes

auth_value
2a11f38d280b0650ef9616b38e3ae877

Extracted

Family

asyncrat

Version

0.5.7B

Mutex

Aakn1515knAakn1515kn

Attributes

c2_url_file
http://update-checker-status.cc/OCB-Async.txt
delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\BREbererbFEcAC\\brwber.EXE\","	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 1 IoCs

pid	Process
4184	Pipppuccxtivwagftpb-grenn - reddomain-obufcastesolution.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4320 set thread context of 1112	4320	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4320	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe
Token: SeDebugPrivilege	1112	InstallUtil.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 4184	4320	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe	79
PID 4320 wrote to memory of 4184	4320	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe	79
PID 4320 wrote to memory of 4184	4320	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe	79
PID 4320 wrote to memory of 1112	4320	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe	80
PID 4320 wrote to memory of 1112	4320	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe	80
PID 4320 wrote to memory of 1112	4320	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe	80
PID 4320 wrote to memory of 1112	4320	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe	80
PID 4320 wrote to memory of 1112	4320	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe	80
PID 4320 wrote to memory of 1112	4320	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe	80
PID 4320 wrote to memory of 1112	4320	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe	80
PID 4320 wrote to memory of 1112	4320	333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe	80

C:\Users\Admin\AppData\Local\Temp\333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe
"C:\Users\Admin\AppData\Local\Temp\333bb61be5eb4be9c261a3f99c144cf7be0cee3c00898c1ac6a6c886469e1ab1.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Local\Temp\Pipppuccxtivwagftpb-grenn - reddomain-obufcastesolution.exe
  "C:\Users\Admin\AppData\Local\Temp\Pipppuccxtivwagftpb-grenn - reddomain-obufcastesolution.exe"
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Pipppuccxtivwagftpb-grenn - reddomain-obufcastesolution.exe

Filesize
334KB

MD5
52566803b9e6dd804a5bcad48515411e

SHA1
67082b151a39245342b2ad6c367f1be283878775

SHA256
5ef7b280de98eaa5bc116f104f95f300780e4859b0440cb12f9c667bbbbd10f6

SHA512
dab2fee7ea114d8b213f8a10f09d9de1b21a6601b8cf09eeb167378c83d4f91d612f21fc6ca80101fa166ad9155c69010d79fe2b671f21dab7fe6bb278254e55

Download Submit
memory/1112-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1112-37-0x0000000074F20000-0x00000000756D1000-memory.dmp

Filesize
7.7MB

Download
memory/1112-34-0x0000000074F20000-0x00000000756D1000-memory.dmp

Filesize
7.7MB

Download
memory/4184-30-0x00000000053D0000-0x000000000540C000-memory.dmp

Filesize
240KB

Download
memory/4184-31-0x0000000005550000-0x000000000559C000-memory.dmp

Filesize
304KB

Download
memory/4184-25-0x0000000074F20000-0x00000000756D1000-memory.dmp

Filesize
7.7MB

Download
memory/4184-28-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4184-27-0x0000000005440000-0x000000000554A000-memory.dmp

Filesize
1.0MB

Download
memory/4184-26-0x0000000005910000-0x0000000005F28000-memory.dmp

Filesize
6.1MB

Download
memory/4184-36-0x0000000074F20000-0x00000000756D1000-memory.dmp

Filesize
7.7MB

Download
memory/4184-21-0x0000000000890000-0x00000000008EA000-memory.dmp

Filesize
360KB

Download
memory/4184-22-0x0000000002D00000-0x0000000002D06000-memory.dmp

Filesize
24KB

Download
memory/4184-23-0x0000000074F20000-0x00000000756D1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-6-0x0000000005DC0000-0x0000000006117000-memory.dmp

Filesize
3.3MB

Download
memory/4320-9-0x000000003BFB0000-0x000000003C556000-memory.dmp

Filesize
5.6MB

Download
memory/4320-8-0x000000003B960000-0x000000003B9F2000-memory.dmp

Filesize
584KB

Download
memory/4320-7-0x000000003B130000-0x000000003B196000-memory.dmp

Filesize
408KB

Download
memory/4320-29-0x0000000006160000-0x00000000061A4000-memory.dmp

Filesize
272KB

Download
memory/4320-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

Filesize
4KB

Download
memory/4320-5-0x0000000005D90000-0x0000000005DB2000-memory.dmp

Filesize
136KB

Download
memory/4320-4-0x0000000005C90000-0x0000000005D22000-memory.dmp

Filesize
584KB

Download
memory/4320-3-0x0000000074F20000-0x00000000756D1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-35-0x0000000074F20000-0x00000000756D1000-memory.dmp

Filesize
7.7MB

Download
memory/4320-2-0x0000000005860000-0x00000000059DC000-memory.dmp

Filesize
1.5MB

Download
memory/4320-1-0x0000000000D40000-0x0000000000EBE000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads