asyncrat | 81231fab326d0cd2296cc953551d07c82397af3933b18069b54d4943ac8b71bc

General

Target

builder/RedlineBuilder.exe
Size

488KB
MD5

2281dc010aa4af33e4ccfbce434f1435
SHA1

fe15a3ffd6d2341662857ea573f0bde630c20742
SHA256

7e649134ad5f4a718ec7123ec3da26b54c0db2d611c97884d7f181b6a0144438
SHA512

26bb703e5b0ed50eb28675ad72cf46903f2fb904bd424604304187ce34a71529fb2b7fa9d010b0bd6215a8a9fae9af3680816631b13682799fd35249a4733e94
SSDEEP

12288:7IvU+wMi5kp6I7wxqZvo7aTuncDhgBoy48:7I8G177iaSqkR

Score

10^/10

asyncrat redline stormkitty default infostealer persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7290956576:AAEqdtE6cg2Gkoyn1hXNmqRl7-0FVD2J6bE/sendMessage?chat_id=6569055789

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000002a9e7-15.dat	family_redline
behavioral2/memory/4556-24-0x0000000000B10000-0x0000000000B64000-memory.dmp	family_redline

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000028cde-4.dat	family_stormkitty
behavioral2/memory/1048-23-0x0000000000040000-0x0000000000072000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000a000000028cde-4.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
1048	Server.exe
4556	RedlineBuilder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	Server.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4676	4556	WerFault.exe	79

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Server.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	Server.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1048	448	RedlineBuilder.exe	78
PID 448 wrote to memory of 1048	448	RedlineBuilder.exe	78
PID 448 wrote to memory of 1048	448	RedlineBuilder.exe	78
PID 448 wrote to memory of 4556	448	RedlineBuilder.exe	79
PID 448 wrote to memory of 4556	448	RedlineBuilder.exe	79
PID 448 wrote to memory of 4556	448	RedlineBuilder.exe	79
PID 1048 wrote to memory of 1356	1048	Server.exe	85
PID 1048 wrote to memory of 1356	1048	Server.exe	85
PID 1048 wrote to memory of 1356	1048	Server.exe	85
PID 1356 wrote to memory of 244	1356	cmd.exe	87
PID 1356 wrote to memory of 244	1356	cmd.exe	87
PID 1356 wrote to memory of 244	1356	cmd.exe	87
PID 1356 wrote to memory of 1192	1356	cmd.exe	88
PID 1356 wrote to memory of 1192	1356	cmd.exe	88
PID 1356 wrote to memory of 1192	1356	cmd.exe	88
PID 1356 wrote to memory of 760	1356	cmd.exe	89
PID 1356 wrote to memory of 760	1356	cmd.exe	89
PID 1356 wrote to memory of 760	1356	cmd.exe	89
PID 1048 wrote to memory of 2360	1048	Server.exe	90
PID 1048 wrote to memory of 2360	1048	Server.exe	90
PID 1048 wrote to memory of 2360	1048	Server.exe	90
PID 2360 wrote to memory of 2280	2360	cmd.exe	92
PID 2360 wrote to memory of 2280	2360	cmd.exe	92
PID 2360 wrote to memory of 2280	2360	cmd.exe	92
PID 2360 wrote to memory of 2436	2360	cmd.exe	93
PID 2360 wrote to memory of 2436	2360	cmd.exe	93
PID 2360 wrote to memory of 2436	2360	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\builder\RedlineBuilder.exe
"C:\Users\Admin\AppData\Local\Temp\builder\RedlineBuilder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:244
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1192
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:760
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2436
- C:\Users\Admin\AppData\Local\Temp\RedlineBuilder.exe
  "C:\Users\Admin\AppData\Local\Temp\RedlineBuilder.exe"
  2⤵
  - Executes dropped EXE
  PID:4556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 892
    3⤵
    - Program crash
    PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4556 -ip 4556
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\860ec41999678dbb4640d20d917c2e80\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\RedlineBuilder.exe

Filesize
308KB

MD5
128cbb0f113189a8af347f14cb223357

SHA1
7472ff8bcf4b6ab90e30ec0352f0ecb44c655cf7

SHA256
a392dc6ad27dbc999aef5db8efaa63a65e570ca3bff7a79c5053ce7b7ba41a0e

SHA512
1bddf607e1e8ef32d39e16fcb9d9d87573f61ceee9a898c287ad236beaea818b223a28196395145a7b3eca5883e5da5b3a3dc0273fd66d64e103c24739868b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
175KB

MD5
a10cc05978289eb72c91f571adbd4351

SHA1
473fdf9c0738acc630903ca60280beef9ac88932

SHA256
a794873c8b6f3951d1b7376732b37e89ab384fd4c9b33ee35fa7579815bd8095

SHA512
9de9da9b7db02a9f3eb40f380063ccef24026a3331218a4a661222500ec6404bbe98ec336af3c06ba571d725ee3f815db115efb7cee8ec395bcfe0b97014c9f3

Download Submit
C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\dd62923de7da06aa2ea0d147a2242765\Admin@IMKBEUOX_en-US\System\Process.txt

Filesize
4KB

MD5
dd590eaeeee289d7bd237dd684af784b

SHA1
1f8ff346f43491a724ee6870747ebe5586b3f93d

SHA256
7c335f5ddd29d6d5d37f86eaae448645e7ba4d54b4132bdd58ece2c8f1596221

SHA512
0ad30373f63246e9588c8ffce7def1eceef9ca54337616507d052b772ffa6642c0c8f8bd969394ae17cde67574de263489862179fcfd5cc229a5bf77ff546ad3

Download Submit
memory/1048-28-0x00000000049A0000-0x0000000004A06000-memory.dmp

Filesize
408KB

Download
memory/1048-167-0x0000000073B20000-0x00000000742D1000-memory.dmp

Filesize
7.7MB

Download
memory/1048-179-0x0000000073B20000-0x00000000742D1000-memory.dmp

Filesize
7.7MB

Download
memory/1048-178-0x0000000073B20000-0x00000000742D1000-memory.dmp

Filesize
7.7MB

Download
memory/1048-23-0x0000000000040000-0x0000000000072000-memory.dmp

Filesize
200KB

Download
memory/1048-177-0x0000000073B2E000-0x0000000073B2F000-memory.dmp

Filesize
4KB

Download
memory/1048-165-0x0000000005420000-0x00000000054B2000-memory.dmp

Filesize
584KB

Download
memory/1048-26-0x0000000073B20000-0x00000000742D1000-memory.dmp

Filesize
7.7MB

Download
memory/1048-166-0x0000000005BA0000-0x0000000006146000-memory.dmp

Filesize
5.6MB

Download
memory/1048-171-0x0000000005640000-0x000000000564A000-memory.dmp

Filesize
40KB

Download
memory/1048-21-0x0000000073B2E000-0x0000000073B2F000-memory.dmp

Filesize
4KB

Download
memory/4556-24-0x0000000000B10000-0x0000000000B64000-memory.dmp

Filesize
336KB

Download
memory/4556-25-0x0000000073B20000-0x00000000742D1000-memory.dmp

Filesize
7.7MB

Download
memory/4556-27-0x0000000073B20000-0x00000000742D1000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads