asyncrat

General

Target

0ede6bf3fdba01fcacd0d577b820207d.exe
Size

14.5MB
Sample

240729-c3kmtstajb
MD5

0ede6bf3fdba01fcacd0d577b820207d
SHA1

7c609e7552600c33e3db0a691ec28700fd42a497
SHA256

27c6f92ce148b9ea03ca564c57474665b02a1f2e266f0175a548de7a90fd08bf
SHA512

f01dfdf05de8bf1b0ab0f74996d4807448359eb1a38c41d52e4b8de61882e9341a7f9c27c7d8cefdd94e7e0360cebab9451b1109471fe40c03002120aeb4b983
SSDEEP

393216:CXMxStQvFIeTiQvMipcK5x00D1lR/ggb/Dt:IXU1TzvMInx0QV/D

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

diamotrix

C2

176.111.174.140:1912

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808

Mutex

PWhSiRkcxVoa

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  0ede6bf3fdba01fcacd0d577b820207d.exe
- Size
  
  14.5MB
- MD5
  
  0ede6bf3fdba01fcacd0d577b820207d
- SHA1
  
  7c609e7552600c33e3db0a691ec28700fd42a497
- SHA256
  
  27c6f92ce148b9ea03ca564c57474665b02a1f2e266f0175a548de7a90fd08bf
- SHA512
  
  f01dfdf05de8bf1b0ab0f74996d4807448359eb1a38c41d52e4b8de61882e9341a7f9c27c7d8cefdd94e7e0360cebab9451b1109471fe40c03002120aeb4b983
- SSDEEP
  
  393216:CXMxStQvFIeTiQvMipcK5x00D1lR/ggb/Dt:IXU1TzvMInx0QV/D
Score

10^/10

asyncrat redline default diamotrix credential_access discovery execution infostealer persistence pyinstaller rat spyware stealer upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Async RAT payload
  rat
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2