General
-
Target
4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b
-
Size
322KB
-
Sample
240729-g4ekes1apf
-
MD5
61c5a8e414a47b8cc2c69e1ac4370a35
-
SHA1
d6d66b31e7ebe3bd032a33fbe35fed2720fae964
-
SHA256
4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b
-
SHA512
b1d732a280ea6f9e0eca5802016292e9c373a6e6d2c48404bbe00eb67a791427945ec3d1998ffdd8bda603adb9ee6c9312cf2976ed3567ab0a2c7f8494079c92
-
SSDEEP
6144:l5B8DY9c80tk5koaMrtonT8nzkwHgDKFaz4cHgo2TW:rB8DY9yYhaODRgDKiHgo2a
Malware Config
Extracted
redline
diamotrix
176.111.174.140:1912
Extracted
asyncrat
0.5.8
Default
176.111.174.140:6606
176.111.174.140:7707
176.111.174.140:8808
PWhSiRkcxVoa
-
delay
3
-
install
true
-
install_file
svchost.exe
-
install_folder
%AppData%
Targets
-
-
Target
4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b
-
Size
322KB
-
MD5
61c5a8e414a47b8cc2c69e1ac4370a35
-
SHA1
d6d66b31e7ebe3bd032a33fbe35fed2720fae964
-
SHA256
4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b
-
SHA512
b1d732a280ea6f9e0eca5802016292e9c373a6e6d2c48404bbe00eb67a791427945ec3d1998ffdd8bda603adb9ee6c9312cf2976ed3567ab0a2c7f8494079c92
-
SSDEEP
6144:l5B8DY9c80tk5koaMrtonT8nzkwHgDKFaz4cHgo2TW:rB8DY9yYhaODRgDKiHgo2a
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Async RAT payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3