Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
30-07-2024 16:15
General
-
Target
4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
-
Size
322KB
-
MD5
61c5a8e414a47b8cc2c69e1ac4370a35
-
SHA1
d6d66b31e7ebe3bd032a33fbe35fed2720fae964
-
SHA256
4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b
-
SHA512
b1d732a280ea6f9e0eca5802016292e9c373a6e6d2c48404bbe00eb67a791427945ec3d1998ffdd8bda603adb9ee6c9312cf2976ed3567ab0a2c7f8494079c92
-
SSDEEP
6144:l5B8DY9c80tk5koaMrtonT8nzkwHgDKFaz4cHgo2TW:rB8DY9yYhaODRgDKiHgo2a
Malware Config
Extracted
redline
diamotrix
176.111.174.140:1912
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
0.5.8
Default
176.111.174.140:6606
176.111.174.140:7707
176.111.174.140:8808
PWhSiRkcxVoa
-
delay
3
-
install
true
-
install_file
svchost.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Async RAT payload 2 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 5 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe"C:\Users\Admin\AppData\Local\Temp\4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{2864474C38203701991499}\{2864474C38203701991499}.exe" /sc onstart /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\relog.exeC:\Windows\system32\relog.exe3⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "eLsJA2Rzfc" /tr "C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe" /sc onstart /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "eLsJA2Rzfc" /tr "C:\Users\Admin\AppData\Roaming\Identities\Service_Identities.exe" /sc onstart /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "eLsJA2Rzfc" /tr "C:\Users\Admin\AppData\Roaming\Macromedia\Service_Macromedia.exe" /sc onstart /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "eLsJA2Rzfc" /tr "C:\Users\Admin\AppData\Roaming\Media Center Programs\Service_Media Center Programs.exe" /sc onstart /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "eLsJA2Rzfc" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Service_Microsoft.exe" /sc onstart /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "eLsJA2Rzfc" /tr "C:\Users\Admin\AppData\Roaming\Mozilla\Service_Mozilla.exe" /sc onstart /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "eLsJA2Rzfc" /tr "C:\Users\Admin\AppData\Roaming\{2864474C38203701991499}\Service_{2864474C38203701991499}.exe" /sc onstart /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6519.tmp.uIZtAux.exe"C:\Users\Admin\AppData\Local\Temp\6519.tmp.uIZtAux.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\6836.tmp.svchost.exe"C:\Users\Admin\AppData\Local\Temp\6836.tmp.svchost.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /xml "C:\Users\Admin\AppData\Roaming\WinZIP_32\version.xml" /tn WPDR\Config_Error\Version /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\7985.tmp.zbi.exe"C:\Users\Admin\AppData\Local\Temp\7985.tmp.zbi.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\2407.tmp.sahyu.exe"C:\Users\Admin\AppData\Local\Temp\2407.tmp.sahyu.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\onefile_3056_133668297989820000\test.exe"C:\Users\Admin\AppData\Local\Temp\2407.tmp.sahyu.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\3354.tmp.PwHnaA.exe"C:\Users\Admin\AppData\Local\Temp\3354.tmp.PwHnaA.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5843.tmp.PPGcgnyW.exe"C:\Users\Admin\AppData\Local\Temp\5843.tmp.PPGcgnyW.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6893.tmp.bat""3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {D266EBA8-F8A4-4ED0-9BDB-F66802B36212} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exeC:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exeC:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exeC:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
175KB
MD519f436930646f3e8f283fa71f2a4cbcb
SHA199397666d23ddde6078496ee73bde00ae9403393
SHA25640e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff
SHA512addba9ff5bd334ddfec06f87d2c69c06028b82d0aab732f73ef35e84f46d889f48ab6823371a9b9f415e2758e62270866682b833bca7406354802e0157314e0d
-
Filesize
47KB
MD5670d1014ec5713d005f8ddfefc495a9e
SHA191362eaf33dc55e4d970fbefbda975be32628d6b
SHA25670c6d555938fdc95c03f98a7a3a37b607d1dce623663479082c5b9514caa04fd
SHA512175827b48f35899e89fcbdacd2e98b378b92abc8e7a1c225441f57a46d02fea838104e3d6480a137f401c72e2d7979ff3db7a74d5c52e84a0733246f0fa5384f
-
Filesize
300KB
MD58d14c4ba7260c61ecde30d97fd3c124a
SHA1f60a7243a5160ff0dd60c37e1de43b81cead3549
SHA2566985ec7f67fabd26633c991be04ce5f899224a56bb078ba186b4be21f9e4714d
SHA512b068decea7ec68d2b4347493d9e4b8cc4fb0c3c5f5ecc2a52be6eb35d28e75d3de1636efe0b67cce825e8d08d3fb82d137b1d6eb1225662fb8c3dff9616dcc4c
-
Filesize
321KB
MD56ddd28445b8fc2485cb72f22d1adc936
SHA1403c02d952120aafc6fb659a0ce0b99b1384442c
SHA256d73a9c06d72b25fc9cc1d3883ba52ba949c91297d20f8cff37481d9b442a7ef7
SHA5129abc68fab4c2a37f6cf07e2d1d7baccf26da411969b6dca4508776b9f57e3ed228dbc1a50e6dc4784791bdb86423d1f20c0f4d118c20d23951906a14ebd4682b
-
Filesize
5.2MB
MD50534ab10184891cd61d262bfd79b7b4c
SHA1a13d37959a92bc37f4d3c42eb53d77cc760f448a
SHA256191272e200345dcb0a7a8c8c975a8b07847f07b9d9f0c3af472fdb88092aee0b
SHA512381af090cc87f2f2b8583c28a164f8f2e978c2bdffe3161d37fa30e38c5e026b90ae5f45dd13f9ded8ee207e4694abf2a58256deb8986ec11d802b7578f6be9d
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
4.2MB
MD5384349987b60775d6fc3a6d202c3e1bd
SHA1701cb80c55f859ad4a31c53aa744a00d61e467e5
SHA256f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8
SHA5126bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5
-
Filesize
151B
MD564a5b41881b62d758d0eef7169ef65cf
SHA1b3ce0a9f1fcdcf3fa2791260f80a1a5544e861cb
SHA256bdd04d5db45da91e17f60fb561c30dbc55bec0f33ec5a34098bf4886402dc279
SHA512ce6aec283c05befab339a1d7c694467aafc2662509c1b62d378798ba8ee255d95445f33f729976303b58531ae3758a158f35e313262bfc98f6f6529abaa87121
-
Filesize
322KB
MD561c5a8e414a47b8cc2c69e1ac4370a35
SHA1d6d66b31e7ebe3bd032a33fbe35fed2720fae964
SHA2564da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b
SHA512b1d732a280ea6f9e0eca5802016292e9c373a6e6d2c48404bbe00eb67a791427945ec3d1998ffdd8bda603adb9ee6c9312cf2976ed3567ab0a2c7f8494079c92
-
Filesize
1KB
MD52b29aa25ee90747f05e920706e4dfc4f
SHA12ec04aa0574178e5b5245362fdb5b1cfbf4ec637
SHA25693e469a8135addc4822f19a7afb7d02baea8242626188ce3e2b039862fc67511
SHA5122a3f6bda5c957eed82b5fdf39bb33d109c68e39a1e096c944bfe725f027757efa87bc44ea037f9baf47426d0335a12639ff67c626aec3fc1c5c430b2efbf44fb
-
Filesize
1KB
MD5ee9d791fd900430e4d594e5bde5c096a
SHA125dd0ac5926d1d02bf4c9fe60d5aff6b602c9b7d
SHA25674c6900b084deaf2ac76ee2113cfe73509e751c588707395fa2731e9bc154ccd
SHA512cd1c18139594002e96c7094ff731812d9afb45fb34735731fb65eaecbd7918c2379fa52b8eea551ac9c51589827619f898a9a0ac95ee1ad8c0e94b589403efeb
-
Filesize
14.0MB
MD5c04a91e68f4d54aac6959c0f8bfa38b7
SHA150578031ed4a270b3e51a1a99d121c0a47546386
SHA256fd8aed52f0a913f9d59e2f1116da4ce8c8d35d95e631b11972aba80933160923
SHA512133ca344372a8634e5bc4a87851dfe6c8d0ae1cac38d59b6004cec4a29a65973b9b65d0ab4d5dc7ce899672a5361f57e8ecf566b1a1f87f34050dcb97083b3fb
-
Filesize
30.6MB
MD5140c6fc5931bec7542b3dc0b08486c4c
SHA111005a2f4afea3913b027940df459a8cca86f8df
SHA256c5fddb56fcb37d5e29a857a5ff53a584a982ae3a5aff1fc670408b202ab1bb37
SHA512be47ea2464a189e6faa64d54daf59d546907ccea778a735eae3118105942e3d67a3d96e8f27d68d28c56d99078839dec139ace95153bab060ee7654a15863a6a
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
328KB
-
Filesize
88KB
-
Filesize
348KB
-
Filesize
268KB
-
Filesize
88KB
-
Filesize
268KB
-
Filesize
72KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
72KB
-
Filesize
392KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
344KB