asyncrat

Resubmissions

31-07-2024 14:08

240731-rfw5ns1hrb 10

31-07-2024 12:58

240731-p7lrxathnp 10

Sharing

Copy URL

Twitter E-mail

General

Target

Netflix Valid Email Checker.zip
Size

1.8MB
Sample

240731-rfw5ns1hrb
MD5

a8ff2fc3b3d8cb158ef4b3e62f252055
SHA1

bce1e7bf0dab25dea26ae8170fb1f43436061bea
SHA256

5cf1dd4e1137cbdf404266cf62fae5fd1eb59d07afa69a7bfb02c2243fa5ddfc
SHA512

1abc984113f63e51db7c87ce54ef7863523bf22ef549ac23f02183e1970a1ffcac50f8aecaf96b8e8d259e28c8302f662dd1f7812c5efcb5496ec0395a5594b2
SSDEEP

24576:XbCNr5L9wdMm67zifwBtIuoJosWeh0PLi2+F5Byd9I2Ufo2134n5E/CqHx8VdLtL:Xy5qMzzNBdoNhYr+HMbI2Mo216y98Tx

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

diamotrix

176.111.174.140:1912

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808

Mutex

PWhSiRkcxVoa

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Extreme.Net.dll
- Size
  
  121KB
- MD5
  
  f79f0e3a0361cac000e2d3553753cd68
- SHA1
  
  4314bcef76fddc9379a8f3a266b37d685d0adb79
- SHA256
  
  8a6518ab7419fbec3ac9875baa3afb410ad1398c7aa622a09cd9084ec6cadfcd
- SHA512
  
  c77516e7f5540ecd13fa5d8cecfce34629acecd9b5a445f5f48902c9e823328fa9a6694ecaa39f5b6053de61c2b850c2d87df25357548afaad6ec37eb3e5e355
- SSDEEP
  
  3072:bdoECIgjBibgp2tBqL0Y++ruXqMG4ih3lbpMqc:bdoECIgUrG
Score

1^/10
behavioral1 behavioral2
- Target
  
  MetroFramework.Design.dll
- Size
  
  16KB
- MD5
  
  c853e9e8c720249198ff376f42328ef9
- SHA1
  
  a56ee195148023571e26ffeaa5a736bc73a76c40
- SHA256
  
  28089707733c92c7fade97e7b6fab4007e7b8bfd6dc7a8526a3ea597f1a30845
- SHA512
  
  d21cf5cfe0a5e2f7d4c128e64e0decee28028297c804319fb957b1f0e60d62e3103976b95abc3d2bd5ba66801cb5fe9bef4bae067273079177be28c73132c739
- SSDEEP
  
  384:k1q4fJwcRJTxK0JLBamLGqPkO9V1VFf5L7W1OYKjbq9w:6q4hwcRBJLBamSqPkO9V1ViGq9
Score

1^/10
behavioral3 behavioral4
- Target
  
  MetroFramework.Fonts.dll
- Size
  
  656KB
- MD5
  
  b8c8a532438c4b421081efb258355469
- SHA1
  
  41aa88d5eaf398da55f712f30226b70492125be1
- SHA256
  
  15a605129cac3663ba1ddb98f5798334fba5e7954ee36a69727299b4e366c2eb
- SHA512
  
  511070c8cfe018e60e11d495393152e10aa2aa0c08cde84678ef3a0efd63ae5c562a47bfab883f4babd469b1873127bacc9c986cb2bc096985176f1dbf93b1fc
- SSDEEP
  
  12288:5+/9JcJlYqCNktA+SXfGpq2fHowSqCNktA+SXfvJR9FrIJJaqCNktA+SXfUC:5+/3qlrCNoh+UqgIwhCNoh+JR9FrIJJw
Score

1^/10
behavioral5 behavioral6
- Target
  
  MetroFramework.dll
- Size
  
  313KB
- MD5
  
  b20f1b5e3d4e3df2d826e9870637cd06
- SHA1
  
  a03bb47afdf9498be409ed5b56e945f6e143fb32
- SHA256
  
  9e58f13deb328455f216f165588b5f5111ecd12042d7dd196686dfb0f0fc68eb
- SHA512
  
  095c5956ebc114c4b380d2b43981bcabd221782530328a51cb2c6aec05a016dad2e5efae36810f6840611f77f589be1e1e7f2200738df3bca222381837033b2d
- SSDEEP
  
  6144:Ys+J/PxfbpAQ1bZHE7Zhm6uOw0g749O2:qJ/PxzpAObhV6uO99O
Score

1^/10
behavioral7 behavioral8
- Target
  
  MetroSuite 2.0.dll
- Size
  
  305KB
- MD5
  
  0d30a398cec0ff006b6ea2b52d11e744
- SHA1
  
  4ceebd9c6180a321c4d4f3cfb5cfc3952bf72b45
- SHA256
  
  8604bf2a1fe2e94dc1ea1fbd0cf54e77303493b93994df48479dc683580aa654
- SHA512
  
  8e06ff131a81e73b1ff5de78262701a11ecc2bcdaf41011f4e96f11c5372742478e70b6a0901b61953c21c95725532af8d785654405ec5066ad157e2143467cc
- SSDEEP
  
  3072:K6J2UBugOAI+yjNDWswy1MNo1EvnvkgvloSVQBjDifX0pPSRZ9KZdf8uvqtXfZBF:K6Jr8xhFzfOaa3xqQnQGTO
Score

1^/10
behavioral10 behavioral9
- Target
  
  Netflix Valid Email Checker by X-Splinter v2.exe
- Size
  
  976KB
- MD5
  
  1a4da925d3cfef0f8040ad9858133181
- SHA1
  
  e912d052c7d778eef4a3ab320d8c9e8d905147be
- SHA256
  
  ee5db783f4fcaa53ca4babb8ddb6c143bf34307af0e1f7be9912494c5d071aae
- SHA512
  
  e1ec260669e3f89a9479245dacce1b5b7550ddca437572d69516335575543d138924adffec4202e147347f5cc8fb0c365de83383df5fb740dbe32b8f21eb8a54
- SSDEEP
  
  12288:BiUE6zr+B8DY9yYhaODRgDKqHgo2aqNUazcKhhhhTGyRYpYqh:AUEyavaOWuqAxa+vYl
Score

10^/10

asyncrat redline default diamotrix credential_access discovery infostealer persistence pyinstaller rat spyware stealer upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Async RAT payload
  rat
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral11 behavioral12