Extracted

Extracted

• • Target

    59d3bc9ca446bf4fcce3a93cdbce134a.exe

  • Size

    322KB

  • MD5

    59d3bc9ca446bf4fcce3a93cdbce134a

  • SHA1

    37120e1b71956b5f3852605db0f33f4565a3952d

  • SHA256

    1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db

  • SHA512

    d23ddc6d55d8bf237e68d946f1a330a14907ea2b891ccea0890f63ee0f47f746b6e1d9d2151da1744b36d14b06b428fe308ffd97ae44732f3491682610950b63

  • SSDEEP

    6144:3RptkRZIFoIkY/7J81GyQUMTa5+suXqWxHNDf1CPyysAosQSPJHdlLTpn:jHoIfjJ80Rl86xHTCPvsASQJHd

  Score

  10^/10

  asyncratdiscoveryevasionexecutionratredlinesectopratserver.underground-cheat.xyzdefense_evasioninfostealertrojan

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Modifies security service

    evasion

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Async RAT payload

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Loads dropped DLL

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2