General

  • Target

    CryptoFactory.exe

  • Size

    6.0MB

  • Sample

    240810-vdsk9ayckk

  • MD5

    606d9403c952670ed0566c1d1bce5dc8

  • SHA1

    179b8c773a470d6e273808e8b25482810e90efcd

  • SHA256

    dffa9b80560b0d59cfce787ef033857edc141646a1496b0cf50a00b1a5b03078

  • SHA512

    ecbe8bf0eda38d1cb1cdecf03be58edb1f34b7cb3a17d60d98cabbc7b55429a1b3a69fbca380388f8e8f9de82620047c423464df8190dcc2211f795170c36299

  • SSDEEP

    98304:H1GZtGOYln80EisK9yJND14r0Uhmkl1qa1Egu2Wh/X9Tm0OXcPwQESF/IKc6:+FqnPEZZzeJmkl1qHd2i/9TjElH8QKc

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808

Mutex

QaF6X2cpj8fc

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

diamotrix

C2

176.111.174.140:1912

Extracted

Path

C:\HdbtqCuyh.README.txt

Ransom Note
[Your Files Have Been Encrypted]

Hello, Your files have been encrypted with strong encryption algorithms. To regain access to your data, you need to follow the instructions below:

Do Not Attempt to Recover Your Files: Any attempt to recover your files using third-party tools will result in permanent data loss.

Pay the Ransom: You must pay a ransom of 1 Bitcoin to receive the decryption key. Payment must be made within 72 hours to avoid data loss.

Contact Us on Telegram: To get the payment details and further instructions, contact us via Telegram at @BIBIL_0DAY.

Decryption Key: After payment is confirmed, we will send you the decryption key and instructions on how to unlock your files.

Warning: If you do not contact us or pay within the given timeframe, your data will be permanently lost. Do not attempt to contact us via any other means. We will not respond. Your encrypted files are your responsibility.

Telegram Username: @BIBIL_0DAY
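Hunting for the extracted indicators in host telemetry, as an added example that is not part of the sandbox report. It takes the values the report extracted above (the C2 endpoints of both families, the install_file/install_folder pair, and the ransom-note path) and matches them against Sysmon-style events. The event lines are constructed for illustration, and the field names (Image, DestinationIp, TargetFilename, TargetObject, Details) follow Sysmon's own event schema. The svchost.exe check generalizes the report's %AppData% location: the real binary only runs from System32 or SysWOW64, so any svchost.exe elsewhere is treated as masquerading. The mutex is not visible in Sysmon and is left for a handle scan.

```python
"""Match this sample's extracted IOCs against Sysmon-style events.

Added example; not code from the sandbox or from the malware authors.
IOC values come from the report's Malware Config section; the log lines
below are constructed, not captured from a real host.
"""
import json
import re
from typing import Dict, List

# C2 endpoints as extracted (AsyncRAT on 6606/7707/8808, RedLine on 1912).
C2_ENDPOINTS = {
    ("176.111.174.140", 6606),
    ("176.111.174.140", 7707),
    ("176.111.174.140", 8808),
    ("176.111.174.140", 1912),
}
ASYNCRAT_MUTEX = "QaF6X2cpj8fc"          # needs a handle scan, not Sysmon
INSTALL_FILE = "svchost.exe"             # install_file from the config
RANSOM_NOTE = r"C:\HdbtqCuyh.README.txt" # dropped note path from the report

# The only directories a genuine svchost.exe runs from.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_masquerading_svchost(path: str) -> bool:
    """True when a file named svchost.exe sits outside the Windows system dirs."""
    p = path.lower()
    if not p.endswith("\\" + INSTALL_FILE):
        return False
    return not any(p.startswith(d + "\\") for d in LEGIT_SVCHOST_DIRS)


def check_event(ev: Dict) -> List[str]:
    """Return indicator labels matched by one Sysmon-style event dict."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 3:  # NetworkConnect
        key = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
        if key in C2_ENDPOINTS:
            hits.append("c2:%s:%d" % key)
    elif eid == 1:  # ProcessCreate
        if is_masquerading_svchost(ev.get("Image", "")):
            hits.append("masquerade:svchost_outside_system32")
    elif eid == 11:  # FileCreate
        target = ev.get("TargetFilename", "")
        if target.lower() == RANSOM_NOTE.lower():
            hits.append("ransom_note")
        if is_masquerading_svchost(target):
            hits.append("dropped:svchost_in_user_dir")
    elif eid == 13:  # RegistryEvent (value set)
        if re.search(r"\\currentversion\\run\\", ev.get("TargetObject", ""), re.I) \
                and is_masquerading_svchost(ev.get("Details", "")):
            hits.append("persistence:run_key_to_svchost_copy")
    return hits


def scan(lines: List[str]) -> List[str]:
    """Parse JSON event lines and return every indicator hit, in log order."""
    hits: List[str] = []
    for line in lines:
        hits.extend(check_event(json.loads(line)))
    return hits


# Constructed events (one JSON object per line); not real telemetry.
SAMPLE_LOG = [
    r'{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", '
    r'"DestinationIp": "176.111.174.140", "DestinationPort": 6606}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe"}',
    r'{"EventID": 11, "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"}',
    r'{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost", '
    r'"Details": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"}',
    r'{"EventID": 11, "TargetFilename": "C:\\HdbtqCuyh.README.txt"}',
    r'{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", '
    r'"DestinationIp": "176.111.174.140", "DestinationPort": 443}',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The legitimate System32 svchost.exe process and the connection to port 443 on the same IP produce no hit; only the four behaviours the report lists (C2 callback, dropped copy in the user profile, Run-key persistence pointing at it, ransom note) are flagged. Port 443 on the C2 host is deliberately not matched so that the example stays tied to the ports the sandbox actually observed; widen the check to the bare IP if you want to catch reconfigured builds.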

Targets

    • Target

      CryptoFactory.exe

    • Size

      6.0MB

    • MD5

      606d9403c952670ed0566c1d1bce5dc8

    • SHA1

      179b8c773a470d6e273808e8b25482810e90efcd

    • SHA256

      dffa9b80560b0d59cfce787ef033857edc141646a1496b0cf50a00b1a5b03078

    • SHA512

      ecbe8bf0eda38d1cb1cdecf03be58edb1f34b7cb3a17d60d98cabbc7b55429a1b3a69fbca380388f8e8f9de82620047c423464df8190dcc2211f795170c36299

    • SSDEEP

      98304:H1GZtGOYln80EisK9yJND14r0Uhmkl1qa1Egu2Wh/X9Tm0OXcPwQESF/IKc6:+FqnPEZZzeJmkl1qHd2i/9TjElH8QKc

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Async RAT payload

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Adds Run key to start application

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks