Resubmissions
07-09-2024 11:17
240907-ndvx2s1gra 1007-09-2024 10:21
240907-mdzqkayhpb 1007-09-2024 10:21
240907-mdq4esyfnl 1005-09-2024 22:04
240905-1y2bsa1clp 1005-09-2024 21:37
240905-1gl6ja1bjb 1016-08-2024 00:38
240816-azcrpsvdqe 1016-08-2024 00:13
240816-ah5fdsyapm 1016-08-2024 00:04
240816-ac4a5sxglk 1015-08-2024 01:57
240815-cc95ssydlb 10General
-
Target
Downloaders.zip
-
Size
12KB
-
Sample
240816-azcrpsvdqe
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
Password: )NYyffR0 1 - Email To:
[email protected]
Extracted
asyncrat
0.5.7B
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:1604
127.0.0.1:22253
eu-central-7075.packetriot.net:6606
eu-central-7075.packetriot.net:7707
eu-central-7075.packetriot.net:8808
eu-central-7075.packetriot.net:1604
eu-central-7075.packetriot.net:22253
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
svchost.exe
-
install_folder
%AppData%
Extracted
redline
185.215.113.9:12617
Targets
-
-
Target
Downloaders.zip
-
Size
12KB
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Xworm Payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Async RAT payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3