Resubmissions

07-10-2024 11:33

241007-npcwlstanp 10

07-10-2024 06:29

241007-g8wz9s1bnl 10

General

  • Target

    SecuriteInfo.com.Trojan.Siggen29.42959.20394.9110.exe

  • Size

    589KB

  • Sample

    241007-npcwlstanp

  • MD5

    28a7627d5eb7367ce48656c15dd98188

  • SHA1

    bf74de6c78c4f1b6977af3ec0abe4c49afbf16ee

  • SHA256

    a32eeb768e9e3963b250e4fedc495c0aa442022e2fe7a0f84b89d7812e687e16

  • SHA512

    46bdc7043c3d1821e1f71cf87fcb93fae3cefbe392a060c72c6ac33df2dc353f705fb79e47e20de6e4c7b4684b549d4ef20e83ffd758be8730d176f031c7f3f3

  • SSDEEP

    12288:qAH5qwTvYqtp4VFZgdHgo2anVmndXlMDc3cUAmNOeY632lTSh3soF:qAXxtqmdAxanIdXOS5NOLM

Malware Config

Extracted

Family

redline

Botnet

Diamotrix

C2

176.111.174.140:1912

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808

Mutex

oTA1Qk0GTnww

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Targets

    • Target

      SecuriteInfo.com.Trojan.Siggen29.42959.20394.9110.exe

    • Size

      589KB

    • MD5

      28a7627d5eb7367ce48656c15dd98188

    • SHA1

      bf74de6c78c4f1b6977af3ec0abe4c49afbf16ee

    • SHA256

      a32eeb768e9e3963b250e4fedc495c0aa442022e2fe7a0f84b89d7812e687e16

    • SHA512

      46bdc7043c3d1821e1f71cf87fcb93fae3cefbe392a060c72c6ac33df2dc353f705fb79e47e20de6e4c7b4684b549d4ef20e83ffd758be8730d176f031c7f3f3

    • SSDEEP

      12288:qAH5qwTvYqtp4VFZgdHgo2anVmndXlMDc3cUAmNOeY632lTSh3soF:qAXxtqmdAxanIdXOS5NOLM

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Async RAT payload

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks