General
-
Target
4363463463464363463463463.exe (2).zip
-
Size
4KB
-
Sample
241028-xpkqwsvend
-
MD5
a9ac952214b4aeb154d92b76095c1caa
-
SHA1
72d1325ded97a2b9cf6cdbbc21bc70b09fd27ad1
-
SHA256
8731222107da184b71a7a4e9e1650522b58fb26f72198ad6ec8c965bfdce0774
-
SHA512
1eedc464bab931256eab4d299be18ce95b183cda8667c6a74d0645a174eceef3d94e0165fc6b3a984bfbce7212f5f960079e527c4959a40e3b67121ca56df414
-
SSDEEP
96:ywb5xIqd77Lq3xThhrTeRM68120cUBiIT4ddMm/lF291KRTQ1jqt+oerwvp:TIk+ZXTeG125ObUd2mdF+KZQ1jUEOp
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4363463463464363463463463.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
asyncrat
| Edit 3LOSH RAT
newwwwwwwwwwwwwwwwww
185.16.38.41:2033
185.16.38.41:2034
185.16.38.41:2035
185.16.38.41:2022
185.16.38.41:2023
185.16.38.41:2024
185.16.38.41:20000
185.16.38.41:6666
AsyncMutex_XXXX765643
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
redline
Pizdun
94.142.138.219:20936
-
auth_value
20a1f7fe6575c6613ee7cc5d3025af70
Extracted
asyncrat
0.5.8
Default
ser.nrovn.xyz:6606
ser.nrovn.xyz:7707
ser.nrovn.xyz:8808
nfMlxLKxWkbD
-
delay
3
-
install
true
-
install_file
http.exe
-
install_folder
%AppData%
Extracted
redline
185.196.9.26:6302
Targets
-
-
Target
4363463463464363463463463.exe.bin
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
-
Asyncrat family
-
Modifies security service
-
Modifies visiblity of hidden/system files in Explorer
-
Phorphiex family
-
Phorphiex payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Async RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
2Modify Registry
7Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1