General

  • Target

    4363463463464363463463463.exe (2).zip

  • Size

    4KB

  • Sample

    241028-xpkqwsvend

  • MD5

    a9ac952214b4aeb154d92b76095c1caa

  • SHA1

    72d1325ded97a2b9cf6cdbbc21bc70b09fd27ad1

  • SHA256

    8731222107da184b71a7a4e9e1650522b58fb26f72198ad6ec8c965bfdce0774

  • SHA512

    1eedc464bab931256eab4d299be18ce95b183cda8667c6a74d0645a174eceef3d94e0165fc6b3a984bfbce7212f5f960079e527c4959a40e3b67121ca56df414

  • SSDEEP

    96:ywb5xIqd77Lq3xThhrTeRM68120cUBiIT4ddMm/lF291KRTQ1jqt+oerwvp:TIk+ZXTeG125ObUd2mdF+KZQ1jUEOp

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

newwwwwwwwwwwwwwwwww

C2

185.16.38.41:2033

185.16.38.41:2034

185.16.38.41:2035

185.16.38.41:2022

185.16.38.41:2023

185.16.38.41:2024

185.16.38.41:20000

185.16.38.41:6666

Mutex

AsyncMutex_XXXX765643

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

Pizdun

C2

94.142.138.219:20936

Attributes
  • auth_value

    20a1f7fe6575c6613ee7cc5d3025af70

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

ser.nrovn.xyz:6606

ser.nrovn.xyz:7707

ser.nrovn.xyz:8808

Mutex

nfMlxLKxWkbD

Attributes
  • delay

    3

  • install

    true

  • install_file

    http.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

C2

185.196.9.26:6302

Targets

    • Target

      4363463463464363463463463.exe.bin

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Modifies security service

    • Modifies visiblity of hidden/system files in Explorer

    • Phorphiex family

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks