asyncrat | 2dd40beb048efe94f7a62ac83f95a5da2815e05a248ef970dff3f20a4eb8f609 | Triage

Sharing

General

Target

2dd40beb048efe94f7a62ac83f95a5da2815e05a248ef970dff3f20a4eb8f609
Size

681KB
Sample

241206-sanf1ssqcw
MD5

00e1431f15d4e7d7521adaf56d1cf9eb
SHA1

63c4a9d2327a46296e4d54c9baeb20f683ec9d87
SHA256

2dd40beb048efe94f7a62ac83f95a5da2815e05a248ef970dff3f20a4eb8f609
SHA512

c0e78ad73ffa3f4c0ab94ce0e21dd3cb0638cdbccbe5b3bcd0d841193a11fbd3485c176b010c3196b21d940dfa5b18f09f53e3dfdd28c5ba881df1637584118d
SSDEEP

12288:Cp1zzClVwk1lf0PmOPRQBsoNiDgOIu9diWKg0p2/DqJg7:Cpx8VwkiWaUOIuXZ

Score

10^/10

asyncrat redline 3333----japanese----3333 japanporn defense_evasion discovery infostealer rat

Malware Config

Extracted

Family

redline

Botnet

JAPANPORN

C2

45.134.225.35:7821

Attributes

auth_value
18d8418fe71c08942d2ddd0435edb9e5

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

3333----Japanese----3333

Mutex

Aakn1515knAakn1515kn!

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/uqaaCRiU

aes.plain

Targets

- Target
  
  2dd40beb048efe94f7a62ac83f95a5da2815e05a248ef970dff3f20a4eb8f609
- Size
  
  681KB
- MD5
  
  00e1431f15d4e7d7521adaf56d1cf9eb
- SHA1
  
  63c4a9d2327a46296e4d54c9baeb20f683ec9d87
- SHA256
  
  2dd40beb048efe94f7a62ac83f95a5da2815e05a248ef970dff3f20a4eb8f609
- SHA512
  
  c0e78ad73ffa3f4c0ab94ce0e21dd3cb0638cdbccbe5b3bcd0d841193a11fbd3485c176b010c3196b21d940dfa5b18f09f53e3dfdd28c5ba881df1637584118d
- SSDEEP
  
  12288:Cp1zzClVwk1lf0PmOPRQBsoNiDgOIu9diWKg0p2/DqJg7:Cpx8VwkiWaUOIuXZ
Score

10^/10

asyncrat redline 3333----japanese----3333 japanporn defense_evasion discovery infostealer rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- System Binary Proxy Execution: Regsvcs/Regasm
  Abuse Regasm to proxy execution of malicious code.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

File Deletion

System Binary Proxy Execution

Regsvcs/Regasm

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratredline3333----japanese----3333japanporndefense_evasiondiscoveryinfostealerrat

behavioral2

asyncratredline3333----japanese----3333japanporndefense_evasiondiscoveryinfostealerrat