Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 19:56

General

  • Target

    2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe

  • Size

    3.1MB

  • MD5

    555437a35bbb26dc74ccbbff9241eef4

  • SHA1

    6913cb4ed72eb3788885d8eebedae60e9d88cdd2

  • SHA256

    562ef514baef9536a3bca3ef76d72ac1e37ae587377da7449782936619e19771

  • SHA512

    c68e5bbea164e0185042f79183e2be501528e57516b5a3825f1e4223595376f8dfa82f8c09acf3f323b861fc216f03363a2ac2849a95904abd5dbceddaf3d509

  • SSDEEP

    49152:TIAE0miU9mNKtcsS1OU/zXNUfEeXAxhF2rl/IuOryOvKODjj3POMjUfkptVxp/:+EUhcsaOU/jIEeQfoR/IuOFVjUu5

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

104.219.215.160:4449

104.219.215.160:8008

Mutex

jjzxklegwjqz

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Async RAT payload 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to get system information.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:112
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2744
    • C:\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
      #by-unknown
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2620
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:476
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2428
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:752
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2188
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1236
        • C:\ProgramData\Synaptics\Synaptics.exe
          #by-unknown
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1152
          • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2868
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\JUKwIFlq.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    9f4999cac510d7a2a67278591d9c98a2

    SHA1

    3e5c252be742512f80f59b252fc8430f46cac8a5

    SHA256

    39dd9b7380effc2f484167fc8c213a3f67ec849621c94c4a8144aad4f243c12b

    SHA512

    5d9f104e036c6564286ba2fde2d8eb3623fe7669ded629ddd490b998166a249e446f2955e74b0d42adb4de1091c46c93e3bb3bf5127bc94f1b2deaf1f4992eb9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    d255475004e1f5cfe30fcc07f5033a74

    SHA1

    943c08e7c0f0a3053b804728122731aa5857c4f4

    SHA256

    9fb18c80947053b5f07e512bc77a941a31a5c5ad3cbaa988b0b5de31f7c4684f

    SHA512

    819ad72df2df42a4fe5c40c00988e4778150e69f24eb2fd9334c2287659b18cfbcdd4c0118e2963afde0918547c9b01e702f685aa15c41db1b8f946eddd71d1d

  • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

    Filesize

    8B

    MD5

    cf759e4c5f14fe3eec41b87ed756cea8

    SHA1

    c27c796bb3c2fac929359563676f4ba1ffada1f5

    SHA256

    c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

    SHA512

    c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

  • \Users\Admin\AppData\Local\Temp\._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe

    Filesize

    74KB

    MD5

    8ce78f483110d74e5eff82f76e78a0b0

    SHA1

    ea39826209a5084b5cfbf4a89366856fd330b72d

    SHA256

    7a573f3735077c7a97662456d8c5f5001559bc6dd2356ff6e4ef92f5e8a9acad

    SHA512

    69654e33c7ccf5300b92c1e8d4e713671fb0676f01f02e93e500aa62ccd94a96aa6fc2ec9e928b1e8498c7950fa606ba2480bd63a11c379f949d247ff8dc399d

  • \Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe

    Filesize

    3.1MB

    MD5

    555437a35bbb26dc74ccbbff9241eef4

    SHA1

    6913cb4ed72eb3788885d8eebedae60e9d88cdd2

    SHA256

    562ef514baef9536a3bca3ef76d72ac1e37ae587377da7449782936619e19771

    SHA512

    c68e5bbea164e0185042f79183e2be501528e57516b5a3825f1e4223595376f8dfa82f8c09acf3f323b861fc216f03363a2ac2849a95904abd5dbceddaf3d509

  • memory/476-59-0x0000000000B30000-0x0000000000E50000-memory.dmp

    Filesize

    3.1MB

  • memory/1152-88-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1152-91-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/1152-124-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/1152-123-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/1152-125-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/1152-154-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/2092-1-0x0000000001150000-0x0000000001470000-memory.dmp

    Filesize

    3.1MB

  • memory/2092-0-0x0000000074E5E000-0x0000000074E5F000-memory.dmp

    Filesize

    4KB

  • memory/2328-24-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/2328-26-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/2328-22-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/2328-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2328-31-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/2328-18-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/2328-33-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/2328-21-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/2328-28-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/2328-17-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/2620-53-0x0000000000F70000-0x0000000000F88000-memory.dmp

    Filesize

    96KB

  • memory/2868-101-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

    Filesize

    96KB

  • memory/2872-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2952-4-0x0000000070F11000-0x0000000070F12000-memory.dmp

    Filesize

    4KB

  • memory/2952-5-0x0000000070F10000-0x00000000714BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2952-6-0x0000000070F10000-0x00000000714BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2952-7-0x0000000070F10000-0x00000000714BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2952-8-0x0000000070F10000-0x00000000714BB000-memory.dmp

    Filesize

    5.7MB