Analysis
-
max time kernel
61s -
max time network
62s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
03-01-2025 03:23
General
-
Target
Dork_Searcher_v3/Dork Searcher v3 tool.exe
-
Size
928KB
-
MD5
1a4c4d1cc1267908302913a678102cff
-
SHA1
1dd2d37f67a461afe414b8339d68ce98964cc962
-
SHA256
045dc9a19e22a98167614ddccf210219576fe440d320144fd51a73fb38360e7f
-
SHA512
c3c9433b3cfe8df34b6d56b1252dad8c185430a12ae744cb71a8493a420d135a77f14682b71827eeb43c8f4c7ad3a0d96a69c94b5ba4144c0881f99df176ae3e
-
SSDEEP
12288:sMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9VoKcXrCf/Q6qj:snsJ39LyjbJkQFMhmC+6GD90CfDW
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 5 IoCs
-
Stormkitty family
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Async RAT payload 1 IoCs
-
A potential corporate email address has been identified in the URL: WorldWindProResultsDate2025010332345AMSystemWindows10Pro64BitUsernameAdminCompNameHGNBWBGWLanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.1.63ExternalIP181.215.176.83BSSID16bf38fd2615DomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberDatabasefiles6TelegramChannel@XSplinter
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 16 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Dork_Searcher_v3\Dork Searcher v3 tool.exe"C:\Users\Admin\AppData\Local\Temp\Dork_Searcher_v3\Dork Searcher v3 tool.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Dork_Searcher_v3\._cache_Dork Searcher v3 tool.exe"C:\Users\Admin\AppData\Local\Temp\Dork_Searcher_v3\._cache_Dork Searcher v3 tool.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Dork_Searcher_v3\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\Dork_Searcher_v3\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
928KB
MD51a4c4d1cc1267908302913a678102cff
SHA11dd2d37f67a461afe414b8339d68ce98964cc962
SHA256045dc9a19e22a98167614ddccf210219576fe440d320144fd51a73fb38360e7f
SHA512c3c9433b3cfe8df34b6d56b1252dad8c185430a12ae744cb71a8493a420d135a77f14682b71827eeb43c8f4c7ad3a0d96a69c94b5ba4144c0881f99df176ae3e
-
Filesize
23KB
MD58bdebee7e7719e92b36fb3f58a75de78
SHA1193a050b9e58e5da83b842215f038b57cc6c3ca3
SHA256df65a4b9b012d6a458120cc33442de113407e68a90875d7d68f8bcd01dee6866
SHA512180620ad7e24f028dffdcc247b25105da73fda71037abe18547788da776c6fad9a9e50c2ec3d80de2e9afb1b5e5f868b0ec0d9d5b6597fb1251fe33a238848ab
-
Filesize
175KB
MD5590cc9e98f862329ffae1ebbdddcce10
SHA1808d060d8294d5ffbc6370c6a63a2992c6fe243b
SHA256127dfda8c9780b2d2a83781e3c291a7813b3b858bce1ac328ea4ac3af57a610a
SHA5129e6881a16b3e793af4856f75e613d4cf982b045ef323e954ef0048e342df12a8a92888797a7c6c818f2391531ceee670cacc651d58f5a0ee558ae6e9fd315346
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
5.0MB
MD519b8ad57bdab8ad0e83915a3b20183c1
SHA162bdf09a73fa09296118d77ef366642233f9db6f
SHA2568a3f119a5dac3b2cc21b6d635e750a526620f284aec290a74e1712a579a3d614
SHA512d55a389f359504ecd8d0b4cd1772ea89ab26433ba23e1c399dc4ecc55dd67d033f90d27314e02e9f6b5a441c6a3e7edf9b3b481e8d101536ac0c2fa90f99a267
-
Filesize
114KB
MD50163d73ac6c04817a0bed83c3564b99f
SHA1784001e8d0e7ab6a09202c2a1094f371f7d017cb
SHA2565114af822abc2b0f2aabb7565919164c9babf884e34c21095213dbe6a71511ea
SHA51247051ee935be9e9d4457447c7fe5df06a5b0c5ef55d2c757d3dfa179b6049ae79732b1552e812febe5ae41a076cb29d8a809ae9b168afc7eb4c9eadfadcf5d9b
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
541B
MD5b5668ae75bac27b6908b1746c43948d5
SHA1f804fbb55066def4611299b90098209c855c124f
SHA2567d9733a9934c8c07980268febde90c0dc9f3f68bbf00888d9f21edbd27511a3d
SHA5121ef209135757d8dee4ac7a319c57a5087f89bbb844027a8d2bf369d38be6878d4ff543418b55cfdc844f4063d521cb282cc8290e68b4e181cbfd3531e8abc2af
-
Filesize
756B
MD5c9f63fa42c2b2291014d70cf75c381f0
SHA1348b7a5fe77af2b24e97bb907c79703092c72de9
SHA25636ae9026721bceb650a844bb24453747016733d86c827535175e2e4884dcb7d1
SHA512ac8a250b3610563c3731344552736949b110409470a4a53ce8ac3c192b60852cf984d1c65e21c46414f17880564e8aa1f7d4643fe2c833c5713a6654ac392df9
-
Filesize
744B
MD5e66a8f4e96752b176ae99abbda90642f
SHA116bb45af250c109711163abb878445df5b269257
SHA2564d6e344ece53f6faf78ece8702d54a24986cfbc6e68350dd3587173926a324ba
SHA51226d2ad8b44ad58bab31580b8017e9138a354cad28d3a8031a062e34856a7c5717614320ddc0ccfb873eadb4bc62810bce86ea51494db0958b35104bd188e4503
-
Filesize
25B
MD5966247eb3ee749e21597d73c4176bd52
SHA11e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA2568ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa
-
Filesize
756B
MD5db9daf7066ed9a270327de2106c5e799
SHA101f86b927cd99f84bcb28aa1d3783077c55ed748
SHA2569596307505dc55a25af9f8b5dcf590424e54103d31df203ee365aa69b7b888de
SHA512c9cd23fa6b90036086f9a340354d6f89ded772096398bc793f4f038d8b273768ddb3859623d6685fef260ee50850b9d30a3afd0ecf4bff072dc5f79638b924ba
-
Filesize
24B
MD568c93da4981d591704cea7b71cebfb97
SHA1fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA51263455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402
-
Filesize
3KB
MD52856f34cac41c1f830531f278bc427d7
SHA10533abcd52b8d2cb6fa5bd3d8863888457850a56
SHA2567b29f80753fe01a78dd95135db8aac00240b95e3a9b2c5769b758fe3a6f5a31d
SHA512857f672a36e9db627291a4a1330a846aaea03311364552727fa528ca185793961797378b38e40c079e7fb24b3aa9e69b51806f760ad87daf2e8578e7d233420e
-
Filesize
23B
MD51fddbf1169b6c75898b86e7e24bc7c1f
SHA1d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA51220bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d
-
Filesize
282B
MD59e36cc3537ee9ee1e3b10fa4e761045b
SHA17726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA2564b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA5125f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790
-
Filesize
402B
MD5ecf88f261853fe08d58e2e903220da14
SHA1f72807a9e081906654ae196605e681d5938a2e6c
SHA256cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844
SHA51282c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b
-
Filesize
282B
MD53a37312509712d4e12d27240137ff377
SHA130ced927e23b584725cf16351394175a6d2a9577
SHA256b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
SHA512dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05
-
Filesize
190B
MD5d48fce44e0f298e5db52fd5894502727
SHA1fce1e65756138a3ca4eaaf8f7642867205b44897
SHA256231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8
SHA512a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a
-
Filesize
190B
MD587a524a2f34307c674dba10708585a5e
SHA1e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201
SHA256d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9
SHA5127cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38
-
Filesize
504B
MD529eae335b77f438e05594d86a6ca22ff
SHA1d62ccc830c249de6b6532381b4c16a5f17f95d89
SHA25688856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
SHA5125d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17
-
Filesize
128B
MD5676a38ce0157b4332b13606fc0f93ffd
SHA189bee12c1f6421ec4162833e219b39d71d47dbda
SHA256ffeeec110735c10cbd52f9d60ece0521a403cc06053219c175aa93fa2b9120d8
SHA5129f1a684398c5d7f5f7cd3aa2758da73e4945d33768e8f7efce0c2c823f3cdc2e78305a6c030d523b3cf31136822d3a9dc5cefc771b3d025fd2309c7ab22dc07d
-
Filesize
4KB
MD540f699bed8e1ba32e0cdc9e1f5ccdc9e
SHA116e45bd9c9fa3674844f4557f4e7a2ff24c9be63
SHA2565fe8de901fc110940e2844710409a26950cd78b7c36ab4fd5f51b1d4da9bfd92
SHA5122a7e5bcacb635be023c5deec1bb2b16620c762cc302491a7f3847485acfbb15d47578cd8f3592695b259737bcec6d81a0a2a44d0202441131e9280dd43b05858
-
Filesize
29B
MD571eb5479298c7afc6d126fa04d2a9bde
SHA1a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA5127c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd
-
Filesize
168B
MD59f11565dd11db9fb676140e888f22313
SHA135ae1ce345de569db59b52ed9aee5d83fea37635
SHA256bd652c6bfa16a30133dd622f065e53aee489e9066e81ecb883af1c3892af727d
SHA512d70edbd84693afbdb90424b9f72a4bd4a51bd27c719506e17a58b171c251046aea23ca7228ccd8b98b47cd8eb1227bc2d90a07c4f50e8b080f9a41d253935ace
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
200KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
952KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
952KB
-
Filesize
4KB