General

  • Target

    8b5b671cb9f8d33234668725f922c1910ffa33dadc671545e9fa709e07de2302

  • Size

    918KB

  • Sample

    250407-c2nm4ayjw9

  • MD5

    cea96e9e6b56352a2c57e5c245af34be

  • SHA1

    3fce07cea954e17818567a909334272da285ea1e

  • SHA256

    8b5b671cb9f8d33234668725f922c1910ffa33dadc671545e9fa709e07de2302

  • SHA512

    5cc9f57b1ca78814adf3cf40ca7a47d7a1d1243a5e44061c1dc1ad0064556538f01cca4866778af84a9ad58e1d5acccb84639b0968ce0b8e813fe5178f6e2c5f

  • SSDEEP

    24576:zuxKLmnf8Iq1Cl899GfAEm37o71EF41f8pvmDHjB0PIpeVjlbKC:KxTEIE2899GfAEQj21f8pvm7oIpeP

Malware Config

Extracted

Family

xworm

Version

5.0

C2

204.10.161.147:7081

Mutex

XoFHv1TT4hWErxRo

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

redline

Botnet

success

C2

204.10.161.147:7082

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

204.10.161.147:5009

Mutex

ihdiqhrlparelebtcw

Attributes

  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      RFQ_TB2837V_MATERIALS&TECH-SPEC-OP6736-2025.exe

    • Size

      1.4MB

    • MD5

      90dc7c1dea8a6e2c03fedc9db60a1b5a

    • SHA1

      1add1bc885460dd045c7241e3385af2aa1d2c521

    • SHA256

      a52110ba312a9500399c954fdb31a54288e2ab7b1f44b77adcb6864575460d8f

    • SHA512

      834d34798067448ba3d5683625eb0c01cd170a6decbfcbccf470795af45cade6eb1924a3929e64bf7d5c60eab53dc8694d66cce1e405e770e812d257266ad8a4

    • SSDEEP

      24576:8u6J33O0c+JY5UZ+XC0kGso6Fa7KOf3sGJtaRd/7zXgQKFKncbTEPVbxxgWY:mu0c++OCvkGs9Fa7KUEDjLkRbTAVbxhY

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks