asyncrat | cf0f7d178b74a724d306e95469e7e3a8a8974c69a659a365ab8f1c129a69ec10 | Triage

Submit
Reports

Overview

overview

Static

static

Curriculo ...).xlsm

windows7_x64

Curriculo ...).xlsm

windows10_x64

Sharing

General

Target

Curriculo Laura Sperandio (ps).xlsm
Size

23KB
Sample

201224-zwgdeqncge
MD5

dbad290342a0f6cd2554a4d7b06ff400
SHA1

ea9e6a18734a7a389eaa66eace35c84ede9152c3
SHA256

cf0f7d178b74a724d306e95469e7e3a8a8974c69a659a365ab8f1c129a69ec10
SHA512

a26c41a262c375fce4369b51ee19283504e7aeed975416551f193b00313a083a26a034e69bcff59b6719b006e0dfb0ec4fb295ba6426a12a5d901c5c1810dc63

Score

10^/10

asyncrat persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

Curriculo Laura Sperandio (ps).xlsm

Resource

win7v20201028

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Curriculo Laura Sperandio (ps).xlsm

Resource

win10v20201028

asyncrat persistence rat

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/seveca-emilia/onemoreslave/downloads/sz.exe

Targets

- Target
  
  Curriculo Laura Sperandio (ps).xlsm
- Size
  
  23KB
- MD5
  
  dbad290342a0f6cd2554a4d7b06ff400
- SHA1
  
  ea9e6a18734a7a389eaa66eace35c84ede9152c3
- SHA256
  
  cf0f7d178b74a724d306e95469e7e3a8a8974c69a659a365ab8f1c129a69ec10
- SHA512
  
  a26c41a262c375fce4369b51ee19283504e7aeed975416551f193b00313a083a26a034e69bcff59b6719b006e0dfb0ec4fb295ba6426a12a5d901c5c1810dc63
Score

10^/10

asyncrat persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Async RAT payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

asyncratpersistencerat

© 2018-2024

Terms | Privacy