General

  • Target

    ELECTRIC LINE DOWNHOLE LOGGING SERVICES FOR PC(T)SB PRODUCTION WELLS.img

  • Size

    3.8MB

  • Sample

    210105-e8tjg1jd7x

  • MD5

    843d30edf757bf0c3b90ff94c1783322

  • SHA1

    b40b32635a45f3a86cc9de1b4c983c854e5dbe8f

  • SHA256

    c5d1c57f289c7f9f692ad7971b08ec1392082eda028916ff33c27da1c8c3326b

  • SHA512

    82b4fdb76e22a3f08d923915b8a0cfcbfbed7f96a668ca78c4deec53657fdf8c9d3039405db42bf569c947bcbd666db2e387001e797e3ca695f4174528c72cf1

Malware Config

Extracted

Family

azorult

C2

http://eurodata1988.it/asy/PL341/index.php

Extracted

Family

asyncrat

Version

0.5.7B

C2

hpdndbnb.duckdns.org:3040

hpdndbnb.duckdns.org:2020

hpdndbnb.duckdns.org:4040

gpmaw.duckdns.org:3040

gpmaw.duckdns.org:2020

gpmaw.duckdns.org:4040

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    8pSblfEIKGwvU0W68bmEKGa3zB2hqd4t

  • anti_detection

    false

  • autorun

    true

  • bdos

    false

  • delay

    Default

  • host

    hpdndbnb.duckdns.org,gpmaw.duckdns.org

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    3040,2020,4040

  • version

    0.5.7B

aes.plain

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

hpdndbnb.duckdns.org:2404

Mutex

10eef43648e54083
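The three extracted configs overlap: hpdndbnb.duckdns.org carries the AsyncRAT ports (3040, 2020, 4040) and the RevengeRAT port 2404, and both RAT hosts are DuckDNS dynamic-DNS names, so the IP they resolve to can change at any time and hunting should key on hostnames and host:port pairs rather than addresses. The Python below is an added example, not output of the sandbox or code from any of these families: it expands the C2 values listed above into lookup tables and scans DNS/proxy log lines for them. The log lines and the 10.0.0.x client addresses are constructed for the example.

```python
import re
from urllib.parse import urlparse

# C2 values copied from the extracted configs on this page.
AZORULT_URLS = ["http://eurodata1988.it/asy/PL341/index.php"]
ASYNCRAT_HOSTS = ["hpdndbnb.duckdns.org", "gpmaw.duckdns.org"]
ASYNCRAT_PORTS = [3040, 2020, 4040]
REVENGERAT_ENDPOINTS = ["hpdndbnb.duckdns.org:2404"]


def build_iocs():
    """Expand the configs into lookup tables.

    Returns (domains, endpoints, urls):
      domains   {hostname: {family, ...}}  - one host can serve more than one family
      endpoints {(hostname, port): family} - AsyncRAT is host x port, RevengeRAT host:port
      urls      {full_url: family}         - Azorult posts to a fixed gate URL
    """
    domains, endpoints, urls = {}, {}, {}
    for url in AZORULT_URLS:
        urls[url] = "azorult"
        domains.setdefault(urlparse(url).hostname.lower(), set()).add("azorult")
    for host in ASYNCRAT_HOSTS:
        domains.setdefault(host.lower(), set()).add("asyncrat")
        for port in ASYNCRAT_PORTS:
            endpoints[(host.lower(), port)] = "asyncrat"
    for endpoint in REVENGERAT_ENDPOINTS:
        host, port = endpoint.rsplit(":", 1)
        domains.setdefault(host.lower(), set()).add("revengerat")
        endpoints[(host.lower(), int(port))] = "revengerat"
    return domains, endpoints, urls


# host[:port] tokens: one or more dotted labels followed by an alphabetic TLD.
HOSTPORT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})(?::(\d{1,5}))?", re.I)


def scan(lines):
    """Return (line_no, indicator, family) for every log line that touches an IOC.

    A full Azorult gate URL is reported once per line; otherwise each host[:port]
    token is checked, first as an exact C2 endpoint, then as a bare C2 domain
    (a contact on an unexpected port is still worth flagging: a DuckDNS name is
    cheap to repoint to a new port or server).
    """
    domains, endpoints, urls = build_iocs()
    hits = []
    for line_no, line in enumerate(lines, 1):
        url_hit = next((u for u in urls if u in line), None)
        if url_hit:
            hits.append((line_no, url_hit, urls[url_hit]))
            continue
        for host, port in HOSTPORT.findall(line):
            host = host.lower()
            if port and (host, int(port)) in endpoints:
                hits.append((line_no, f"{host}:{port}", endpoints[(host, int(port))]))
            elif host in domains:
                hits.append((line_no, host, "/".join(sorted(domains[host]))))
    return hits


# Constructed DNS/proxy log lines for this example; not traffic from the sandbox run.
SAMPLE_LOGS = [
    "2021-01-05T09:12:03Z dns   10.0.0.5 query A hpdndbnb.duckdns.org",
    "2021-01-05T09:12:04Z proxy 10.0.0.5 CONNECT hpdndbnb.duckdns.org:3040 403",
    "2021-01-05T09:12:09Z proxy 10.0.0.5 CONNECT gpmaw.duckdns.org:443 200",
    "2021-01-05T09:13:40Z proxy 10.0.0.5 POST http://eurodata1988.it/asy/PL341/index.php 200",
    "2021-01-05T09:14:00Z dns   10.0.0.7 query A www.example.com",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("line %d: %s [%s]" % hit)
```

Running it flags the first four constructed lines and leaves the www.example.com lookup alone; the third line is reported as a domain hit even though port 443 is not in the config, which is the intended behaviour for dynamic-DNS infrastructure.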

Targets

    • Target

      CLIENT_C.EXE

    • Size

      1.6MB

    • MD5

      9ca10ebf8150fc630b901be36a1bec85

    • SHA1

      f1cdd2674307a97af387016cb6f42a1419c403a6

    • SHA256

      49024e33c5bc92bb5751ba5d1c00fcfe16f7ab7663550c19a94fdb9d841c8879

    • SHA512

      521656149dd6498d9050640c7d2f1da627e788228527e8d6796493a539ab3eb3cfc6779c2237dc5cab4343438725cbe78d3b8d6376ce3c952eb07eb36a305c2c

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • Drops startup file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account settings and saved credentials on disk, where infostealers commonly read them.

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser data, which can include saved credentials and browsing history.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Enumerates the registry Uninstall key entries to list the software installed on the system.

    • JavaScript code in executable

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      NON_DISC.EXE

    • Size

      948KB

    • MD5

      5a26073186d5cd797817ab71676082c1

    • SHA1

      eba609ba96514ea94b9bf91f24ecf4b450c3faaf

    • SHA256

      52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396

    • SHA512

      79c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • Async RAT payload

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account settings and saved credentials on disk, where infostealers commonly read them.

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser data, which can include saved credentials and browsing history.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Enumerates the registry Uninstall key entries to list the software installed on the system.

    • JavaScript code in executable

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      TENDER_N.EXE

    • Size

      742KB

    • MD5

      868ca3e861260b5080c62eda3880c425

    • SHA1

      8d1dd70950daa651261a429baa0f63332bc690ca

    • SHA256

      c125ad338e09169f93f9ba82a8eb533619ae2087dd2a84563da1c6a3ef68e3d1

    • SHA512

      5ac65a3230f465a2fccad3101261500a2fe923d6ee67990e235b255a8f85529250a93fdbac5a304c93207605f8186bbd4500fb8febb6ffd0e8a8e44b159b19af

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • Drops startup file

    • Windows security modification

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
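The persistence and defense-evasion signatures listed for all three targets (Winlogon modification, Defender Real-time Protection settings, SpyNet reporting, Run key) correspond to registry writes at well-known paths, which is exactly what Sysmon Event ID 13 (RegistryEvent, value set) records on a live host. The Python below is an added example rather than part of this report or the sandbox's own signature engine: it applies those four signatures to Sysmon-style events. The key paths are the standard Windows locations; the events, the user profile path and the process image are constructed for the example. The read-only discovery signature (Uninstall-key enumeration) is deliberately not covered because Sysmon does not log registry reads.

```python
import re


def dword_value(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; accept that or a bare integer."""
    m = re.search(r"0x([0-9a-fA-F]+)|^(\d+)$", details.strip())
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


# (signature name as used on this page, key-path regex, value-name regex, data predicate or None)
RULES = [
    ("Modifies WinLogon for persistence",
     r"\\Windows NT\\CurrentVersion\\Winlogon$", r"^(Userinit|Shell)$", None),
    ("Modifies Windows Defender Real-time Protection settings",
     r"\\Windows Defender\\Real-Time Protection$", r"^Disable\w+$",
     lambda d: dword_value(d) not in (None, 0)),          # Disable* = 1 turns the feature off
    ("Turns off Windows Defender SpyNet reporting",
     r"\\Windows Defender\\Spynet$", r"^SpynetReporting$",
     lambda d: dword_value(d) == 0),                       # 0 = reporting disabled
    ("Adds Run key to start application",
     r"\\CurrentVersion\\Run(Once)?$", r".", None),
]


def evaluate_events(events):
    """Return (signature, image, target_object) for every EventID 13 event matching a rule.

    Sysmon's TargetObject for a value-set event ends with the value name, so the
    key path and the value name are split on the last backslash before matching.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key, _, value = ev["TargetObject"].rpartition("\\")
        for name, key_re, value_re, predicate in RULES:
            if (re.search(key_re, key, re.I) and re.search(value_re, value, re.I)
                    and (predicate is None or predicate(ev.get("Details", "")))):
                hits.append((name, ev["Image"], ev["TargetObject"]))
    return hits


# Constructed Sysmon-style events for this example, not the sandbox's own trace.
# The image path combines the page's install_folder (%AppData%) with one target name.
IMG = r"C:\Users\user\AppData\Roaming\NON_DISC.EXE"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": IMG,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe," + IMG},
    {"EventID": 13, "Image": IMG,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": IMG,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet\SpynetReporting",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": IMG,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NON_DISC",
     "Details": IMG},
    # Benign: the same policy value set back to 0, and an unrelated application setting.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Program Files\Example\app.exe",
     "TargetObject": r"HKCU\Software\Example\Settings\Theme", "Details": "dark"},
]

if __name__ == "__main__":
    for sig, image, target in evaluate_events(SAMPLE_EVENTS):
        print(f"{sig}: {image} -> {target}")
```

The Winlogon rule flags any write to Userinit or Shell because those values are almost never rewritten on a healthy host after installation; if a stricter check is wanted, compare the data against the default `C:\Windows\system32\userinit.exe,` and report whatever has been appended, which in the constructed event is the dropped executable itself.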

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                            Count  ID
Execution             Scheduled Task                       1      T1053
Persistence           Winlogon Helper DLL                  3      T1004
                      Modify Existing Service              3      T1031
                      Registry Run Keys / Startup Folder   3      T1060
                      Scheduled Task                       1      T1053
Privilege Escalation  Scheduled Task                       1      T1053
Defense Evasion       Modify Registry                      18     T1112
                      Disabling Security Tools             12     T1089
Credential Access     Credentials in Files                 8      T1081
Discovery             Query Registry                       5      T1012
                      System Information Discovery         3      T1082
Collection            Data from Local System               8      T1005
Command and Control   Web Service                          3      T1102

IDs follow ATT&CK v6. In current ATT&CK versions several of these have been folded into sub-techniques: T1004 into T1547.004, T1031 into T1543.003, T1060 into T1547.001, T1081 into T1552.001 and T1089 into T1562.001.
