General

  • Target

    bd8ae1109db967293859c064576cd3446034d03088b85781c0b7b46ef0ba29d5

  • Size

    149KB

  • Sample

    210113-2mdmw57cxj

  • MD5

    67751a297e6183d8677b34fa47457883

  • SHA1

    def2c607dfb218cb12159871631052556d972286

  • SHA256

    bd8ae1109db967293859c064576cd3446034d03088b85781c0b7b46ef0ba29d5

  • SHA512

    62013becbacd92cf399beb11761bb9a24c0b34634068a7201bfd18b0375bb0ed15d81a6d1d2a340eac26d5a73c3a8cc67a3a535759c7ee68be1f60b179c4f2e9

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    http://azulviagens.online/certificate/quasar.mp3

Extracted

  • Family

    asyncrat

  • Version

    0.5.7B

  • C2

    127.0.0.1:6606

    127.0.0.1:7707

    127.0.0.1:8808

    minharola.hopto.org:6606

    minharola.hopto.org:7707

    minharola.hopto.org:8808

    cdtpitbull.hopto.org:6606

    cdtpitbull.hopto.org:7707

    cdtpitbull.hopto.org:8808

    cudaegua.ddns.net:6606

    cudaegua.ddns.net:7707

    cudaegua.ddns.net:8808

  • Mutex

    a377d1b1c0538833035211f4083d00fecc414dab

Attributes
  • aes_key

    uHP7c7Cosh571ds05um4kYDDE2FWQ6fx

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    NEW-SPAM

  • host

    127.0.0.1,minharola.hopto.org,cdtpitbull.hopto.org,cudaegua.ddns.net

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    a377d1b1c0538833035211f4083d00fecc414dab

  • pastebin_config

    null

  • port

    6606,7707,8808

  • version

    0.5.7B

aes.plain

Targets

    • Target

      bd8ae1109db967293859c064576cd3446034d03088b85781c0b7b46ef0ba29d5

    • Size

      149KB

    • MD5

      67751a297e6183d8677b34fa47457883

    • SHA1

      def2c607dfb218cb12159871631052556d972286

    • SHA256

      bd8ae1109db967293859c064576cd3446034d03088b85781c0b7b46ef0ba29d5

    • SHA512

      62013becbacd92cf399beb11761bb9a24c0b34634068a7201bfd18b0375bb0ed15d81a6d1d2a340eac26d5a73c3a8cc67a3a535759c7ee68be1f60b179c4f2e9

    Score
    10/10

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

Tasks