Resubmissions

  • 17-01-2021 18:39  210117-bjkp449bn2  10

  • 15-01-2021 19:39  210115-bg5rm9rr5s  10

General

  • Target

    INV_FG5982.iso

  • Size

    1.8MB

  • Sample

    210117-bjkp449bn2

  • MD5

    fb0d67e5da83cd365d44d141c9e7a63c

  • SHA1

    f09cae99eccc86872b567fbae8083492c2dfd0b2

  • SHA256

    1a6a7ea1669f66f5e5249b3acabc68f4ef1fbe770f016dbbf47a2de4dc545c12

  • SHA512

    b1e0f29da05c4a4be2a640da0c44ab65331d4b0642c406267eb8ea1712a0b673caa1dd4df9f91dad5a0412aaf6018460825cf88f442fb0bf64becca3c35b5e44

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

54.36.220.171:7707

54.36.220.171:8808

54.36.220.171:5050

Mutex

Mutex_6SI8OkPnk

Attributes

  • aes_key

    DiOIHNqQSoNMUZLXqq4Zuqb1foyxPfJ1

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    last_Last

  • host

    54.36.220.171

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    Mutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    7707,8808,5050

  • version

    0.5.7B

aes.plain

Targets

    • Target

      INV_FG59.EXE

    • Size

      1.2MB

    • MD5

      97995b3f92bf70117841d386fe556497

    • SHA1

      b817858dbe60a1975adbb7fa00524a65f38077e0

    • SHA256

      02d0d2a6ee7f1e728599f0e16ff5bb3618a67fd63d0cb1f20a90ac2fe8eca670

    • SHA512

      ab4a84fcd4b1bc7f73a22f671d65cb3ba2c5c396fc88d1db23cd641467961186fbfe530288e1fb548170b7af9bffbc620ca486d86ae5629908f64241246b8399

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Modifies WinLogon for persistence

    • Async RAT payload

    • Drops startup file

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Winlogon Helper DLL (T1004): 1

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2
