ORDER-02188.exe

General

Target: ORDER-02188.exe
Size: 403KB
Sample: 210408-ehq5rvrvvj
Score: 10/10
MD5: ac170d15a4107a0fd5982449c2a8d1ee
SHA1: da5b603c30d0f238ac19e9b32e6bc622dcbfa13b
SHA256: 790024e6d1d28358876403d4b30aa4ff47c162bcd91db81776185ab88d20c511
SHA512: 224e25782e75936b3ccc7b134b3f9b0faa6dfb49b749420273380cb3cadbdf6cfe44eebd2ce825f9ed0734f2cde328f1f0034f7a4ccd87f8cc5dddb8ef792689

Malware Config

Extracted

Family: asyncrat
Version: 0.5.7B

C2

  • chongmei33.publicvm.com:2703
  • chongmei33.publicvm.com:49703
  • chongmei33.publicvm.com:49746
  • 185.165.153.116:2703
  • 185.165.153.116:49703
  • 185.165.153.116:49746
  • 54.37.36.116:2703
  • 54.37.36.116:49703
  • 54.37.36.116:49746
  • 185.244.30.92:2703
  • 185.244.30.92:49703
  • 185.244.30.92:49746
  • dongreg202020.duckdns.org:2703
  • dongreg202020.duckdns.org:49703
  • dongreg202020.duckdns.org:49746
  • 178.33.222.241:2703
  • 178.33.222.241:49703
  • 178.33.222.241:49746
  • rahim321.duckdns.org:2703
  • rahim321.duckdns.org:49703
  • rahim321.duckdns.org:49746
  • 79.134.225.92:2703
  • 79.134.225.92:49703
  • 79.134.225.92:49746
  • 37.120.208.36:2703
  • 37.120.208.36:49703
  • 37.120.208.36:49746
  • 178.33.222.243:2703
  • 178.33.222.243:49703
  • 178.33.222.243:49746
  • 87.98.245.48:2703
  • 87.98.245.48:49703
  • 87.98.245.48:49746

Attributes

aes_key: hGScKRB0VrlS4WpFo0N7AmnZQApV4qsi
anti_detection: false
autorun: false
bdos: false
delay: FEB
host: chongmei33.publicvm.com,185.165.153.116,54.37.36.116,185.244.30.92,dongreg202020.duckdns.org,178.33.222.241,rahim321.duckdns.org,79.134.225.92,37.120.208.36,178.33.222.243,87.98.245.48
hwid: 3
install_file:
install_folder: %AppData%
mutex: AsyncMutex_6SI8OkPnk
pastebin_config: null
port: 2703,49703,49746
version: 0.5.7B
aes.plain
Targets

Target: ORDER-02188.exe
Filesize: 403KB
Score: 10/10
MD5: ac170d15a4107a0fd5982449c2a8d1ee
SHA1: da5b603c30d0f238ac19e9b32e6bc622dcbfa13b
SHA256: 790024e6d1d28358876403d4b30aa4ff47c162bcd91db81776185ab88d20c511
SHA512: 224e25782e75936b3ccc7b134b3f9b0faa6dfb49b749420273380cb3cadbdf6cfe44eebd2ce825f9ed0734f2cde328f1f0034f7a4ccd87f8cc5dddb8ef792689

Signatures

  • AsyncRat
    Description: AsyncRAT is designed to remotely monitor and control other computers.
  • Modifies Windows Defender Real-time Protection settings
    TTPs: Modify Registry, Modify Existing Service, Disabling Security Tools
  • Turns off Windows Defender SpyNet reporting
    TTPs: Disabling Security Tools, Modify Registry
  • UAC bypass
    TTPs: Bypass User Account Control, Disabling Security Tools, Modify Registry
  • Windows security bypass
    TTPs: Disabling Security Tools, Modify Registry
  • Async RAT payload
  • Nirsoft
  • Executes dropped EXE
  • Drops startup file
  • Loads dropped DLL
  • Windows security modification
    TTPs: Disabling Security Tools, Modify Registry
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry
  • Checks whether UAC is enabled
    TTPs: System Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks

  • static1
  • behavioral2

10/10