Overview

overview

10

Static

static

Order Sheet.exe

windows7_x64

10

Order Sheet.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Order Sheet.exe

  • Size

    2.6MB

  • Sample

    210506-7mzvazp7k2

  • MD5

    9bc1a47fdbd32cc92c94a9d1a84597ac

  • SHA1

    63a5eb6563208137d12dd8fa4ede2e2c98e70033

  • SHA256

    ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

  • SHA512

    559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

Score
10/10
asyncratevasionpersistencerattrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

skylucky.duckdns.org:2404

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    WvvgLAhzoLKP9nxmphWrFPmJaTYONf62

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    JakataAsync

  • host

    skylucky.duckdns.org

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    2404

  • version

    0.5.7B

aes.plain

Targets

    • Target

      Order Sheet.exe

    • Size

      2.6MB

    • MD5

      9bc1a47fdbd32cc92c94a9d1a84597ac

    • SHA1

      63a5eb6563208137d12dd8fa4ede2e2c98e70033

    • SHA256

      ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

    • SHA512

      559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

    Score
    10/10
    asyncratevasionpersistencerattrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Turns off Windows Defender SpyNet reporting

      evasion

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Async RAT payload

      rat

    • Nirsoft

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

7
T1112

Disabling Security Tools

5
T1089

Bypass User Account Control

1
T1088

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks