General

  • Target

    8ad6032daa80a5adaa61010895ed78ce.exe

  • Size

    431KB

  • Sample

    210726-ccwnq83l7e

  • MD5

    8ad6032daa80a5adaa61010895ed78ce

  • SHA1

    95e3899672ba3f7352806a6b663959c888911069

  • SHA256

    6696105b5c08ad9a5c5ffcd5a397612d4908a034ad4faa1e8f1df9352ad41cc5

  • SHA512

    61c9723ef7458a8da34913a9e80a440d9094c52dde2ac13bc29c6f7c4c7a92903449917c1d64ae07b56102817f2a80e6d754e2195a701748d9f8a12f85043469
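The four digests above are the indicators a responder would push to a blocklist or sweep a host for. The following added example (not part of the sandbox report) hashes a file once with all four algorithms from the same stream, validates the indicator set for truncated or mistyped values, and matches case-insensitively; the hashes are copied from the report, everything else (function names, the directory sweep) is illustrative.

```python
import hashlib
import io
from pathlib import Path

# File-hash indicators copied from the sandbox report above.
SAMPLE_HASHES = {
    "md5": "8ad6032daa80a5adaa61010895ed78ce",
    "sha1": "95e3899672ba3f7352806a6b663959c888911069",
    "sha256": "6696105b5c08ad9a5c5ffcd5a397612d4908a034ad4faa1e8f1df9352ad41cc5",
    "sha512": "61c9723ef7458a8da34913a9e80a440d9094c52dde2ac13bc29c6f7c4c7a92903449917c1d64ae07b56102817f2a80e6d754e2195a701748d9f8a12f85043469",
}

# Expected hex-digest lengths, used to catch truncated or mistyped indicators
# before they are deployed as a blocklist.
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def ioc_format_errors(iocs):
    """Return a list of problems with an indicator set (wrong length, non-hex, unknown algorithm)."""
    errors = []
    for name, value in iocs.items():
        expected = HEX_LENGTHS.get(name)
        if expected is None:
            errors.append(f"{name}: unknown algorithm")
        elif len(value) != expected or any(c not in "0123456789abcdefABCDEF" for c in value):
            errors.append(f"{name}: expected {expected} hex characters, got {value!r}")
    return errors


def hash_stream(fh, algorithms=tuple(HEX_LENGTHS), chunk_size=1 << 20):
    """Digest a binary stream once, feeding every algorithm from the same chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data (used for testing and for carved buffers)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def match_iocs(digests, iocs=SAMPLE_HASHES):
    """Return the algorithms whose digest equals a known-bad value (case-insensitive)."""
    return sorted(
        name for name, value in digests.items()
        if name in iocs and iocs[name].lower() == value.lower()
    )


def scan_directory(root, iocs=SAMPLE_HASHES):
    """Walk a directory tree and report every file whose digest matches the indicator set."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            matched = match_iocs(hash_file(path), iocs)
            if matched:
                hits[str(path)] = matched
    return hits


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algorithms in scan_directory(root).items():
        print(f"{path}: matches {', '.join(algorithms)}")
```

Reading each file once and updating all hashers from the same chunk keeps the sweep I/O-bound rather than quadrupling disk reads, and the format check guards against the common mistake of a SHA-256 truncated by a copy-paste into a 63-character string that would silently never match.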

Targets

    • Target

      8ad6032daa80a5adaa61010895ed78ce.exe

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    • Async RAT payload

    • Blocklisted process makes network request

    • Modifies Windows Firewall

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
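The "Looks up external IP address via web service" signature fires when a process contacts a public "what is my IP" service, which malware does to report the victim's address back to its operator. The following added example (not part of the sandbox report) shows the detection logic run over constructed sandbox-style network events. The list of lookup hosts is an assumption for the example; the report does not say which service this sample used, and the browser exclusion is a tuning choice to suppress a user visiting such a site by hand.

```python
import re
from collections import defaultdict

# Well-known public IP-lookup services. This list is an assumption for the example;
# the report above does not state which service the sample contacted.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "icanhazip.com", "ifconfig.me", "ip-api.com",
    "ipinfo.io", "checkip.dyndns.org", "checkip.amazonaws.com", "wtfismyip.com",
}

# Processes expected to reach such sites on behalf of a human; excluded to cut noise.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed sample events in a simple "<pid> <process> <method> <host[:port][/path]>" form.
SAMPLE_EVENTS = """\
1234 8ad6032daa80a5adaa61010895ed78ce.exe GET api.ipify.org/
1234 8ad6032daa80a5adaa61010895ed78ce.exe CONNECT 203.0.113.10:6606
2000 chrome.exe GET www.example.com/index.html
2000 chrome.exe GET ipinfo.io/json
this line is not an event
""".splitlines()

EVENT_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<process>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)$"
)


def host_of(target):
    """Reduce host[:port][/path] to a lower-case host name (IPv4/hostname only)."""
    host = target.split("/", 1)[0]
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.lower()


def parse_event(line):
    """Parse one event line into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    event["host"] = host_of(event["target"])
    return event


def find_ip_lookups(lines, lookup_hosts=IP_LOOKUP_HOSTS, browsers=BROWSERS):
    """Return {process: [hosts]} for non-browser processes that queried an IP-lookup service."""
    hits = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        if event["host"] in lookup_hosts and event["process"].lower() not in browsers:
            hits[event["process"]].add(event["host"])
    return {process: sorted(hosts) for process, hosts in hits.items()}


if __name__ == "__main__":
    for process, hosts in find_ip_lookups(SAMPLE_EVENTS).items():
        print(f"{process} looked up its external IP via {', '.join(hosts)}")
```

Matching on the host rather than on a URL path keeps the rule stable when a service changes its endpoints, and keying the result by process name is what lets the finding be joined with the other behaviours in this report (the firewall change, the SetThreadContext call) against the same process.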

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

    • T1031 Modify Existing Service (1)

Discovery

    • T1012 Query Registry (1)

    • T1082 System Information Discovery (1)
