General

  • Target

    IMAGE00037.exe

  • Size

    1.8MB

  • Sample

    210727-ft4s27s4vn

  • MD5

    d90d38f2dc39b8b19368a55a44841fa9

  • SHA1

    971a1b851d914a17b97cdc95c17fc7d3f962c009

  • SHA256

    3ede9e9bdf0965f93b5351cc4be670b30934bc39aca24a3f3ac5f245f47c5073

  • SHA512

    ce1bc4e2e2269a3782327958f357838e1e161871c7d0b95b55ba4b17dbe762c46ba98b8dd91c35f57622f8e7512e64a385d3c2a3cbcc19fdffe94d0d3658ac5e

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

podzeye.duckdns.org:4422

podzeye.duckdns.org:4442

podzeye.duckdns.org:4433

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    KqmHiqpKk2CuoxPCgGYf22Qi6oqCTMfJ

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    podzeye.duckdns.org

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    4422,4442,4433

  • version

    0.5.7B

aes.plain

Extracted

Family

formbook

Version

4.1

C2

http://www.hometowncashbuyersgroup.com/kkt/

Decoy


Targets

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Formbook

      Formbook is a data-stealing malware family.

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    • Async RAT payload

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Formbook Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (1) — T1053

  • Persistence

    Scheduled Task (1) — T1053

  • Privilege Escalation

    Scheduled Task (1) — T1053

  • Discovery

    System Information Discovery (1) — T1082

Tasks