General

  • Target: Zakaz na pokupku 21-10-2021.doc
  • Size: 4KB
  • Sample: 211021-wkp95sbeap
  • MD5: e205f10f887754bd65281f14c25c0f21
  • SHA1: b356aab56ba5eb993326e4ede7e254e7181aa165
  • SHA256: 5d77fcbee204c6b9fea6ec4bda5216714e2e46f4247f673956e64e36a9c3424d
  • SHA512: cd43d1cb4193ef5aa4f77a290e186a4e87d55f42a61b502cbc2beeb2044613855e82553effca9f6bcda5cd4174c8c0ce6989774530c3b68c7a612ba26c2ef0a2

Malware Config

Extracted

Family: asyncrat
Version: 0.5.7B
Botnet: 1
C2: 185.157.160.136:1973
Mutex: df4Rtg34dFjwr7ujp3

Attributes
  • anti_vm: false
  • bsod: false
  • delay: 38
  • install: false
  • install_folder: %AppData%
  • pastebin_config: null

aes.plain

Targets

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • BitRAT Payload

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  • Exploitation for Client Execution (T1203): 1

Persistence
  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion
  • Modify Registry (T1112): 2

Discovery
  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2

Tasks