Resubmissions

06/01/2022, 10:55

220106-m1b8sabbf7 10

06/01/2022, 08:02

220106-jw54hsbah5 10

General

  • Target

    d651267983ddfaf1e86e4cf0a90c0d79.exe

  • Size

    553KB

  • Sample

    220106-jw54hsbah5

  • MD5

    d651267983ddfaf1e86e4cf0a90c0d79

  • SHA1

    ea986acc881d0a7d50050a5fb1d31eefa0fbfb0a

  • SHA256

    597fe94395dcd3432d4ddf6c26524a5554c8dbcc48573936203b48df42ef5e02

  • SHA512

    e25a435797f26c7966f790bf7d38ae0a6d725739a97d83a66e0fc50884a85c8078df7f08bf073538d654df4b5f33402a9a2e2071b2315f3e3312627df6551eae

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    0.5.7B

  • Botnet

    Default

  • C2

    79.134.225.72:2233

  • Mutex

    AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    true

  • install_file

    Asyn.exe

  • install_folder

    %AppData%

  • pastebin_config

    null

  • aes.plain

Extracted

  • Family

    snakekeylogger

  • C2

    https://api.telegram.org/bot1982610890:AAFCcNp1Tl28ILhhdWKR-lR4Xpa_V1kwvCk/sendMessage?chat_id=860277004

Extracted

  • Family

    warzonerat

  • C2

    23.105.131.207:1024
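The three C2 values above normalised into one indicator list and matched against a few proxy-log lines. This is an added example, not part of the sandbox report or of any of the malware families' own code: the `Indicator` schema, the regexes and the log lines are this example's own construction, and only the family names and C2 strings are taken from the report.

```python
"""Normalise the extracted C2 strings into indicators and run them over
constructed proxy-log lines. Added example; only EXTRACTED comes from the report."""

import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Family and C2 string, copied from the report's "Malware Config" section.
EXTRACTED = [
    ("asyncrat", "79.134.225.72:2233"),
    ("snakekeylogger",
     "https://api.telegram.org/bot1982610890:AAFCcNp1Tl28ILhhdWKR-lR4Xpa_V1kwvCk"
     "/sendMessage?chat_id=860277004"),
    ("warzonerat", "23.105.131.207:1024"),
]

# Bare "host:port" (IPv4 or hostname) as used by AsyncRAT and WarzoneRAT.
HOST_PORT = re.compile(
    r"^(?P<host>[0-9]{1,3}(?:\.[0-9]{1,3}){3}|[A-Za-z0-9.-]+):(?P<port>[0-9]{1,5})$")
# Telegram Bot API path: /bot<numeric id>:<secret>/<method>
TELEGRAM_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>[0-9]+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")


@dataclass(frozen=True)
class Indicator:
    family: str
    kind: str          # "tcp_c2" or "telegram_exfil" (schema is an assumption)
    host: str
    port: int
    key: str           # substring to look for in logs: "ip:port" or "bot<id>"
    chat_id: str = ""  # Telegram only


def parse_c2(family: str, c2: str) -> Indicator:
    """Classify one C2 string: raw ip:port is a direct TCP C2; a Telegram Bot
    API URL is exfiltration through a legitimate third-party service."""
    m = HOST_PORT.match(c2)
    if m:
        port = int(m["port"])
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in {c2!r}")
        return Indicator(family, "tcp_c2", m["host"], port, key=c2)

    u = urlsplit(c2)
    if u.scheme in ("http", "https") and u.hostname == "api.telegram.org":
        pm = TELEGRAM_BOT_PATH.match(u.path)
        if pm is None:
            raise ValueError(f"unexpected Telegram path in {c2!r}")
        chat_id = parse_qs(u.query).get("chat_id", [""])[0]
        port = u.port or (443 if u.scheme == "https" else 80)
        # Key on the numeric bot id only: the secret half is what proxies redact.
        return Indicator(family, "telegram_exfil", u.hostname, port,
                         key=f"bot{pm['bot_id']}", chat_id=chat_id)

    raise ValueError(f"unrecognised C2 format: {c2!r}")


def indicators() -> list[Indicator]:
    return [parse_c2(fam, c2) for fam, c2 in EXTRACTED]


# Constructed proxy/firewall log lines for the demo, not taken from the report.
SAMPLE_LOG = [
    "2022-01-06T10:57:01Z host=WS-17 dst=79.134.225.72:2233 proto=tcp action=allow",
    "2022-01-06T10:57:04Z host=WS-17 url=https://api.telegram.org/bot1982610890:REDACTED/sendMessage?chat_id=860277004",
    "2022-01-06T10:58:10Z host=WS-03 url=https://api.telegram.org/bot555:REDACTED/getUpdates",
    "2022-01-06T10:59:00Z host=WS-17 dst=23.105.131.207:443 proto=tcp action=allow",
]


def match_log(lines, inds) -> list[tuple[str, str]]:
    """Return (family, line) for each log line containing an indicator key."""
    hits = []
    for line in lines:
        for ind in inds:
            if ind.key in line:
                hits.append((ind.family, line))
    return hits


if __name__ == "__main__":
    for ind in indicators():
        print(ind)
    for family, line in match_log(SAMPLE_LOG, indicators()):
        print(family, "<-", line)
```

Two design choices worth noting. The Telegram value is a credential (`bot<id>:<secret>`), not an infrastructure address: api.telegram.org is shared with legitimate clients, so blocking the host is rarely acceptable, and the rule above keys on the numeric bot id plus chat_id, which survives proxies that redact the secret. The ip:port keys are deliberately port-sensitive, which is why the last sample line (same WarzoneRAT host, port 443) is not a hit; relax `key` to the bare IP if broader, noisier coverage is wanted.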

Targets

    • Target

      d651267983ddfaf1e86e4cf0a90c0d79.exe

    • Size

      553KB

    • MD5

      d651267983ddfaf1e86e4cf0a90c0d79

    • SHA1

      ea986acc881d0a7d50050a5fb1d31eefa0fbfb0a

    • SHA256

      597fe94395dcd3432d4ddf6c26524a5554c8dbcc48573936203b48df42ef5e02

    • SHA512

      e25a435797f26c7966f790bf7d38ae0a6d725739a97d83a66e0fc50884a85c8078df7f08bf073538d654df4b5f33402a9a2e2071b2315f3e3312627df6551eae

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Async RAT payload

    • Warzone RAT Payload

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store user data, including account settings and credentials, on disk, where infostealers commonly target it.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, such as saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

      Consistent with the extracted AsyncRAT config (install true, install_folder %AppData%, install_file Asyn.exe): a copy at %AppData%\Asyn.exe started via a Run key.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Setting the thread context of another process, typically a suspended child whose image has been replaced, is the step that redirects execution into injected code in process hollowing and related injection techniques.
