Overview

overview

10

Static

static

4f689ad254...4e.exe

windows7_x64

10

4f689ad254...4e.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4f689ad2542e385c696d18df256e474e.exe

  • Size

    834KB

  • Sample

    220122-1argnsdbh6

  • MD5

    4f689ad2542e385c696d18df256e474e

  • SHA1

    719a2ff49e7f8d5ac4a7b0f7dc2256f8ed45a541

  • SHA256

    e7e4f472ffb41d0c2678ceac5a5c236242d46a6c781cf8431b661a3493a05eae

  • SHA512

    ae60db8a63c035b2ff322f705b05ce358cac980b4bae750f4a29b8bdee52d89a7bf8c84024add4aa4c65ef0cc71e5b03081b69095599648b430bfb8f1299fb35

Score
10/10
asyncratdefaultevasionpersistencerattrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

5.230.72.132:6606

5.230.72.132:7707

5.230.72.132:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Targets

    • Target

      4f689ad2542e385c696d18df256e474e.exe

    • Size

      834KB

    • MD5

      4f689ad2542e385c696d18df256e474e

    • SHA1

      719a2ff49e7f8d5ac4a7b0f7dc2256f8ed45a541

    • SHA256

      e7e4f472ffb41d0c2678ceac5a5c236242d46a6c781cf8431b661a3493a05eae

    • SHA512

      ae60db8a63c035b2ff322f705b05ce358cac980b4bae750f4a29b8bdee52d89a7bf8c84024add4aa4c65ef0cc71e5b03081b69095599648b430bfb8f1299fb35

    Score
    10/10
    asyncratdefaultevasionpersistencerattrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Windows security bypass

      evasiontrojan

    • Async RAT payload

      rat

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2
T1089

Modify Registry

3
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks