General

  • Target

    Invoices_Paid.exe

  • Size

    206KB

  • Sample

    220125-tfydvaadfp

  • MD5

    8f5bdc03c40f3b229a6b701382d752cc

  • SHA1

    f33ffdb1be12ed5ba8485a0947a4ac8aec1ef1ac

  • SHA256

    3372f25780aedadbffd5d74b9b8f1d6464f97d2083288cce50738fe3a51cb582

  • SHA512

    f16b97af5437b0513adb551f4bb6a56d8db9c8e1a1431acd93eff5a7a828fc46ea1f7747ed305970a173121a0731feee2bce8286189e1fc1b23638d041fff661

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

192.210.214.230:6606

Mutex

AbggsyDCDCDAncMuAtexee_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_file

    asyn.exe

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Targets

    • Target

      Invoices_Paid.exe

    • Size

      206KB

    • MD5

      8f5bdc03c40f3b229a6b701382d752cc

    • SHA1

      f33ffdb1be12ed5ba8485a0947a4ac8aec1ef1ac

    • SHA256

      3372f25780aedadbffd5d74b9b8f1d6464f97d2083288cce50738fe3a51cb582

    • SHA512

      f16b97af5437b0513adb551f4bb6a56d8db9c8e1a1431acd93eff5a7a828fc46ea1f7747ed305970a173121a0731feee2bce8286189e1fc1b23638d041fff661

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

      suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    • Async RAT payload

    • Executes dropped EXE

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Tasks