2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe

General

Target: 2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
Size: 6MB
Sample: 220517-qbgzhscbf5
Score: 10/10
MD5: 5f9e61796a21e65f9a03f92ee6a8f6d8
SHA1: d6032fd04db0fbb6195b6e8d31491a3fc289f1ce
SHA256: 2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba
SHA512: 402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb

Malware Config

Extracted
Language: ps1
Deobfuscated URLs:
  ps1.dropper: http://supportnimbuzz.hexat.com/3/Att.jpg

Extracted
Language: ps1
Deobfuscated URLs:
  ps1.dropper: https://cdn.discordapp.com/attachments/934436223181787207/937137622730559579/Att.jpg

Extracted
Language: ps1
Deobfuscated URLs:
  ps1.dropper: https://cdn.discordapp.com/attachments/935877066816114718/938236541149515816/Att.jpg

Extracted
Family: njrat
Version: 0.7NC
Botnet: NYAN CAT
C2: ameen.myftp.biz:7788
Attributes:
  reg_key: 76420c32f4f
  splitter: @!#&^%$

Extracted
Family: njrat
Version: 0.7.3
Botnet: Lime
C2: worm.access.ly:7778
Attributes:
  reg_key: Adobe.exe
  splitter: 12345

Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: newworld.mypsx.net:8877
Attributes:
  delay: 3
  install: false
  install_file: rdpclip.exe
  install_folder: %AppData%
  aes.plain:
Targets

Target: 2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
Signatures

  • AsyncRat: AsyncRAT is designed to remotely monitor and control other computers.
  • njRAT/Bladabindi: Widely used RAT written in .NET.
  • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
  • Async RAT payload
  • Blocklisted process makes network request
  • Executes dropped EXE
  • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    TTPs: Query Registry, System Information Discovery
  • Drops startup file
  • Loads dropped DLL
  • Suspicious use of SetThreadContext
Tasks

static1: 8/10
behavioral1: 10/10