Overview

overview

10

Static

static

AWB#530532...df.exe

windows7_x64

10

AWB#530532...df.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e3ec61e0c6ac38b3d6d1371fa70634fa7f1b9bbefc7b2980d875982ba852ec63

  • Size

    240KB

  • Sample

    220521-cd26ksdfh8

  • MD5

    5cc5eb847777a649da39a1b452be18eb

  • SHA1

    d150248fe74342c94b69fb9d1a19731cadb68522

  • SHA256

    e3ec61e0c6ac38b3d6d1371fa70634fa7f1b9bbefc7b2980d875982ba852ec63

  • SHA512

    cb9e638bb28d3e84bb1f5e1a2db5f42e6b60ca0f4ffc403cfe55fedb0716677dfe199309d3ffed3554c5cd037f7de5f865f9991f5bd5cb5d6d28944116d76568

Score
10/10
asyncratmay11thupcoreentityratrezer0

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MAY11thUP

Mutex

chizzy25@!7^UP

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/HKYwiN9V

aes.plain

Targets

    • Target

      AWB#5305323204643,pdf.exe

    • Size

      180KB

    • MD5

      9be5fc19a414a94352b127af2424ac86

    • SHA1

      8ae697c2bce8190f4bc324e0553ca111dd9bb8a6

    • SHA256

      fba5658815c50ae760c7baf3e1bd1bc7f3f78a7bf71066c4b4502b755b35826c

    • SHA512

      2486d1945fcf5491db7ee9938a327fcfb1f88d98be52d4c7905a79821cc3188e030a44892364c2c6d38c6154dfef98f0423f75a8078c004183e192706889705d

    Score
    10/10
    asyncratmay11thupcoreentityratrezer0

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • Async RAT payload

      rat

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks