General

  • Target

    5af88b2d9a192241b2b0e52aed733bdeb190a4af07eacc6940520f7441c04953

  • Size

    58KB

  • Sample

    220521-plcl4sfee3

  • MD5

    34917314f6eed1ac3c5156f3bad50b70

  • SHA1

    bb74a3244aec643be2e9e88c09c074f6ec198222

  • SHA256

    5af88b2d9a192241b2b0e52aed733bdeb190a4af07eacc6940520f7441c04953

  • SHA512

    3ba80f6d199071cac9b4285c886b9fd868a5496dcf900a83579b8d9595b52fd6a54512ef3bcc0327c9628012a62d6d9bf7a941028523b8c10a63dee658d09ed9

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    0.5.7B

  • Botnet

    GOD'S MERCY

  • Mutex

    AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/reQxa5Ah

aes.plain

Targets

    • Target

      MAJDALANI INOX S.A Pedido 050820.exe

    • Size

      211KB

    • MD5

      d5fde7482c0a5271e68c211f9e75e7b6

    • SHA1

      c0f734e5c0dcf8fc8527dc4c96bd7bdeb96a245b

    • SHA256

      af9b543c27aeb1cb25c7ced83b727b29ab7dc4a91e28b5693d52f810aedab2f6

    • SHA512

      ab65a13b031632be848f1676dc6459223c8be4caa34b39343fe1f1eb37c65612359b3bd2ca174df5dae519a68b75463be95b2ea8f27bb340b943c13042872d38

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Modifies WinLogon for persistence

    • Async RAT payload

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Winlogon Helper DLL (1) T1004

    Registry Run Keys / Startup Folder (1) T1060

  • Defense Evasion

    Modify Registry (2) T1112

  • Command and Control

    Web Service (1) T1102

Tasks