Overview

overview

10

Static

static

AWB#530532...df.exe

windows7_x64

10

AWB#530532...df.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6c7051d2b3a809e748a98a87a0a75270000a94bb0adc035965516c1573c49671

  • Size

    157KB

  • Sample

    220521-xla3aafccq

  • MD5

    3e4e5c3de3b524ab2b2bdc0d5e6b2b63

  • SHA1

    680d68b7b7695d637a7071e592eefd4dc0d93f45

  • SHA256

    6c7051d2b3a809e748a98a87a0a75270000a94bb0adc035965516c1573c49671

  • SHA512

    f09d675e65c34f6016fbe4094555b0db1c6543271451d7be816547b378f3a88e20dd8cc679927d76ac108ce53c757ad4cb53cbf20bdef7df2e3d785473f03ba1

Score
10/10
asyncratawkasundaynightcoreentityratrezer0

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

AWKASUNDAYNIGHT

Mutex

chizzy25@!7^UPC

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/HKYwiN9V

aes.plain

Targets

    • Target

      AWB#5305323204669,pdf.exe

    • Size

      233KB

    • MD5

      dab03f72d77a672205cc10130d2654c6

    • SHA1

      83241c5520fdfc26aa7fe4d282f7e7de9018616b

    • SHA256

      79125331a3e97dca7542b0f146bcb41429eebf7b790014317463c9239601421a

    • SHA512

      1fad7ea231e95080ceef91d02d972db60a8d9096a7d6b3c7d50243b62eb7b07999d1af919787c11f9d3bae8d0fe257e4b97b6fada39e0cf436ef6d00423b5262

    Score
    10/10
    asyncratawkasundaynightcoreentityratrezer0

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • Async RAT payload

      rat

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks