General

  • Target

    c911b267644232d296b1dd36c37c809f.exe

  • Size

    71KB

  • Sample

    220704-wkp95saeek

  • MD5

    c911b267644232d296b1dd36c37c809f

  • SHA1

    13be3f9d82e211c6f42773dc6314c5602161b4af

  • SHA256

    c327e0bb7b25ead31df024b6a7924edb204c13d5ff2c1ad64af10f913b4d8abc

  • SHA512

    69fa72cbe24ad779cba4b6ca44672a48912f6f7f0a4bfd2a4755a040bf7fa1d00e69f6566868d9c3245f4b77da55979f9c450a155b84fcf3917bfa93502b8ee4

Malware Config

Extracted

Family

asyncrat

Version

true

Botnet

Linkvertise A

Mutex

RRAT_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    Explorer.exe

aes.plain

Targets

    • Target

      c911b267644232d296b1dd36c37c809f.exe

    • Size

      71KB

    • MD5

      c911b267644232d296b1dd36c37c809f

    • SHA1

      13be3f9d82e211c6f42773dc6314c5602161b4af

    • SHA256

      c327e0bb7b25ead31df024b6a7924edb204c13d5ff2c1ad64af10f913b4d8abc

    • SHA512

      69fa72cbe24ad779cba4b6ca44672a48912f6f7f0a4bfd2a4755a040bf7fa1d00e69f6566868d9c3245f4b77da55979f9c450a155b84fcf3917bfa93502b8ee4

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

      suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

      suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Async RAT payload

    • XMRig Miner Payload

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Command and Control

Web Service

1
T1102

Tasks