General

  • Target

    0x0009000000008527-56.dat

  • Size

    64KB

  • Sample

    220704-wqvf2saegn

  • MD5

    c75c0d8d46633692c979eb6fbd26094e

  • SHA1

    b3945681b32a90f00ef2fd2af2eb4f5d4208c75d

  • SHA256

    bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393

  • SHA512

    5d4ecd6c3fee2cf25cdfc4c6abbb389b261016b805ab1f6c4f0918143df6b02f0647d6ba87b1169ef0040ea9afd0dd22ce2612e2600b48e6dd9ffd7be99a1067

Malware Config

Extracted

Family

asyncrat

Version

true

Botnet

Linkvertise A

Mutex

RRAT_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    Explorer.exe

aes.plain

Targets

    • Target

      0x0009000000008527-56.dat

    • Size

      64KB

    • MD5

      c75c0d8d46633692c979eb6fbd26094e

    • SHA1

      b3945681b32a90f00ef2fd2af2eb4f5d4208c75d

    • SHA256

      bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393

    • SHA512

      5d4ecd6c3fee2cf25cdfc4c6abbb389b261016b805ab1f6c4f0918143df6b02f0647d6ba87b1169ef0040ea9afd0dd22ce2612e2600b48e6dd9ffd7be99a1067

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

      suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

      suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    • Async RAT payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Command and Control

Web Service

1
T1102

Tasks