General

  • Target

    Doc#27350.doc

  • Size

    343KB

  • Sample

    220704-wzas1acfc8

  • MD5

    85023e48359b4e870cbed0b920b79700

  • SHA1

    db4e114dfabeda0a1a903cbe8ba74d0c657a2468

  • SHA256

    8db7e417fd4e3745b61868559ebad0429ca000d0dc5db7f24ab256f7e62d0b86

  • SHA512

    001c726a71704b348a0878811a93d078e1b639c6b6d131914de48f4c0a33ddfdf26be70840c8055a8c59735ca1017cc6d9c8c421a44f4ff1a697d762c49f195b

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Eloasync

C2

91.192.100.7:8282

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    images.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Doc#27350.doc


    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                           Count  ID
  Execution              Scheduled Task                      1      T1053
  Execution              Exploitation for Client Execution   1      T1203
  Persistence            Scheduled Task                      1      T1053
  Privilege Escalation   Scheduled Task                      1      T1053
  Defense Evasion        Modify Registry                     1      T1112
  Discovery              System Information Discovery        3      T1082
  Discovery              Query Registry                      2      T1012

Tasks