Overview

overview

10

Static

static

10

9f7d48fd36...d6.exe

windows7_x64

9f7d48fd36...d6.exe

windows10-2004_x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9f7d48fd36a1493b4c25131f95339bd6.exe

  • Size

    48KB

  • Sample

    220707-fy9b6sfgb3

  • MD5

    9f7d48fd36a1493b4c25131f95339bd6

  • SHA1

    d6623ce807d0c8edfaa455f978912d2dda9e83ea

  • SHA256

    80568be5a0b6b9d96b0dde9a45d9b9ae74f9cd97af8f9ae533904ff804bec8e0

  • SHA512

    169b335730e20f35cf0eff52c05c805de2dfc9f66245682bfffbce9ee34237141cc1837e5ecc8e1ca19e66dd128aa027f033161002905042b589aa1a2d86dae0

Score
10/10
asyncratdefaultevasionratspywarestealersuricataupxvmprotect

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

7.tcp.eu.ngrok.io:12728

Mutex

whrjiouwrhjnwui

Attributes
  • delay

    1

  • install

    true

  • install_file

    MsEdge.exe

  • install_folder

    %Temp%

aes.plain

Targets

    • Target

      9f7d48fd36a1493b4c25131f95339bd6.exe

    • Size

      48KB

    • MD5

      9f7d48fd36a1493b4c25131f95339bd6

    • SHA1

      d6623ce807d0c8edfaa455f978912d2dda9e83ea

    • SHA256

      80568be5a0b6b9d96b0dde9a45d9b9ae74f9cd97af8f9ae533904ff804bec8e0

    • SHA512

      169b335730e20f35cf0eff52c05c805de2dfc9f66245682bfffbce9ee34237141cc1837e5ecc8e1ca19e66dd128aa027f033161002905042b589aa1a2d86dae0

    Score
    10/10
    asyncratdefaultratspywarestealersuricatavmprotectevasionupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

      suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

      suricata

    • Async RAT payload

      rat

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

7
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks