General

  • Target

    a4a07aba20cfae97abe924cc323a6614

  • Size

    1.1MB

  • Sample

    220721-yvd1zahhc2

  • MD5

    a4a07aba20cfae97abe924cc323a6614

  • SHA1

    6973d915762cafe75102b6f907e1aeb4232d22d7

  • SHA256

    78915bc8ddd68219bd15458305214f8dbb4d5f24d90a91ad044be8a2dc79e0b4

  • SHA512

    a60a057117f5ce27243d1327bb0454ef5a33a9c6560ca9ddb378d4c07779f28dabb35b8571154811525fb261c8347c24e182dfbad5d4be56f720c211d4007b99

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

luispereiralora09.con-ip.com:1990

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • aes.plain

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

albertogiraldolora09.duckdns.org:1991

Mutex

c033a676902f4

Attributes
  • reg_key

    c033a676902f4

  • splitter

    @!#&^%$
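The extracted njRAT splitter (@!#&^%$) replaces the stock "|'|'|" separator, so generic njRAT decoders that hard-code the default will mis-split this variant's traffic. The following parser is an added example (not code from the report or from njRAT) that applies the sample's own splitter to njRAT's length-prefixed framing as described in public analyses: each message is an ASCII decimal length, a NUL byte, then that many payload bytes, with fields separated by the splitter. The sample stream is constructed, not captured; the field layout of the "ll" check-in follows the public njRAT 0.7d source, and treating the 0.7NC build the same way is an assumption.

```python
import base64

# Splitter extracted from this sample's njRAT config; stock njRAT builds use "|'|'|".
SPLITTER = "@!#&^%$"


def frame(payload: bytes) -> bytes:
    """Wrap one message in njRAT's wire framing: ASCII decimal length, NUL, payload."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def read_frames(stream: bytes):
    """Split a raw TCP byte stream into complete njRAT payloads.

    Returns (payloads, leftover); leftover is a trailing partial frame that
    needs more bytes before it can be parsed.
    """
    payloads = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break  # length prefix not complete yet
        prefix = stream[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"bad length prefix {prefix!r} at offset {pos}")
        length = int(prefix)
        start = nul + 1
        if start + length > len(stream):
            break  # payload not complete yet
        payloads.append(stream[start:start + length])
        pos = start + length
    return payloads, stream[pos:]


def parse_message(payload: bytes, splitter: str = SPLITTER):
    """Return (command, fields) by splitting a payload on the configured splitter."""
    parts = payload.decode("utf-8", errors="replace").split(splitter)
    return parts[0], parts[1:]


def parse_registration(fields):
    """Decode the fields of an 'll' check-in.

    Layout follows the public njRAT 0.7d source (field 0 is base64 of
    '<botnet>_<hwid>'); applying it to the 0.7NC variant is an assumption.
    """
    victim = base64.b64decode(fields[0]).decode("utf-8", errors="replace")
    botnet, _, hwid = victim.rpartition("_")
    return {
        "botnet": botnet,
        "hwid": hwid,
        "hostname": fields[1],
        "username": fields[2],
        "install_date": fields[3],
        "os": fields[5],
        "camera": fields[6],
        "version": fields[7],
        "active_window": fields[9] if len(fields) > 9 else "",
    }


def build_sample_stream() -> bytes:
    """Constructed traffic (not a capture): a check-in, a keepalive, and a partial frame."""
    # Botnet name "NYAN CAT" is from the extracted config; the HWID and host details are made up.
    victim_id = base64.b64encode(b"NYAN CAT_7A3F91C0").decode("ascii")
    checkin = SPLITTER.join([
        "ll", victim_id, "DESKTOP-LAB", "analyst", "22-07-21", "",
        "Win 10 Pro SP0 x64", "No", "0.7NC", "..", "Program Manager", "",
    ]).encode("utf-8")
    keepalive = b"P"  # njRAT keepalive command with an empty body
    # 12 bytes announced but only 6 present: read_frames must hold this back.
    partial = b"12\x00inf" + SPLITTER.encode("ascii")[:3]
    return frame(checkin) + frame(keepalive) + partial


if __name__ == "__main__":
    payloads, leftover = read_frames(build_sample_stream())
    for p in payloads:
        cmd, fields = parse_message(p)
        print(cmd, parse_registration(fields) if cmd == "ll" else fields)
    print("leftover:", leftover)
```

Feeding a pcap's reassembled TCP payload into read_frames and swapping SPLITTER for the value of another sample's config is all that is needed to reuse this on a different njRAT build; the partial-frame handling matters because check-ins routinely span segment boundaries.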

Targets

    • Target

      a4a07aba20cfae97abe924cc323a6614

    • Size

      1.1MB

    • MD5

      a4a07aba20cfae97abe924cc323a6614

    • SHA1

      6973d915762cafe75102b6f907e1aeb4232d22d7

    • SHA256

      78915bc8ddd68219bd15458305214f8dbb4d5f24d90a91ad044be8a2dc79e0b4

    • SHA512

      a60a057117f5ce27243d1327bb0454ef5a33a9c6560ca9ddb378d4c07779f28dabb35b8571154811525fb261c8347c24e182dfbad5d4be56f720c211d4007b99

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

      Emerging Threats rule that matches the self-signed TLS certificate pattern AsyncRAT servers present; consistent with the AsyncRAT C2 extracted above.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      Emerging Threats rule that matches the njRAT "ll" check-in message sent right after the client connects; consistent with the njRAT C2 extracted above.

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

      Emerging Threats rule that matches a TLS certificate previously observed on AsyncRAT C2 servers.

    • Async RAT payload

      AsyncRAT client payload detected. Its extracted config has install set to false, so this component does not install itself.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Adds Run key to start application

      Persistence through a value under the CurrentVersion\Run registry key. With install=false on the AsyncRAT side, this is most likely the njRAT component writing its reg_key value (c033a676902f4).

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is the usual final step of process hollowing, where a suspended process's entry point is redirected into injected code.
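The extracted configs give host and network indicators that can be turned into detection logic directly: the two C2 hostnames with their ports, and the njRAT reg_key that becomes the Run key value name (the AsyncRAT component has install=false, so no AsyncRAT Run key is expected). The script below is an added example, not part of the report, that runs such checks over Sysmon-style events (DNS query, network connection, registry value set). The events are constructed in Sysmon field naming and are not a capture from this sample; the image path sys.exe and the SID are made up. The mutex names (AsyncMutex_6SI8OkPnk, c033a676902f4) are left out because Sysmon does not log mutex creation; they are for memory or handle triage.

```python
import json

# Indicators taken from the extracted configs on this page.
C2 = {
    "luispereiralora09.con-ip.com": ("AsyncRAT", 1990),
    "albertogiraldolora09.duckdns.org": ("njRAT", 1991),
}
NJRAT_RUN_VALUE = "c033a676902f4"  # njRAT reg_key, written as a Run key value name


def match_event(ev: dict):
    """Return (family, reason) for one Sysmon-style event, or None if it is clean."""
    eid = ev.get("EventID")
    if eid == 22:  # DNS query
        hit = C2.get(ev.get("QueryName", "").lower())
        if hit:
            return hit[0], f"DNS lookup of C2 host {ev['QueryName']}"
    elif eid == 3:  # network connection
        hit = C2.get(ev.get("DestinationHostname", "").lower())
        if hit:
            port = ev.get("DestinationPort")
            # Still a hit on a different port; note the mismatch for the analyst.
            note = "" if port == hit[1] else f" (config port is {hit[1]})"
            return hit[0], f"connection to C2 host on port {port}{note}"
    elif eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        if "\\CurrentVersion\\Run\\" in target and target.rsplit("\\", 1)[-1] == NJRAT_RUN_VALUE:
            return "njRAT", f"Run key persistence value {NJRAT_RUN_VALUE}"
    return None


def scan(lines):
    """Scan JSON-lines events; return [(RecordNumber, family, reason), ...]."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        m = match_event(ev)
        if m:
            hits.append((ev.get("RecordNumber"), m[0], m[1]))
    return hits


# Constructed events in Sysmon field naming; not a capture from this sample.
SAMPLE_LOG = r"""
{"RecordNumber": 1, "EventID": 22, "Image": "C:\\Users\\lab\\AppData\\Roaming\\sys.exe", "QueryName": "luispereiralora09.con-ip.com"}
{"RecordNumber": 2, "EventID": 3, "Image": "C:\\Users\\lab\\AppData\\Roaming\\sys.exe", "DestinationHostname": "albertogiraldolora09.duckdns.org", "DestinationPort": 1991}
{"RecordNumber": 3, "EventID": 13, "Image": "C:\\Users\\lab\\AppData\\Roaming\\sys.exe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\c033a676902f4"}
{"RecordNumber": 4, "EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "www.mozilla.org"}
{"RecordNumber": 5, "EventID": 3, "Image": "C:\\Users\\lab\\AppData\\Roaming\\sys.exe", "DestinationHostname": "luispereiralora09.con-ip.com", "DestinationPort": 443}
{"RecordNumber": 6, "EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"}
"""


if __name__ == "__main__":
    for rec, family, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"record {rec}: {family}: {reason}")
```

Record 5 shows why the hostname is matched on its own and the port only annotated: both C2 hosts are dynamic DNS names under the operator's control, so a connection to one on any port is worth a look, and the config port is reported as context rather than used as a filter.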

MITRE ATT&CK Enterprise v6

Tasks