General

  • Target

    tmp

  • Size

    88KB

  • Sample

    220728-ntm75sfch5

  • MD5

    a3d6ec93a72892f8617aa52479e25288

  • SHA1

    effd448f53b2cbd7686ec5fdf09fc417957fc16d

  • SHA256

    77d67f012ba8a050c1885f2ab7b7b9057c1af8720ee3208b144526e1ea1652d4

  • SHA512

    961ea88112aae0198f6760de147d9a3d98ce2d4e833a8868eaee2c4e40c0504f5f8052b9c87843960642c795d31132cec2d3a391d5aa43f8a2d7413726214d7b

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

dropy.ddns.net:22

dropy1.ddns.net:22

dropy2.ddns.net:22

Mutex

DcRatMutex_qwqdanchun

Attributes

  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Detect Neshta payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread and cause damage.

    • Async RAT payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar information.
