Overview

overview

10

Static

static

dawdwadaw.scr

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dawdwadaw.scr

  • Size

    681KB

  • Sample

    220823-r3etxafdgn

  • MD5

    0cfa5f7c008e3dc2df275a99aef9cbbb

  • SHA1

    51ebdbc8a8227667b20b5cb40f17ff1bb8550098

  • SHA256

    e4f59660bf5047db2ed2539ef9a3e81724909809dc17c4f513debe261e1774e1

  • SHA512

    bac124c7bd934b1bc9ba9fd09ada77fe2c37208637337a349f2ee213f91e81ae401e3ec9910a7cfe7aff991d49be986d448ab6a834cb1b9709ceccb4f64bb37e

  • SSDEEP

    12288:C3c6vReZYEe4Wp0ZtExFUH17EjGh1aoNRtwamePvNVtQe:C3c6vAZYd4jKoiIFRmePvNVtn

Score
10/10
asyncratblacknetsecurityhealth servicewindows defendersmartscreenwindowssystem guardruntimexsfcrgdiscoverypersistenceratspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WindowsSystem GuardRuntime

C2

217.64.31.3:8437

Mutex

WindowsSystem GuardRuntime

Attributes
  • delay

    3

  • install

    false

  • install_file

    WindowsSystem Guard Runtime.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

XSFcRG

C2

http://fakirlerclub.xyz/blacknet

Mutex

BN[ac95ac7ad595b3dbd5ad73e4bf7daac9]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    e162b1333458a713bc6916cc8ac4110c

  • startup

    false

  • usb_spread

    false

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SecurityHealth Service

C2

217.64.31.3:8437

Mutex

SecurityHealth Service

Attributes
  • delay

    3

  • install

    false

  • install_file

    SecurityHealth Service.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Windows DefenderSmartScreen

C2

217.64.31.3:9742

Mutex

Windows DefenderSmartScreen

Attributes
  • delay

    1

  • install

    false

  • install_file

    Windows DefenderSmartScreen

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      dawdwadaw.scr

    • Size

      681KB

    • MD5

      0cfa5f7c008e3dc2df275a99aef9cbbb

    • SHA1

      51ebdbc8a8227667b20b5cb40f17ff1bb8550098

    • SHA256

      e4f59660bf5047db2ed2539ef9a3e81724909809dc17c4f513debe261e1774e1

    • SHA512

      bac124c7bd934b1bc9ba9fd09ada77fe2c37208637337a349f2ee213f91e81ae401e3ec9910a7cfe7aff991d49be986d448ab6a834cb1b9709ceccb4f64bb37e

    • SSDEEP

      12288:C3c6vReZYEe4Wp0ZtExFUH17EjGh1aoNRtwamePvNVtQe:C3c6vAZYd4jKoiIFRmePvNVtn

    Score
    10/10
    asyncratblacknetsecurityhealth servicewindows defendersmartscreenwindowssystem guardruntimexsfcrgdiscoverypersistenceratspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

      trojanblacknet

    • BlackNET payload

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies WinLogon for persistence

      persistence

    • Async RAT payload

      rat

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks