General

  • Target

    yuHJeufffffff8737uh3uHIE.ps1

  • Size

    4KB

  • Sample

    220911-kepwmsfagr

  • MD5

    7d89d808c112fcacd605d6e2f7880bc0

  • SHA1

    f558936651ec6b68b901ec5a9d393bf010ba3bbe

  • SHA256

    e1ec18d812cd23784d48713517923d54466d6cdb965e145a84dcad71fe34fa3f

  • SHA512

    07722d34b05d7a7fbe3d4d7f86d1b0b5401564ea4c4e5014f1bec1240c60a2e286cdcc491c3ab99eff03354921824655ae4c46575252120fd811ccca883f2cdb

  • SSDEEP

    96:+HLGX17KgHsAXINxdw231em/UmdSO3N+SWt2/Km7W2ODWXOOVOhi+PLK:eGFShemcm8Od+SY2ym7W2ODW+OVOhi+e

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs

    exe.dropper

    https://drive.google.com/uc?export=download&id=1OJfbJ_dhQBde1xgPcrCZtuc4R0yW7q9h

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://drive.google.com/uc?export=download&id=1NFPW2Ow39jmb088Vm7c4Lh2mJ767F4nH

Extracted

  • Family

    asyncrat

  • Version

    1.0.7

  • Botnet

    Default

  • C2

    zerocool888.duckdns.org:8848

    zerocool888.duckdns.org:8898

  • Mutex

    DcRatMutex_imlegion

  • Attributes

      • delay

        1

      • install

        false

      • install_folder

        %AppData%

  • aes.plain

Targets

    • Target

      yuHJeufffffff8737uh3uHIE.ps1

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • UAC bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Async RAT payload

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks