General

  • Target

    1.exe

  • Size

    799KB

  • Sample

    220925-s2p4xsgdgq

  • MD5

    98d7999986d63fbd914bddc3d7b7ecf9

  • SHA1

    7c528fb3cc427791482f7a84923a21621cfb9675

  • SHA256

    144a026bb63a29b36a3437094c4f53cf1cb135edcbe15ab06e35fb8759129bfc

  • SHA512

    13bb42bf2078b3407af5786e9c1d057a306cba561519f905e4ba3fa1acaf8687551c70941775daa89394384808b6524659cda354a715e5ab3c3cba558c065616

  • SSDEEP

    12288:v41SrH22qla5w/yXbxixFcRMFQIkeNCSo9mbX8:v0SrH0MW/IbxiYCQIkeNCSBQ

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    0.5.7B

  • Botnet

    Windows System Guard Runtime

  • C2

    217.64.31.3:8808

    217.64.31.3:8437

  • Mutex

    Windows System Guard Runtime

  • Attributes

    • delay

      3

    • install

      false

    • install_file

      Windows Session Manager

    • install_folder

      %AppData%

  • aes.plain

Targets

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Detect PureCrypter loader

    • Modifies WinLogon for persistence

    • PureCrypter

      PureCrypter is a loader which is intended for downloading and executing additional payloads.

    • Async RAT payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Winlogon Helper DLL (1) T1004

    Registry Run Keys / Startup Folder (1) T1060

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Modify Registry (3) T1112

    Install Root Certificate (1) T1130

  • Discovery

    Query Registry (1) T1012

    System Information Discovery (2) T1082

  • Command and Control

    Web Service (1) T1102
