General

  • Target

    Document#4443-2525-2461.iso

  • Size

    544KB

  • Sample

    220926-qn8b8sahd7

  • MD5

    af81692bd7a3fd6b7a6ee02f0c7ebcb7

  • SHA1

    43ede2a0efbac1192b2e5917dfff79a5c5e46964

  • SHA256

    64ed36c7f960badf5ddbc305800988f28e6e3fbc43698a4385bade60ea922237

  • SHA512

    136dd184e1cc6cefc968d1460e2ac2d3e911fce95f1039e3cb2782d110f6d4e9185c6cd436acbf3e236ceff47150c8d48a25c9ab912bdc33fc3ec8a4fad6d5c5

  • SSDEEP

    96:5dn3NHrq6cocqajqnloDRRxhmmLCCWG6MG69G6ZG6AG6DG69G65G6QG69G6FG6l3:poh7on3UkvDke16

Score: 10/10

Malware Config

Extracted

Language: ps1

Source URLs

exe.dropper: https://cibremustofrltrixifiqislfrus3ldrunaxiwokuro.s3.eu-west-3.amazonaws.com/Document.pdf

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

27/9

C2

d1x3x.selfip.com:6666

d1x3x.linkpc.net:6666

Mutex

AsyncMutex_WithNewHost

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Document#4443-2525-2461.bat

    • Size

      11KB

    • MD5

      c9b538891dc3400a88149c458de9cf5f

    • SHA1

      b1a2360126727576f03869d2d91d3ce16603cd16

    • SHA256

      8f9a07191ed4133d3d4a282c3469f47e8976724256297951fdfbccdea9f1462d

    • SHA512

      8fa871679922eb507fa16196ca18f3c545e6586f2021d520837863c6659b84d879df93e2d4b890e7e52677129e419e16f6083cde371e2102cccf76b10e334ec2

    • SSDEEP

      96:kG6MG69G6ZG6AG6DG69G65G6QG69G6FG6lk9G6bG64G6mG6rDTG6rG6tG697IkIc:2n3UkvDke166

    Score: 10/10
    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  Scheduled Task (T1053): 1

Persistence
  Scheduled Task (T1053): 1

Privilege Escalation
  Scheduled Task (T1053): 1

Discovery
  Query Registry (T1012): 1
  System Information Discovery (T1082): 2

Tasks