General

  • Target

    Thailand.zip

  • Size

    2KB

  • Sample

    220926-y7ywxabhh2

  • MD5

    0971d1689e1575ed1d990f93a14072c7

  • SHA1

    f0d033e393f51b6b5edbda21d677fc43efc7c943

  • SHA256

    8d73fd55f8ead89828cc7743a144f02619ca38788d701b2069daa3a2e8b722a9

  • SHA512

    edd1e15a74a0ed4b842ce258dc9ea900fc10a61d24f64cec9b8bfd80754b13b0c12ac9f436b48806a8b9a299991ca52e437d917d2095af97df4059ca3c1bf8ac

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

worldpassed.publicvm.com:199

Attributes
delay
3
install
false
install_folder
%AppData%
aes.plain

Targets

    • Target

      Thailand/Consulate-update.lnk

    • Size

      1KB

    • MD5

      dc259fbc059c48cdab784cd6f9e0c5dd

    • SHA1

      d465f6ce2dc9e4e69afe583747a412cc6fb75cda

    • SHA256

      ba0f1aeca62265b9b700b6f88031b156a75ed59aa2541b33e4d710112433130f

    • SHA512

      45c7a54c0b789c5c346dba71e1ccce2230ea8c43da5f0ad916946b3df7435e3e9ec6eaabbc7fb79c34cac37c39fc8b3d2a519d73ba0f352ea6bc31a4e0c7a644

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • UAC bypass

    • Async RAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      Thailand/Th-Pass/Consulate-update.bat

    • Size

      42KB

    • MD5

      bdd44c10654add788dcba23da9089978

    • SHA1

      33c482e714965393305acbdf9a596e20ce09d5c2

    • SHA256

      11dd5d54f65eedcf032a3424a2fb4bc558f00574a8c26590ef234249f5738638

    • SHA512

      49fdd5de2f6654ac0e9f4ccd0bcfb4db6b60feaa28e39b3678b49907ebaab6970b14c4d5f38a61f07cb2d23ef5a18536dcd483c9b8988fe23a67329c19b19e52

    • SSDEEP

      96:fEOEY6iJOAFOg7OPV1Hzf7yAMHteKOVXO6zfMHg:xxCPQtuY82g

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • UAC bypass

    • Async RAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                  Privilege Escalation

                  Tasks