General

  • Target

    Thailand.zip

  • Size

    2KB

  • Sample

    220926-y7ywxabhh2

  • MD5

    0971d1689e1575ed1d990f93a14072c7

  • SHA1

    f0d033e393f51b6b5edbda21d677fc43efc7c943

  • SHA256

    8d73fd55f8ead89828cc7743a144f02619ca38788d701b2069daa3a2e8b722a9

  • SHA512

    edd1e15a74a0ed4b842ce258dc9ea900fc10a61d24f64cec9b8bfd80754b13b0c12ac9f436b48806a8b9a299991ca52e437d917d2095af97df4059ca3c1bf8ac

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

worldpassed.publicvm.com:199

Mutex

AsyncMutex_6SI8OkBrC

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Thailand/Consulate-update.lnk

    • Size

      1KB

    • MD5

      dc259fbc059c48cdab784cd6f9e0c5dd

    • SHA1

      d465f6ce2dc9e4e69afe583747a412cc6fb75cda

    • SHA256

      ba0f1aeca62265b9b700b6f88031b156a75ed59aa2541b33e4d710112433130f

    • SHA512

      45c7a54c0b789c5c346dba71e1ccce2230ea8c43da5f0ad916946b3df7435e3e9ec6eaabbc7fb79c34cac37c39fc8b3d2a519d73ba0f352ea6bc31a4e0c7a644

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • UAC bypass

    • Async RAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      Thailand/Th-Pass/Consulate-update.bat

    • Size

      42KB

    • MD5

      bdd44c10654add788dcba23da9089978

    • SHA1

      33c482e714965393305acbdf9a596e20ce09d5c2

    • SHA256

      11dd5d54f65eedcf032a3424a2fb4bc558f00574a8c26590ef234249f5738638

    • SHA512

      49fdd5de2f6654ac0e9f4ccd0bcfb4db6b60feaa28e39b3678b49907ebaab6970b14c4d5f38a61f07cb2d23ef5a18536dcd483c9b8988fe23a67329c19b19e52

    • SSDEEP

      96:fEOEY6iJOAFOg7OPV1Hzf7yAMHteKOVXO6zfMHg:xxCPQtuY82g

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • UAC bypass

    • Async RAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  • Scheduled Task, T1053 (2)

Persistence
  • Scheduled Task, T1053 (2)

Privilege Escalation
  • Bypass User Account Control, T1088 (2)
  • Scheduled Task, T1053 (2)

Defense Evasion
  • Bypass User Account Control, T1088 (2)
  • Disabling Security Tools, T1089 (2)
  • Modify Registry, T1112 (2)

Discovery
  • Query Registry, T1012 (2)
  • System Information Discovery, T1082 (4)