General

  • Target

    BOLETA DE CITACION SEPTIEMBRE.exe

  • Size

    1MB

  • Sample

    220929-va6npscddl

  • MD5

    ff034e670af40d53470dc8f1536fd58e

  • SHA1

    cc48f6ec06ce2f4a5d11d4ba693413c807fb2c7d

  • SHA256

    e490c0eb6beec707ee6a46816aa7b765a98a5a637f66a854948270ed06b2332a

  • SHA512

    4bb24683fb06a078ff448918f4e118015d88eb03e07ee4a66cf3200e15c5eb4888fd59349102932a3048eb24371bedd1909ef42aa9ac0d1a1b19d62eff24a5d3

  • SSDEEP

    49152:pHIKvoo917KPKE7xPd9gAKl1mphxF1ZQik92/hRWGQX:tx92Kb5mzr1ljPWJX

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

dfdagreyt.duckdns.org:8091

Attributes
delay
3
install
false
install_folder
%AppData%
aes.plain

Targets

    • Target

      BOLETA DE CITACION SEPTIEMBRE.exe

    • Size

      1MB

    • MD5

      ff034e670af40d53470dc8f1536fd58e

    • SHA1

      cc48f6ec06ce2f4a5d11d4ba693413c807fb2c7d

    • SHA256

      e490c0eb6beec707ee6a46816aa7b765a98a5a637f66a854948270ed06b2332a

    • SHA512

      4bb24683fb06a078ff448918f4e118015d88eb03e07ee4a66cf3200e15c5eb4888fd59349102932a3048eb24371bedd1909ef42aa9ac0d1a1b19d62eff24a5d3

    • SSDEEP

      49152:pHIKvoo917KPKE7xPd9gAKl1mphxF1ZQik92/hRWGQX:tx92Kb5mzr1ljPWJX

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Tasks