General

  • Target

    BOLETA DE CITACION POLICIA NACIONAL.exe

  • Size

    2MB

  • Sample

    221002-kyl9vsgdd7

  • MD5

    fd0875a959c9b325989d132991c27610

  • SHA1

    7449341ee58c6ed396ce5687450ec59ea13904d4

  • SHA256

    3610699951e813e124b8b4a874b96eedd23db3028cf91624db95521608dd0787

  • SHA512

    087b43709d00409673690e9956ec2c711ab482568d0032542ae167d8868d676746b661fae812b3eed2413039d01371fe91513d98156c7f916724754c0c8fe131

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

ewtwet.duckdns.org:8091

Attributes
delay
3
install
false
install_folder
%AppData%
aes.plain

Targets

    • Target

      BOLETA DE CITACION POLICIA NACIONAL.exe

    • Size

      2MB

    • MD5

      fd0875a959c9b325989d132991c27610

    • SHA1

      7449341ee58c6ed396ce5687450ec59ea13904d4

    • SHA256

      3610699951e813e124b8b4a874b96eedd23db3028cf91624db95521608dd0787

    • SHA512

      087b43709d00409673690e9956ec2c711ab482568d0032542ae167d8868d676746b661fae812b3eed2413039d01371fe91513d98156c7f916724754c0c8fe131

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation