General

  • Target

    exodus-windows-x64-22.9.8.exe

  • Size

    14MB

  • Sample

    221002-td4g3sded8

  • MD5

    ca131fbef972abf335bf3e6b1a35351f

  • SHA1

    e749e8fab09bdcf34c7ea51a71da789220407547

  • SHA256

    4644d5d8f56afb7b2095ca5c209e840ad3a7dddaa294fa6a074283f0f6b1d956

  • SHA512

    dc2b354acbeb29d06c9364b48cf13431b6a67fa4995c5667ec6d1511119763d67e92345a651a1649f072600cb42b858e84e78dc2b6b98370737a01b3cc81a1f7

Score
10/10

Malware Config

Extracted

  • Family: asyncrat

  • Version: 5.0.5

  • Botnet: Exodus

  • C2: operador.ddns.me:4448

Attributes

  • delay: 1

  • install: true

  • install_file: Exodus.exe

  • install_folder: %AppData%

  • aes.plain:

Targets

    • exodus-windows-x64-22.9.8.exe (14MB; MD5, SHA1, SHA256 and SHA512 as listed under General)

    Score
    10/10
    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

    Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation