General

  • Target

    SecuriteInfo.com.Trojan.InjectNET.14.26458.24870.exe

  • Size

    305KB

  • Sample

    221107-14259sbhf5

  • MD5

    b28a3a496bb68f9c4308ee7d888e7a27

  • SHA1

    7cca1a10272b84abf7da155f913a301533ffd2c4

  • SHA256

    985eb402fa66d0ab3594346f7fc61acc0cf0ee8449a5e66d387b9edfaed7e0d9

  • SHA512

    e8b4e5f831a1db67da48175a4a5b22ec7adbe345794979b52fb90ac74c51bcaa8ce6cf80ba8518caa9b3e2bfb330e95d941075bb728bdafefa6c6b54c13847a6

  • SSDEEP

    6144:BoXVkyjpPglDUzV5SZ7KVCgH6kZSPEVRyEPZ3:WlwlDUoqHY4RyKZ3

Malware Config

Extracted (configuration 1)

  • Family

    asyncrat

  • Version

    0.5.7B

  • Botnet

    SecurityHealthSeurvice

  • C2

    217.64.31.3:8437

  • Mutex

    SecurityHealthSeurvice

  • Attributes

    delay: 3
    install: false
    install_file: SecurityHealthSeurvice.exe
    install_folder: %AppData%

  • aes.plain

Extracted (configuration 2)

  • Family

    asyncrat

  • Version

    0.5.7B

  • Botnet

    FileManager

  • C2

    20.107.115.162:50239

  • Mutex

    FileManager

  • Attributes

    delay: 3
    install: false
    install_file: FileManager
    install_folder: %AppData%

  • aes.plain

Targets

    • Target

      SecuriteInfo.com.Trojan.InjectNET.14.26458.24870.exe

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes so the file is hidden from Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                            Count  ID
  ---------------------  -----------------------------------  -----  -----
  Execution              Scheduled Task                       1      T1053
  Persistence            Hidden Files and Directories         2      T1158
  Persistence            Registry Run Keys / Startup Folder   1      T1060
  Persistence            Scheduled Task                       1      T1053
  Privilege Escalation   Scheduled Task                       1      T1053
  Defense Evasion        Hidden Files and Directories         2      T1158
  Defense Evasion        Modify Registry                      1      T1112
  Discovery              Query Registry                       1      T1012
  Discovery              System Information Discovery         2      T1082
