Overview

overview

10

Static

static

winprofile

windows7-x64

1

winprofile

windows10-1703-x64

10

Resubmissions

09-11-2022 04:21

221109-eyxgyafdcn 1

09-11-2022 04:08

221109-ep773sfcem 1

09-11-2022 03:58

221109-ejt39sdeg9 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4

  • Size

    1.8MB

  • Sample

    221109-ejt39sdeg9

  • MD5

    c233f8e5f9b0441782280bb49b98f415

  • SHA1

    ddd3476e9d61fc2d707354da50b490dea8f37721

  • SHA256

    e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4

  • SHA512

    f5404661a5349fb33e18eb632b12a6df3b7e735346bec08ee6a848375c9d6d71bd846c472bf19eccb34aa407bf16a0e214ca4ebe58f1460d4b10cf4c6fdc153c

  • SSDEEP

    49152:j0OB/3taBrb/TMvO90d7HjmAFd4A64nsfJ4ongXG/jpC3Ohz1:/349m

Score
10/10
asyncratbitratxenarmornewcollectionpasswordpersistenceratrecoveryspywarestealertrojanupx

Malware Config

Extracted

Family

asyncrat

Version

1.0.7 - modded by last

Botnet

New

C2

nicehash.at:4343

Mutex

adsasutex_qwqdanchun

Attributes
  • delay

    1

  • install

    true

  • install_file

    GoogleDriver.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

bitrat

Version

1.38

C2

nicehash.at:6000

Attributes
  • communication_password

    005f16f264f006578c55237781f36898

  • install_dir

    JavaHelper

  • install_file

    Java.exe

  • tor_process

    tor

Targets

    • Target

      e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4

    • Size

      1.8MB

    • MD5

      c233f8e5f9b0441782280bb49b98f415

    • SHA1

      ddd3476e9d61fc2d707354da50b490dea8f37721

    • SHA256

      e6dcf394196b6a305e85eae91e900f9c5d639a51fa11def8503750a3e4d8daa4

    • SHA512

      f5404661a5349fb33e18eb632b12a6df3b7e735346bec08ee6a848375c9d6d71bd846c472bf19eccb34aa407bf16a0e214ca4ebe58f1460d4b10cf4c6fdc153c

    • SSDEEP

      49152:j0OB/3taBrb/TMvO90d7HjmAFd4A64nsfJ4ongXG/jpC3Ohz1:/349m

    Score
    10/10
    asyncratbitratxenarmornewcollectionpasswordpersistenceratrecoveryspywarestealertrojanupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • XenArmor Suite

      XenArmor is as suite of password recovery tools for various application.

      recoverypasswordxenarmor

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Async RAT payload

      rat

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks