General

  • Target

    531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f

  • Size

    9.9MB

  • Sample

    221130-v4pbhsba49

  • MD5

    656725f09aa6a07f41fef88b362ad8b9

  • SHA1

    9b4949a9d2d7ddbbefb5bb553bed4a39d2b392c9

  • SHA256

    531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f

  • SHA512

    27eec396079486535a8a870ed2c8d1c4fa97cca0cdf72a5331516c0d7f41d43b84e68844a61f0b9722c1a1da96300e7e29303c3edade635df67807a42003038b

  • SSDEEP

    6144:YJl5cP2e8F3cUAojUmFvMKpiC+afJRda3RIkvNIyI/VEpAl/JgIj0oTYibGRrgUW:MiTTeLe0D4

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    0.5.7B

  • Botnet

    Katayumi

  • C2

    normal-knife.auto.playit.gg:54950

    normal-knife.auto.playit.gg:7707

  • Mutex

    AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    ZxKKE4oK8.exe

  • install_folder

    %Temp%

  • aes.plain

Targets

    • Target

      531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f

    • Size

      9.9MB

    • MD5

      656725f09aa6a07f41fef88b362ad8b9

    • SHA1

      9b4949a9d2d7ddbbefb5bb553bed4a39d2b392c9

    • SHA256

      531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f

    • SHA512

      27eec396079486535a8a870ed2c8d1c4fa97cca0cdf72a5331516c0d7f41d43b84e68844a61f0b9722c1a1da96300e7e29303c3edade635df67807a42003038b

    • SSDEEP

      6144:YJl5cP2e8F3cUAojUmFvMKpiC+afJRda3RIkvNIyI/VEpAl/JgIj0oTYibGRrgUW:MiTTeLe0D4

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Modifies Windows Defender Real-time Protection settings

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • Async RAT payload

    • Looks for VirtualBox Guest Additions in registry

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                       Count  ID
  Execution             Scheduled Task                  1      T1053
  Persistence           Modify Existing Service         1      T1031
  Persistence           Scheduled Task                  1      T1053
  Privilege Escalation  Scheduled Task                  1      T1053
  Defense Evasion       Modify Registry                 4      T1112
  Defense Evasion       Disabling Security Tools        4      T1089
  Defense Evasion       Virtualization/Sandbox Evasion  2      T1497
  Discovery             Query Registry                  5      T1012
  Discovery             Virtualization/Sandbox Evasion  2      T1497
  Discovery             System Information Discovery    4      T1082
  Discovery             Peripheral Device Discovery     1      T1120
  Command and Control   Web Service                     1      T1102

Tasks