Overview

overview

10

Static

static

6af98c9c6a...01.exe

windows7-x64

10

6af98c9c6a...01.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6af98c9c6ad382f3dddff52c8de96e2f831d0dbb0f1ab0f9a9457ba58d538601

  • Size

    765KB

  • Sample

    221130-xa928shb7x

  • MD5

    ff2641ce33fd64ca3bcdb8f95956ccfc

  • SHA1

    a4b0b0b09d1952f49600fed2b82c15e8452c515d

  • SHA256

    6af98c9c6ad382f3dddff52c8de96e2f831d0dbb0f1ab0f9a9457ba58d538601

  • SHA512

    49197ece1e9179326a833cb3a02d6dbfd0fda36dc09bd14a2fa794f735520ac58124626a481a64f4c0a6c733d3cf692f793aa857dffbe662eab9116dd3817038

  • SSDEEP

    1536:oC/6GStcxcG+1SwGp7FUcETgrggggEE2vBgcrZ+HsaJ7FDwwoNGkNecQeRSHcp3z:

Score
10/10
asyncratdefaultpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

dhayan.ip-dynamic.com:6606

dhayan.ip-dynamic.com:7707

dhayan.ip-dynamic.com:8808

192.168.1.192:6606

192.168.1.192:7707

192.168.1.192:8808
Mutex

kfjgkmlkgf4g516d51fg54r1eg651fv65d1g65sda1g616g51f6g51rg89a7

Attributes
  • delay

    3

  • install

    false

  • install_file

    tidore update crack.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      6af98c9c6ad382f3dddff52c8de96e2f831d0dbb0f1ab0f9a9457ba58d538601

    • Size

      765KB

    • MD5

      ff2641ce33fd64ca3bcdb8f95956ccfc

    • SHA1

      a4b0b0b09d1952f49600fed2b82c15e8452c515d

    • SHA256

      6af98c9c6ad382f3dddff52c8de96e2f831d0dbb0f1ab0f9a9457ba58d538601

    • SHA512

      49197ece1e9179326a833cb3a02d6dbfd0fda36dc09bd14a2fa794f735520ac58124626a481a64f4c0a6c733d3cf692f793aa857dffbe662eab9116dd3817038

    • SSDEEP

      1536:oC/6GStcxcG+1SwGp7FUcETgrggggEE2vBgcrZ+HsaJ7FDwwoNGkNecQeRSHcp3z:

    Score
    10/10
    persistenceasyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Modifies WinLogon for persistence

      persistence

    • Async RAT payload

      rat

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks