Resubmissions

10-03-2023 22:01

230310-1xerdshc7x 7

14-02-2023 16:10

230214-tmg1faee72 7

31-01-2023 07:47

230131-jmw49afe54 10

26-12-2022 21:03

221226-zv36jaha4x 10

24-12-2022 19:27

221224-x6gessdf7z 10

13-12-2022 03:51

221213-eenexsgc4v 10

12-12-2022 11:33

221212-npbnjsbc28 10

06-12-2022 06:29

221206-g8658sca54 8

05-12-2022 06:17

221205-g19ldsgh7x 10

General

  • Target

    RustExternal_nls.exe

  • Size

    658KB

  • Sample

    221205-g19ldsgh7x

  • MD5

    1ab8dbca5e2bba39723f00907d266de7

  • SHA1

    729cb808637568f20ac886b3fac5f3cf5ff01dee

  • SHA256

    c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

  • SHA512

    d1a31848eb9b683793afd36031ef8078ff962c2526272782cf2fca8db11afb71643a46b9ad6bce3ba8dba1b638672205726f6e96c7dd3e887228a2368ec08081

  • SSDEEP

    12288:3oSO5i2eVUIvybKcEz4MM7S9HdKINesX7j6p9PI8GS0oN2:3ouTVUIvtH4H7aLeO23gRoY

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

C2

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes
  • delay

    3

  • install

    false

  • install_file

    System Guard Runtime

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

C2

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes
  • delay

    3

  • install

    false

  • install_file

    SecurityHealtheurvice.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      RustExternal_nls.exe

    • Size

      658KB

    • MD5

      1ab8dbca5e2bba39723f00907d266de7

    • SHA1

      729cb808637568f20ac886b3fac5f3cf5ff01dee

    • SHA256

      c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

    • SHA512

      d1a31848eb9b683793afd36031ef8078ff962c2526272782cf2fca8db11afb71643a46b9ad6bce3ba8dba1b638672205726f6e96c7dd3e887228a2368ec08081

    • SSDEEP

      12288:3oSO5i2eVUIvybKcEz4MM7S9HdKINesX7j6p9PI8GS0oN2:3ouTVUIvtH4H7aLeO23gRoY

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks