General

  • Target

    DFDS4.exe

  • Size

    6KB

  • Sample

    221206-hqx1aage5z

  • MD5

    aacae33f1697d56d6ebbe91f49426380

  • SHA1

    043d947a5ba9db57da8804ee1b3db6411c36a317

  • SHA256

    e03373744068eb32bc09755df8ff0f111f93a47d94a9cca7513adac83a92d081

  • SHA512

    a150a3f35b00e7553d5aabb6e524cd0770d10714cd255665f4355f9922b91d400d2d2c0c276b18dba2bd999da210a4538754da9f38b819d2a2b3c947a75f6c20

  • SSDEEP

    192:3m1I9XX1FrDl2ND2tLNtUq256XvW4NRcWedV:KI9Xl32NKNt/jvW4NRcW2V

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

C2

85.105.88.221:2531

Attributes
delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%
aes.plain

Targets

    • Target

      DFDS4.exe

    • Size

      6KB

    • MD5

      aacae33f1697d56d6ebbe91f49426380

    • SHA1

      043d947a5ba9db57da8804ee1b3db6411c36a317

    • SHA256

      e03373744068eb32bc09755df8ff0f111f93a47d94a9cca7513adac83a92d081

    • SHA512

      a150a3f35b00e7553d5aabb6e524cd0770d10714cd255665f4355f9922b91d400d2d2c0c276b18dba2bd999da210a4538754da9f38b819d2a2b3c947a75f6c20

    • SSDEEP

      192:3m1I9XX1FrDl2ND2tLNtUq256XvW4NRcWedV:KI9Xl32NKNt/jvW4NRcW2V

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                      Privilege Escalation

                        Tasks