General

  • Target

    dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06

  • Size

    7KB

  • Sample

    221206-hs9f4agg5t

  • MD5

    5d9fea16ab0d9224b54d72e2321bcaff

  • SHA1

    499d709c1cbc22caf4e5efda230fb4a158714ea4

  • SHA256

    dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06

  • SHA512

    c685ad6526099d126a47528e5230924fdf0762d2b35a0ca73afc1851ec6b4cbb931c08fcd3e419348a10365b04bb44b5561e0f191e4b4793433fd64e118049b4

  • SSDEEP

    192:umI098QkFrDZBXvkHarSNtUqDpU4WWCmWeds:T9eb5kjNt/DgWCmW2s

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

C2

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes
  • delay

    3

  • install

    false

  • install_file

    SecurityHealtheurvice.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06

    • Size

      7KB

    • MD5

      5d9fea16ab0d9224b54d72e2321bcaff

    • SHA1

      499d709c1cbc22caf4e5efda230fb4a158714ea4

    • SHA256

      dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06

    • SHA512

      c685ad6526099d126a47528e5230924fdf0762d2b35a0ca73afc1851ec6b4cbb931c08fcd3e419348a10365b04bb44b5561e0f191e4b4793433fd64e118049b4

    • SSDEEP

      192:umI098QkFrDZBXvkHarSNtUqDpU4WWCmWeds:T9eb5kjNt/DgWCmW2s

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Tasks