General
Target: hYPLolk_400x400.png
Size: 107KB
Sample: 230308-dbf11adf75
MD5: da763a96d8c39ecffcbe693b82e8f974
SHA1: 46009d6e7b34fb03ac8afb527c6ccdb9f5f24321
SHA256: df9cab3f188e2b220eb85971be3a417ba4019c3d2859eee7f9fadf17a3be9ff7
SHA512: 9c7359e75d1c6bd320797bfafa1be0d099487e421f47b485389e6d93d0686bc4045b8af894e4dac91b54124412d5da7afdd8addb3deb58d43ca758e2a3f5cf54
SSDEEP: 3072:HGyFqHnZD8Pn7GCE7cKs77FA+i4LPlbXwZjoh7+V7s:my4ZD8/7GTs77FhRAZ4+ls
Static task: static1
Malware Config
Extracted: asyncrat 1.0.7
Default
coolmaneurokoolcom-26401.portmap.host:26401
DcRatMutex_qwqdanchun
delay: 1
install: true
install_file: ABDJCM.exe
install_folder: %AppData%
Targets
Target: hYPLolk_400x400.png (107KB; hashes as listed under General)
- Async RAT payload
- Grants admin privileges: uses net.exe to modify the user's privileges.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies Windows Firewall
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v6
Persistence: Account Manipulation (1), Bootkit (1), Modify Existing Service (1), Scheduled Task (1)
Defense Evasion: Bypass User Account Control (1), Disabling Security Tools (1), Modify Registry (2), Virtualization/Sandbox Evasion (1)