Resubmissions

11/03/2023, 05:16

230311-fyb2nsgf48 3

08/03/2023, 02:49

230308-dbf11adf75 10

General

  • Target

    hYPLolk_400x400.png

  • Size

    107KB

  • Sample

    230308-dbf11adf75

  • MD5

    da763a96d8c39ecffcbe693b82e8f974

  • SHA1

    46009d6e7b34fb03ac8afb527c6ccdb9f5f24321

  • SHA256

    df9cab3f188e2b220eb85971be3a417ba4019c3d2859eee7f9fadf17a3be9ff7

  • SHA512

    9c7359e75d1c6bd320797bfafa1be0d099487e421f47b485389e6d93d0686bc4045b8af894e4dac91b54124412d5da7afdd8addb3deb58d43ca758e2a3f5cf54

  • SSDEEP

    3072:HGyFqHnZD8Pn7GCE7cKs77FA+i4LPlbXwZjoh7+V7s:my4ZD8/7GTs77FhRAZ4+ls

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    1.0.7

  • Botnet

    Default

  • C2

    coolmaneurokoolcom-26401.portmap.host:26401

  • Mutex

    DcRatMutex_qwqdanchun

  • Attributes

    • delay

      1

    • install

      true

    • install_file

      ABDJCM.exe

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      hYPLolk_400x400.png

    • Size

      107KB

    • MD5

      da763a96d8c39ecffcbe693b82e8f974

    • SHA1

      46009d6e7b34fb03ac8afb527c6ccdb9f5f24321

    • SHA256

      df9cab3f188e2b220eb85971be3a417ba4019c3d2859eee7f9fadf17a3be9ff7

    • SHA512

      9c7359e75d1c6bd320797bfafa1be0d099487e421f47b485389e6d93d0686bc4045b8af894e4dac91b54124412d5da7afdd8addb3deb58d43ca758e2a3f5cf54

    • SSDEEP

      3072:HGyFqHnZD8Pn7GCE7cKs77FA+i4LPlbXwZjoh7+V7s:my4ZD8/7GTs77FhRAZ4+ls

    • AsyncRat

      AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

    • UAC bypass

    • Async RAT payload

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks