General

  • Target

    9546477998.zip

  • Size

    353KB

  • Sample

    230313-wbyvxsde3x

  • MD5

    f9347e394a4936069024e5dbd45b23b3

  • SHA1

    8ec00baa9b23ac9564a5a284d767c8779da26b9f

  • SHA256

    f6c53cbe456928a12e348d7688172f78b01fd75fac6c728bd31a57b7e2d4f6ab

  • SHA512

    6fa3758eabc7da5dc62366454d95d455037ac06a11404062a1e6cf92b4e5ec2e0cca5e401ebcd8722c6f707a02c89d918a9308a9a03519dc69611c73eda5cbfa

  • SSDEEP

    6144:GSVvnNZaIj6tbuWKayWJi4wbmDMdwooZnLm3q7eTo7bxOplTA3z16F+i2Vzjz8fD:XVvNZXj65zAWJ+bCMdwHZnq3lTObklTv

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

185.136.161.11:1337

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      5379820f930466a3fd452e5161da9da7771db18a2c88050a9f7a908960e1d7c8

    • Size

      467KB

    • MD5

      de67cd07f4d74cf1b8bbe08fdfd43fac

    • SHA1

      cde4dda4c72d05d7da7c42f71954621bb837f9df

    • SHA256

      5379820f930466a3fd452e5161da9da7771db18a2c88050a9f7a908960e1d7c8

    • SHA512

      cef188b960035b336651746046440c1abc170564a27cebbfe7765bab72c37497c9567e00369b16179b20c274c444e1540d01241bbebce646e725fd17343eaf3d

    • SSDEEP

      12288:wpvP3Pkd834QYN+oAgUULI0yoLdwgCOj:wxkW3pYN+o7YdGj

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • UAC bypass

    • Windows security bypass

    • Async RAT payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks