Overview

overview

10

Static

static

1

Statment 1....JS.js

windows7-x64

3

Statment 1....JS.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Statment 1412500240.JS.js

  • Size

    78KB

  • Sample

    230323-jan8wagc2w

  • MD5

    27b793bfdccc9569e57aaa7aa6fbc321

  • SHA1

    8877645413921811cd6320d45a87b85be8d26033

  • SHA256

    8369947367d812406853c2bcac444b1a6c374c2816df0ecf1d126c33c80ffca2

  • SHA512

    d52e9af11b9ccbeb44c44232ac638a13fe53d09a6b417ee654fcc93aa8a41ff9de5f3895cdfb7a0e50e5292ae808d6066070cdb820313e4da4dda1e63c4eb14d

  • SSDEEP

    96:ABKpBKpBKpBKpBKpBKpBKpBKpBKpBKpBKpBKXBKpBKpBKpBKpBKpBKpBKpBKpBK+:rnoDJsVNq

Score
10/10
asyncratnew grapitypersistencerat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

New Grapity

C2

services.work.gd:555

Mutex

AsyncMutex

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Statment 1412500240.JS.js

    • Size

      78KB

    • MD5

      27b793bfdccc9569e57aaa7aa6fbc321

    • SHA1

      8877645413921811cd6320d45a87b85be8d26033

    • SHA256

      8369947367d812406853c2bcac444b1a6c374c2816df0ecf1d126c33c80ffca2

    • SHA512

      d52e9af11b9ccbeb44c44232ac638a13fe53d09a6b417ee654fcc93aa8a41ff9de5f3895cdfb7a0e50e5292ae808d6066070cdb820313e4da4dda1e63c4eb14d

    • SSDEEP

      96:ABKpBKpBKpBKpBKpBKpBKpBKpBKpBKpBKpBKXBKpBKpBKpBKpBKpBKpBKpBKpBK+:rnoDJsVNq

    Score
    10/10
    asyncratnew grapitypersistencerat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Registers COM server for autorun

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

BITS Jobs

1
T1197

Privilege Escalation

Defense Evasion

BITS Jobs

1
T1197

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks