General

  • Target

    15-10-10-36.JS.js

  • Size

    75KB

  • Sample

    230324-hfsykscf99

  • MD5

    5e2d96e18e9f50558282b844f9af47c6

  • SHA1

    5b5b3ba7c3f233f18c9eaef6903ba9e9c2cfce7b

  • SHA256

    927fcfec5aca05e59135e5679883db421b1d78d3b0ee44e316cb2f3da1ba399d

  • SHA512

    b36b8cca43db5e83f71ed417163703f699e3c1d31f46f7844fbb90adecc3f8ab5efa74969e95acb9d7dfbe67b06df08494d8fd14da32086c995c799d44a67149

  • SSDEEP

    1536:l+++++++++++g+++++++++++M+++++++++++H+++++++++++7+++++++++++I++C:q

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    | Edit 3LOSH RAT

  • Botnet

    Cairo

  • C2

    admincairo.linkpc.net:7707

  • Mutex

    AsyncMutex_move

  • Attributes

    • delay

      3

    • install

      false

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      15-10-10-36.JS.js

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a macro.

    • Async RAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Registers COM server for autorun

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

    BITS Jobs (T1197): 1

  • Defense Evasion

    BITS Jobs (T1197): 1

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks