General

  • Target

    ExLoader_Installer.exe

  • Size

    23.3MB

  • Sample

    230325-pplzyseg7y

  • MD5

    951a41f877cd666aad445a28516aca9e

  • SHA1

    eac105dff6289c2a0355e7afa6229fe8dcd9f027

  • SHA256

    7e0e284b6476f78bb222bd56dedf9a5a3e89ff36a356741ac5e0f9f3c99651db

  • SHA512

    48e778af1f105ea0447cde0138a5ec8d8ec7bcf3c026cf3534308cd14af12e558a17360491179dab1f541be23efe026a2b9f573c4df60c0cdfe278f9bea74e7a

  • SSDEEP

    393216:YlL91czZyTEHvRePi3ITxqn6sGyuB0u01kjV47GjwwYYxn:cszFgMxnumjsVqY0Y

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://pastebin.com/raw/vNcCt60A

Extracted

  • Family

    asyncrat

  • Version

    1.0.7

  • Botnet

    Default

  • Mutex

    Mutex

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/3Z9zi18j

  • aes.plain

Targets

    • Target

      ExLoader_Installer.exe

    • AsyncRat

      AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes so the file does not show in Explorer and similar file browsers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               Technique                       Count  ID
Persistence          Hidden Files and Directories    2      T1158
Defense Evasion      Hidden Files and Directories    2      T1158
Discovery            Query Registry                  1      T1012
Discovery            System Information Discovery    2      T1082
Command and Control  Web Service                     1      T1102
