General

  • Target

    SearchUpdate.rar

  • Size

    18.0MB

  • Sample

    230401-rzxwbaaf37

  • MD5

    2b0f7746240beb3fe03491e16257c513

  • SHA1

    4cc806d0fee4947e4b73b0cba90edc2f232377dd

  • SHA256

    871ceb94e716adf0c8ae35783fc3812fc1a44bae1bac3c37f7db8d9d8ea1ae64

  • SHA512

    684cc3bac4c8e91a412509f0a8d60de0c6e05c82ff2942f7a050d66ad99c1be0b1955cc293ea4f38c1e82688f2d0e46832ba534c9b6236a900b39905d988a2dd

  • SSDEEP

    393216:qCwdUkFk27o277EZR0WqoBAjGPOKgTrjOIRaJ1fsS3ljEotuGk:qCwdLH8u72R0SAjG+nyE0r35EoI1

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    1.0.7

  • Botnet

    Default

  • C2

    127.0.0.1:8848

    127.0.0.1:53898

    127.0.0.1:16409

    147.185.221.181:8848

    147.185.221.181:53898

    147.185.221.181:16409

  • Mutex

    svschost

Attributes

  • delay

    1

  • install

    true

  • install_file

    svschost.exe

  • install_folder

    %Temp%

aes.plain

Targets

    • Target

      SearchUpdate.exe

    • Size

      18.2MB

    • MD5

      6babd670b96f60cfb36c36ed057700e7

    • SHA1

      333b99f54e1605c197bf20193317c54a47474c16

    • SHA256

      a8af6a70435000294079a6ba0b1b47c39940c4ace2633a97ae2746ddefad3232

    • SHA512

      22f59c82452c6bdefa1f00b977b39bd04841c6bc7b37b4310f10e36ea2a7f31b71219dc43f4252955aa8183879285fb3f4d9000d6d1130a45636b42900818fc0

    • SSDEEP

      393216:MaL/oNDjomGNGS/tzJWH8HbnQZpbFpUQnz1JDTRijXTWEi4v+8ixXkJ:/clomGA8WHqbnQLfjz5+dhG8ix0J

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6

Tasks