General

  • Target

    4jPil0QfToiS.exe

  • Size

    2.5MB

  • Sample

    230401-v59zlsch3w

  • MD5

    6b1b891a90db1d560b9f56cf6acbdae3

  • SHA1

    329c5393398b05223a2babde37ba7bc6c0fb77d9

  • SHA256

    37d9ca4b7510f0e275b026df8690eec1ae0afffd0658a60e34461c18cab8d950

  • SHA512

    9f12d0a62f00abdc2137160113c868ad42a896d835532ed7035558c0db9e6a346243566ba12a107f2d67cd906996f8d73ad01f404cabde497d1ac0b40449289f

  • SSDEEP

    49152:Xtmcf5nmwTNPWh+jtm7d5QyjaYWeheW5hOgdw7v+c7+OwgUTiF+BI2l:dmo9mwpk+jE7YGaxQOgdij+bgUTN22l

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:1605

skalleper.ddns.net:1605

Mutex

agihasoiuhaoihgoasuqgic

Attributes
  • delay

    1

  • install

    true

  • install_file

    Microsoft Health Service.exe

  • install_folder

    %AppData%

aes.plain
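The config block above is the actionable part of the report for a responder: two C2 entries, a mutex, and an install path. The script below (an added example, not output of the sandbox or code from the AsyncRAT project) turns those values into indicators and matches them against a few constructed telemetry lines. Two caveats it encodes: 127.0.0.1:1605 is loopback and can never be a remote C2, so it is dropped rather than alerted on, and %AppData% resolves to a per-user path, so the install location is matched on its tail rather than as a literal. The telemetry format and the host names in it are invented for the example.

```python
"""Added example (not part of the sandbox report): turn the extracted AsyncRAT
config into host/network indicators and match them against telemetry.

Config values are copied from the "Malware Config" section of the report; the
telemetry lines at the bottom are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

CONFIG = {
    "family": "asyncrat",
    "version": "1.0.7",
    "c2": ["127.0.0.1:1605", "skalleper.ddns.net:1605"],
    "mutex": "agihasoiuhaoihgoasuqgic",
    "install_file": "Microsoft Health Service.exe",
    "install_folder": "%AppData%",
}

# %AppData% expands to the per-user roaming profile; the user name is unknown,
# so the install path is matched on its tail rather than as a literal string.
ENV_TAILS = {"%appdata%": r"\AppData\Roaming"}


@dataclass
class Iocs:
    hosts: set = field(default_factory=set)      # actionable C2 hostnames/IPs
    ports: set = field(default_factory=set)      # C2 ports (weak on their own)
    dropped: list = field(default_factory=list)  # config entries judged non-actionable
    mutex: str = ""
    install_path: re.Pattern = None


def _is_actionable_host(host):
    """Loopback and unspecified addresses can never be a remote C2."""
    try:
        ip = ip_address(host)
    except ValueError:
        return True  # a hostname such as skalleper.ddns.net
    return not (ip.is_loopback or ip.is_unspecified)


def build_iocs(cfg):
    iocs = Iocs(mutex=cfg["mutex"])
    for entry in cfg["c2"]:
        host, _, port = entry.rpartition(":")
        if _is_actionable_host(host):
            iocs.hosts.add(host.lower())
            iocs.ports.add(int(port))
        else:
            iocs.dropped.append(entry)
    tail = ENV_TAILS[cfg["install_folder"].lower()]
    iocs.install_path = re.compile(
        re.escape(tail + "\\" + cfg["install_file"]) + "$", re.IGNORECASE)
    return iocs


# Constructed key=value telemetry format: values may be quoted to allow spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one telemetry line into a dict of field -> value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def match_event(ev, iocs):
    """Return (severity, reason) for an event that matches an indicator, else None."""
    kind = ev.get("type")
    if kind == "process" and iocs.install_path.search(ev.get("image", "")):
        return ("high", "AsyncRAT install path: " + ev["image"])
    if kind == "dns" and ev.get("query", "").lower().rstrip(".") in iocs.hosts:
        return ("high", "DNS lookup of configured C2: " + ev["query"])
    if kind == "netconn":
        dst, port = ev.get("dst", "").lower(), int(ev.get("port", 0))
        if dst in iocs.hosts:
            return ("high", f"connection to configured C2 {dst}:{port}")
        if port in iocs.ports and _is_actionable_host(dst):
            # Port alone is a weak signal: the domain may have resolved to any address.
            return ("low", f"connection on C2 port {port} to unlisted host {dst}")
    if kind == "mutex" and ev.get("name") == iocs.mutex:
        return ("high", "AsyncRAT mutex created: " + ev["name"])
    return None


def scan(lines, iocs):
    """Return (line_no, severity, reason) for every matching telemetry line."""
    return [(i, *hit) for i, line in enumerate(lines, 1)
            if (hit := match_event(parse_event(line), iocs))]


# Constructed telemetry for the demonstration (not taken from the report).
TELEMETRY = [
    'type=process image="C:\\Windows\\System32\\svchost.exe"',
    'type=process image="C:\\Users\\alice\\AppData\\Roaming\\Microsoft Health Service.exe"',
    'type=mutex name=agihasoiuhaoihgoasuqgic',
    'type=dns query=skalleper.ddns.net',
    'type=netconn dst=127.0.0.1 port=1605',     # loopback entry from the config: no hit
    'type=netconn dst=203.0.113.10 port=1605',  # resolved address unknown: weak hit on port only
    'type=netconn dst=203.0.113.10 port=443',
]

if __name__ == "__main__":
    iocs = build_iocs(CONFIG)
    print("dropped as non-actionable:", iocs.dropped)
    for line_no, sev, reason in scan(TELEMETRY, iocs):
        print(f"line {line_no} [{sev}] {reason}")
```

The mutex and the install path are the strongest host indicators here because the sample chose them; the dynamic DNS hostname is the strongest network one, and the resolved IP should be looked up at the time of the incident rather than hard-coded.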

Targets

    • Target

      4jPil0QfToiS.exe

    • Size

      2.5MB

    • MD5

      6b1b891a90db1d560b9f56cf6acbdae3

    • SHA1

      329c5393398b05223a2babde37ba7bc6c0fb77d9

    • SHA256

      37d9ca4b7510f0e275b026df8690eec1ae0afffd0658a60e34461c18cab8d950

    • SHA512

      9f12d0a62f00abdc2137160113c868ad42a896d835532ed7035558c0db9e6a346243566ba12a107f2d67cd906996f8d73ad01f404cabde497d1ac0b40449289f

    • SSDEEP

      49152:Xtmcf5nmwTNPWh+jtm7d5QyjaYWeheW5hOgdw7v+c7+OwgUTiF+BI2l:dmo9mwpk+jE7YGaxQOgdij+bgUTN22l

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Async RAT payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
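The behavioural signatures above name what the sample did but not the artefacts behind each check. The script below (an added example, not the sandbox's rule set or code from the report) normalises constructed API-trace lines into registry paths and thread-information classes and maps them back to the signature names used in the report. The registry paths (the VBOX__ ACPI table keys, SystemBiosVersion/VideoBiosVersion under HARDWARE\DESCRIPTION\System, EnableLUA under Policies\System) and the ThreadHideFromDebugger class are what these checks conventionally touch; they are assumptions for this example, not values extracted from the sample. Note that the VirtualBox check fires on the attempted key open even when the key does not exist: the attempt is the signal, not the result.

```python
"""Added example (not part of the sandbox report): map raw API-trace lines to
the behavioural signatures listed in the report.

The registry paths and the ThreadHideFromDebugger class below are assumptions
about how these checks are conventionally implemented, not values taken from
the sample. The trace lines are constructed for this example.
"""
import re

# Trace line shapes (constructed, in the style of a user-mode API monitor).
OPEN_RX = re.compile(r'^RegOpenKeyEx[AW]\((\w+), "([^"]*)"\) = (\S+)')
QUERY_RX = re.compile(r'^RegQueryValueEx[AW]\((0x[0-9a-f]+), "([^"]*)"\)', re.I)
THREAD_RX = re.compile(r'^NtSetInformationThread\([^,]+, *(\w+)')

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Signature name from the report -> regex over a normalised artefact.
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks BIOS information in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\"
                r"(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$", re.I)),
    ("Checks whether UAC is enabled",
     re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
                r"Policies\\System\\EnableLUA$", re.I)),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     re.compile(r"^NtSetInformationThread:(ThreadHideFromDebugger|0x11|17)$", re.I)),
]


def normalize(lines):
    """Yield (line_no, artefact) pairs.

    An artefact is a full registry path 'HKLM\\key' or 'HKLM\\key\\value', or
    'NtSetInformationThread:<class>'. RegQueryValueEx only carries a handle, so
    handles returned by successful RegOpenKeyEx calls are tracked to rebuild
    the full path of each value read.
    """
    handles = {}  # open handle -> full key path
    for no, line in enumerate(lines, 1):
        if m := OPEN_RX.match(line):
            hive, sub, result = m.groups()
            path = f"{HIVES.get(hive, hive)}\\{sub}"
            if result.lower().startswith("0x"):
                handles[result.lower()] = path
            yield no, path  # the attempted open counts even if it failed
        elif m := QUERY_RX.match(line):
            handle, value = m.groups()
            key = handles.get(handle.lower(), "<unknown-key>")
            yield no, f"{key}\\{value}"
        elif m := THREAD_RX.match(line):
            yield no, f"NtSetInformationThread:{m.group(1)}"


def classify_trace(lines):
    """Map each report signature to its (line_no, artefact) evidence."""
    hits = {name: [] for name, _ in RULES}
    for no, artefact in normalize(lines):
        for name, rx in RULES:
            if rx.search(artefact):
                hits[name].append((no, artefact))
    return hits


# Constructed trace: the VBOX__ opens fail (not VirtualBox) yet still count.
TRACE = [
    r'RegOpenKeyExW(HKEY_LOCAL_MACHINE, "HARDWARE\ACPI\DSDT\VBOX__") = ERROR_FILE_NOT_FOUND',
    r'RegOpenKeyExW(HKEY_LOCAL_MACHINE, "HARDWARE\ACPI\FADT\VBOX__") = ERROR_FILE_NOT_FOUND',
    r'RegOpenKeyExW(HKEY_LOCAL_MACHINE, "HARDWARE\DESCRIPTION\System") = 0x2c8',
    r'RegQueryValueExW(0x2c8, "SystemBiosVersion") = "DELL   - 1072009"',
    r'RegQueryValueExW(0x2c8, "VideoBiosVersion") = "Hardware Version 0.0"',
    r'RegOpenKeyExW(HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System") = 0x2cc',
    r'RegQueryValueExW(0x2cc, "EnableLUA") = 1',
    r'NtSetInformationThread(0xfffffffe, ThreadHideFromDebugger, NULL, 0) = STATUS_SUCCESS',
    r'CreateFileW("C:\Users\alice\AppData\Roaming\Microsoft Health Service.exe", GENERIC_WRITE) = 0x2d4',
]

if __name__ == "__main__":
    for name, evidence in classify_trace(TRACE).items():
        print(name)
        for no, artefact in evidence:
            print(f"    line {no}: {artefact}")
```

The handle tracking is what makes the BIOS and UAC rules work: the value names alone (SystemBiosVersion, EnableLUA) are read by plenty of legitimate software, so the rule should only fire once the value is tied to the key it was read from.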
