General

  • Target

    harddishspoof.rar

  • Size

    1.3MB

  • Sample

    230402-rttlpsgg42

  • MD5

    3c1dc9dda8f8d88795936000f01b7dff

  • SHA1

    b67a8adfbb231064d4fd7947fe51033c02f4b71a

  • SHA256

    0bbe96bf9edd88365697ad1b6ac2e7d6ec935e9db55010b5295e9214fa2b9270

  • SHA512

    183c727d91a0100f756dbb4629c55414ec8d7f5ef55ac57ec20927f4a8766851f9366b1d718eb7b441d29e8a9b9a9f73b4a5e3a64cb7f6d2bd07a2d495e1d0eb

  • SSDEEP

    24576:/MM+loqEdd3r5hidj52eoxClDlHgW2dkIGVw8H0VWVUEtb/KWCq2CkdmqcJUaF:QlANaqQvHgVGVwk0V4UsbMvdmqc/F

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

aslavazgecme.duckdns.org:1000

Mutex

AsyncMutex_6SI8OkPnk

Attributes

  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      serial.dll

    • Size

      6.4MB

    • MD5

      022f385e55d9d3d42a33b4ca999bf22a

    • SHA1

      5d2f22d51d2e87ae8d1f2c1acd3f08f4fdddf107

    • SHA256

      3b0e1b3af6d2b8b3d02b6cd52849277c9c8066c2ae565e68253d4551c37492d3

    • SHA512

      7fd663b56a2894d1db2ee1032067091f72a4ac301ee8cd392030c6ab186e3bb960d8e35a8591204fc23e9b5a145a2a9ab0092b1c9e6ae5c9c2dc2adf907a891c

    • SSDEEP

      98304:iZavd9tWpmIgMlqVz+rQVe97lwu9cXvBxDh3DYnskFb06vSXvfnjMK3aYLB+8uNl:ivKv8XcXD4K

    • Score

      1/10

    • Target

      serialchanger.exe

    • Size

      84KB

    • MD5

      5b32c6f20548089017501a776c12f89a

    • SHA1

      80e01010aa6086ca1360b887712866bdece2f647

    • SHA256

      724b95160127a1fac9bea14139ad0c773a9fd7f4bf0811c950e9a56003e3a49b

    • SHA512

      dbbafe54b326a1bb847ad4acd0145d1742e71cbac0057733cd3f79e82d6747f191d3916d2e02b3710e383b330f0036bf1ce65b5a62fd0dd7bc00dd570ca01aee

    • SSDEEP

      1536:LRLKj9CmSbxKCcS1+/7ryiw2RLku5QavfJKOKcl:L9KhcZccSyiw29waJK9Y

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

MITRE ATT&CK Enterprise v6

Tasks