General

  • Target

    hyphon_loader.exe

  • Size

    2.9MB

  • Sample

    230402-xle18sbc41

  • MD5

    f507171192dd73378849dfb8250162cd

  • SHA1

    9a7c58e5ed76de2d73d64ae872da6517ccc9d88f

  • SHA256

    7b3e39a2100d7cc1ce61b8fa8c22f384a920aafd129747c56ca0fcb719122020

  • SHA512

    c1a5a3ef7bbbab501ddae561cfd0485d491e5955e75027d3087fc2a10b2c8bbdfe7c37474c20bf10957ea0ed0c6d80d1c11c5ea5bde3e04e66da9638fa1ddd00

  • SSDEEP

    49152:/Y2zrFhW97EqIm3JV38UlVUpIekMqhKy2F/wZbFTLhzpbEt2Gs3OAvUwn7lV5te6:/zy9Qqf3JVsUlVUFlybfhzi20AB59Cw

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Legacy

C2

legacyud.duckdns.org:55108

legacyud.duckdns.org:57913

Mutex

4278904ry7saigfhjaksfgfshajkgfshkajfghkjsfghsksfahlgjlhgjfasdGLHSAFLGHJSAHJGEF7024TY4297T6497425642725244256742567567246724567245672436572436579ESFHJIFVGIUAFSGISAYGAFSGYUIAFSGYUAFSGYIUAFSGYUAFSGYSAFYGYUFAIYGAFSYGUIFASYGIFASGY216934624684768246782467824678924

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      hyphon_loader.exe

    • Size

      2.9MB

    • MD5

      f507171192dd73378849dfb8250162cd

    • SHA1

      9a7c58e5ed76de2d73d64ae872da6517ccc9d88f

    • SHA256

      7b3e39a2100d7cc1ce61b8fa8c22f384a920aafd129747c56ca0fcb719122020

    • SHA512

      c1a5a3ef7bbbab501ddae561cfd0485d491e5955e75027d3087fc2a10b2c8bbdfe7c37474c20bf10957ea0ed0c6d80d1c11c5ea5bde3e04e66da9638fa1ddd00

    • SSDEEP

      49152:/Y2zrFhW97EqIm3JV38UlVUpIekMqhKy2F/wZbFTLhzpbEt2Gs3OAvUwn7lV5te6:/zy9Qqf3JVsUlVUFlybfhzi20AB59Cw

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Async RAT payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                        Count  ID
  Execution             Scheduled Task                   1      T1053
  Persistence           Scheduled Task                   1      T1053
  Privilege Escalation  Scheduled Task                   1      T1053
  Defense Evasion       Virtualization/Sandbox Evasion   1      T1497
  Discovery             Query Registry                   3      T1012
  Discovery             Virtualization/Sandbox Evasion   1      T1497
  Discovery             System Information Discovery     3      T1082

Tasks