General

  • Target

    confirmation-swift-payment.js

  • Size

    1.5MB

  • Sample

    230508-kd7p3ahf92

  • MD5

    9431e2a625b43dcbdde6c9f7669c653c

  • SHA1

    982c4e8dac9603148295e7a18532b668255f9ca1

  • SHA256

    1139866f47d640744a522f86679627e568b52197f58b6484355b6c4544a6da22

  • SHA512

    27954e4a559bfceb63776f2ad2557af26fcb12418614ed77d9889c0328d8f1aaf3e3157380d97c7b6484edb9a83daf04734593880dea257f05f14ac7d105ae9b

  • SSDEEP

    24576:QRGa/yfp2xvks0uzuM6auN58aNRHINcemsHtE/+sSs955FBgnGAcbvMvfklxepUL:48pafKMz4RHoceXG/+sSs/Bgnw1

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

37.120.210.219:48408

Mutex

AsyncMutex_6SI8OkPnk

Attributes

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      confirmation-swift-payment.js

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks