General

  • Target: ONAYLA.gz.zip
  • Size: 974KB
  • Sample: 230526-ntewrsfc38
  • MD5: 84d06fb1c7e2ac6556e9dc48cb2ec4be
  • SHA1: a5d22d83d2ba5fd71308e1f95d26920db8f81d24
  • SHA256: 0a0d29e382423a87fc883e03c6e198ed06ee337bc28ee8c42e405f4ecad4759f
  • SHA512: 1da258cf5bf9ee0dcc5cd6c809ad28a14ff5a36bded30902c3e435575cf41889f8d18ece1bcf086ab03223130d7379722cd0248ae1a5d462ed1b907c299dd283
  • SSDEEP: 24576:WgfXvAS6uwJ36KrtjGcE9L+qzfDe6HHAUf1ZBK:t4JKKrty2q1HE

Score
10/10

Malware Config

Extracted

  • Family: asyncrat
  • Version: 0.5.7B
  • Botnet: MxGroup
  • C2:
    frontbrockmepronto.ddns.net:4343
    frontbrockmepronto.ddns.net:5757
    frontbrockmepronto.sytes.net:4343
    frontbrockmepronto.sytes.net:5757
  • Mutex: AsyncMutex_6SI8OkPtD
  • Attributes:
    delay: 3
    install: true
    install_file: procs.exe
    install_folder: %AppData%
  • aes.plain

Targets

    • Target: ONAYLA.exe
    • Size: 1.1MB
    • MD5: 481070cd319071d67812ffc598ebf3a6
    • SHA1: 8fd7e4efaca5aee63d72265d4373b1bf7bd9c4de
    • SHA256: 7570583507a88122beae60126d30e6ef9a0ecdf6d6e5cbfa5eadfbf2beea1f6f
    • SHA512: dde0a9c0bf6314431d08cfb2c9bfa1a65e2c29a9f1a7d1fddff3c7db0451de7541bc586cf7bcca8347773f81847e0fb80b035d05944373060eb1b07edba76ca0
    • SSDEEP: 24576:wNA3R5drXwDhUSW6wJ3KKltLCco9ReqdfDeWH5AOPbZCw:p5WuJaKltWCqB5T

    Score
    10/10
    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Scheduled Task (T1053): 1

  • Persistence
    Scheduled Task (T1053): 1

  • Privilege Escalation
    Scheduled Task (T1053): 1

  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

Tasks