General

  • Target

    09717399.exe

  • Size

    48.7MB

  • Sample

    230609-h4xxfabd53

  • MD5

    33ce5b0d118abf329444aef57dbe7eb6

  • SHA1

    7a6ef6db2411546257b477c8e86d7cf1958a090e

  • SHA256

    069e0cb4a7fcf627459696e4257f4b471eee3a863a477e4ce0bb74ac9830e671

  • SHA512

    1ddc7bc7e107f99f1298e556b837b1024532d08cb312ec7284a3cd67f43c2823a73d00a92ce67711818fc9117a8c84953a927170f8d9d8a89e448334608bf924

  • SSDEEP

    786432:9G+SChsSUN7Wrwx3VyOdSgffEFZBTK1jCeb39z/MkJk+cP3l/hnp/2yahNNkuPtH:9SRSJrk38CVEWjNb39gki/R/2JhlFCwx

Malware Config

Targets

    • Target

      09717399.exe

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • DcRat

      DarkCrystal (DCRat) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies Windows Defender Real-time Protection settings

    • Async RAT payload

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Downloads MZ/PE file

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031): 1

  • Defense Evasion

    Modify Registry (T1112): 2

    Disabling Security Tools (T1089): 1

    Install Root Certificate (T1130): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

  • Command and Control

    Web Service (T1102): 1

Tasks