General

  • Target

    Real Grabber AttemptX.exe

  • Size

    49KB

  • Sample

    230730-rm8r2she68

  • MD5

    c0f3be5eb43f4fc4cbbe6aea2e0cf60c

  • SHA1

    4c8405c753319c761d96829b97588dda7b3d60c9

  • SHA256

    04a255c99fa4ef127648d896641a42e7aaa7c3bcdbef9ab0410195ebabab7ddc

  • SHA512

    bc856e2c416294c4fc6f4e170eae3b2818ea344e578d60fae1299d25ebffc2fda4316040ec31fea3b33edd942c3d892cc55bf26c7018dc286219d9322f008395

  • SSDEEP

    1536:vuiD1TUKg2cwP66IoFblXSlEUhuV0dSEfE:vuixTUKg2cwPaoFblM9hBAWE

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    0.5.7B

  • Botnet

    svhost

  • C2

    5.tcp.eu.ngrok.io:4824

    5.tcp.eu.ngrok.io:14829

  • Mutex

    Discord Inc

  • Attributes

      • delay

        3

      • install

        true

      • install_file

        svhost.exe

      • install_folder

        %AppData%

  • aes.plain

Targets

    • Target

      Real Grabber AttemptX.exe

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks