General

  • Target

    DLL Injector Resou_nls..scr.exe

  • Size

    571KB

  • Sample

    231123-yjne9sbg87

  • MD5

    f1bc7841474849a77e8e0b2e507f2ac7

  • SHA1

    eea072584a9227f763d15d784eb52c64453c9505

  • SHA256

    3b2776d93feca48f02f530dff6a3d4d918d94ce4e61c249b9f51f24d1d090d74

  • SHA512

    e9d342ea6620fc1b69868d5b503363a685a50e7184ba28c310f9648b85ebbb3684eb5be08ff5dd678e1026499fe2c562eb45b0c28228e96b7746553f6a1d12b7

  • SSDEEP

    12288:C7oVrmFrSStI0kPUjGn61DfVwZ3pSOPXb2c1wxC3Si+hjTO6HH:3i/i4Jt9wZ3/bTwxQgVTOOH

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MicrosoftEdg

C2

46.1.103.69:9371

Mutex

MicrosoftEdg

Attributes
  • delay

    3

  • install

    false

  • install_file

    MicrosoftEdge

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MicrosoftEdge

C2

46.1.103.69:9371

Mutex

MicrosoftEdge

Attributes
  • delay

    3

  • install

    false

  • install_file

    MicrosoftEdge

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Winlogon

C2

46.1.103.69:2341

Mutex

Winlogon

Attributes
  • delay

    3

  • install

    false

  • install_file

    Winlogon

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      DLL Injector Resou_nls..scr.exe

    • Size

      571KB

    • MD5

      f1bc7841474849a77e8e0b2e507f2ac7

    • SHA1

      eea072584a9227f763d15d784eb52c64453c9505

    • SHA256

      3b2776d93feca48f02f530dff6a3d4d918d94ce4e61c249b9f51f24d1d090d74

    • SHA512

      e9d342ea6620fc1b69868d5b503363a685a50e7184ba28c310f9648b85ebbb3684eb5be08ff5dd678e1026499fe2c562eb45b0c28228e96b7746553f6a1d12b7

    • SSDEEP

      12288:C7oVrmFrSStI0kPUjGn61DfVwZ3pSOPXb2c1wxC3Si+hjTO6HH:3i/i4Jt9wZ3/bTwxQgVTOOH

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks