General

  • Target

    18c04e1e7011010cc0cf983dda84804c03bb1de35adff177614f6a4d537f5e6d

  • Size

    5KB

  • Sample

    231124-hp5nqsgc95

  • MD5

    a25afcfcab5014e3b1c1d00be2ed1c98

  • SHA1

    33b01c0c85791e70deab178c307b976856a53f17

  • SHA256

    18c04e1e7011010cc0cf983dda84804c03bb1de35adff177614f6a4d537f5e6d

  • SHA512

    2a90d06ffd8b9dc086ab5000ba988a66b532ef0918e7e4b24fda564af5b1a1c4ff4bf2243f2bea986ae81272a8868401996aafcc3576e624e721e0d34466410e

  • SSDEEP

    96:679SSCFyRr8n5NzVTq48w/rt4x1d3oj8rl:c9SZFm85NzVTT8w/rU1dV

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MicrosoftEdge

C2

46.1.103.69:9371

Mutex

MicrosoftEdge

Attributes
  • delay

    3

  • install

    false

  • install_file

    MicrosoftEdge

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      18c04e1e7011010cc0cf983dda84804c03bb1de35adff177614f6a4d537f5e6d

    • Size

      5KB

    • MD5

      a25afcfcab5014e3b1c1d00be2ed1c98

    • SHA1

      33b01c0c85791e70deab178c307b976856a53f17

    • SHA256

      18c04e1e7011010cc0cf983dda84804c03bb1de35adff177614f6a4d537f5e6d

    • SHA512

      2a90d06ffd8b9dc086ab5000ba988a66b532ef0918e7e4b24fda564af5b1a1c4ff4bf2243f2bea986ae81272a8868401996aafcc3576e624e721e0d34466410e

    • SSDEEP

      96:679SSCFyRr8n5NzVTq48w/rt4x1d3oj8rl:c9SZFm85NzVTT8w/rU1dV

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks