General

  • Target

    f111e483a57a3b7eb2ab0d1e773445796106e411f98482e8ff12c0da3b673e2c

  • Size

    43KB

  • Sample

    231124-hp5zhahd51

  • MD5

    21bc89b62236a92090a9b9732ce09b5e

  • SHA1

    c5f64406c8ebe694d853a867d32e0f0912f86272

  • SHA256

    f111e483a57a3b7eb2ab0d1e773445796106e411f98482e8ff12c0da3b673e2c

  • SHA512

    4d56041226a4b14c94a9e05a4217e7dfff403c6b2c23f1067f0a7e6ed352477668594f74e9ddf3b86cd155c40939cb71002abc9c124fc73faa746dfc257bc1c3

  • SSDEEP

    96:jvZm8MrZx3iwSndBq4H5kdc6PkBNNlRGGadekHytUZfLJh6OZZR/YmWZrzNt:j4R1VXcM/G7qfLJh6OZ4mWD

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MicrosoftEdg

C2

46.1.103.69:9371

Mutex

MicrosoftEdg

Attributes
  • delay

    3

  • install

    false

  • install_file

    MicrosoftEdge

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MicrosoftEdge

C2

46.1.103.69:9371

Mutex

MicrosoftEdge

Attributes
  • delay

    3

  • install

    false

  • install_file

    MicrosoftEdge

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Winlogon

C2

46.1.103.69:2341

Mutex

Winlogon

Attributes
  • delay

    3

  • install

    false

  • install_file

    Winlogon

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      f111e483a57a3b7eb2ab0d1e773445796106e411f98482e8ff12c0da3b673e2c

    • Size

      43KB

    • MD5

      21bc89b62236a92090a9b9732ce09b5e

    • SHA1

      c5f64406c8ebe694d853a867d32e0f0912f86272

    • SHA256

      f111e483a57a3b7eb2ab0d1e773445796106e411f98482e8ff12c0da3b673e2c

    • SHA512

      4d56041226a4b14c94a9e05a4217e7dfff403c6b2c23f1067f0a7e6ed352477668594f74e9ddf3b86cd155c40939cb71002abc9c124fc73faa746dfc257bc1c3

    • SSDEEP

      96:jvZm8MrZx3iwSndBq4H5kdc6PkBNNlRGGadekHytUZfLJh6OZZR/YmWZrzNt:j4R1VXcM/G7qfLJh6OZ4mWD

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks