General

  • Target

    File.zip

  • Size

    244KB

  • Sample

    231206-k7m8hsdc25

  • MD5

    dcefc2402eaf43b7022fc871ac9d876a

  • SHA1

    4584a21898055e7f43d3878aa78fca142bfb26da

  • SHA256

    57644f7c11a9800bc862bbcdf1709c65894307f050ffe1d7f8e854d783628c43

  • SHA512

    adaeb63586ba6606740103fbd1e8eefe004d1381bbe691e1abdbe4a6090e0df3146691f90f2fd15abc59c10ea87042eea385dd610e96c3e62fb6bf35b25523a5

  • SSDEEP

    6144:DTNPnfkGrPi24mJsqRAH0L/IL35lmA8A0FoVH7Yj8X9eSuEAfKIDe:FPfnji2TJsqrI3PmtA0FoVH7YAeS3Y2

Malware Config

Extracted

Family

asyncrat

Version

| Cracked Jokamer & Jok7oda

Botnet

1st

C2

cryptojoke.con-ip.com:4444

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      DNTTJVXKZLJCCXFODKZSQE.bat

    • Size

      642B

    • MD5

      908fa5903600411bd9d1a4d1a31f21d9

    • SHA1

      27cebf3de5af7e5df34517e1ea99fb39f0482d60

    • SHA256

      3323f1d80a4bd01c95344439789b08b913eb16c5c5747471f84b57ce091a929a

    • SHA512

      fd7d4d1d5da68767d954cd1b5bf502df89f869a63972ad32ec643f25f28e324803269d612bc33fc705e82637bf2fcfceaac71684d5369669a227fb7cd4cd00a0

    • Score

      7/10

    • Target

      DNTTJVXKZLJCCXFODKZSQE.ps1

    • Size

      3KB

    • MD5

      e051694e565da8588b13991238e33a99

    • SHA1

      58d95f665138830d3a9eb4486a7c68ee09aa5ae3

    • SHA256

      b62afb5df50db05a0c7745c977c30edcda0eb6ef69244101958c93438128b913

    • SHA512

      df1d5a40870660517e0f277e9e3df30051394bb39a39d2ee9ff3dfe36842d943df949539d958e76d848f251fabb3102a9d5ce95d944716f67ff9bebe423e1b68

    • Score

      1/10

    • Target

      DNTTJVXKZLJCCXFODKZSQE.vbs

    • Size

      1KB

    • MD5

      6ee90b3ed21b56b06f723c0c0cd7e314

    • SHA1

      07aa736da386b2c0e10e6391be422026ccc1757f

    • SHA256

      3259db8c427af2468418420eb5d42102dae8d422b370ebef742da144a01310e2

    • SHA512

      92f4b866c25176b502fac7d572d1cd48bfe801fce6efd2e2f3d7846229407efa0ed3a697b8825659e3e17fda73d5cf02114920cafa9399b0ac8e79087b15a3b1

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Drops file in System32 directory

    • Target

      FFBLHLNEHNCWJTCUUBSRAY.ps1

    • Size

      668KB

    • MD5

      c272efe749093b19bdcbdc6feecfe88c

    • SHA1

      7f199099be439dd71caf4aad8cc01ec1cf73aa3c

    • SHA256

      1e7ca2a3abd1a747acfaef416b940c59a5854da057498bf3ae41b31e896b6642

    • SHA512

      9d4a0817c3ba4aec2e39c0763fcf69d54d59f7405e5519b4034ac80ec6e630baa954718c582f8a2be71a902cc78de7c447308720ef8fe64c821a23efd5d2772c

    • SSDEEP

      1536:gAWW+4VTv5WUr5pDGo3nWmTLbdshmPzkromACMyZCh6Tpdf9vWqDrh0uwqwT35Sk:B

    • Score

      10/10

    • AsyncRat

      AsyncRAT is a remote access trojan written in C# that is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Suspicious use of SetThreadContext
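The indicators above (C2 host and port, mutex, stage file names and hashes) as a sweep over endpoint telemetry, written as an added example that is not part of the sandbox report and not code from AsyncRAT. It assumes a Sysmon-like event layout (the field names are invented), and the parent/child interpreter pairs are inferred from the stage extensions because the report does not print the process tree:

```python
"""Sweep endpoint telemetry for the indicators listed in this report.

Editor-added example; it is not part of the sandbox report and not AsyncRAT
code. The event layout is an invented, Sysmon-like dict format: rename the
fields to match whatever your EDR or SIEM exports.
"""
from __future__ import annotations

import hashlib
import re

# Indicators copied verbatim from the report.
C2_HOST = "cryptojoke.con-ip.com"
C2_PORT = 4444
MUTEX = "AsyncMutex_6SI8OkPnk"
STAGE_SHA256 = {
    "57644f7c11a9800bc862bbcdf1709c65894307f050ffe1d7f8e854d783628c43": "File.zip",
    "3323f1d80a4bd01c95344439789b08b913eb16c5c5747471f84b57ce091a929a": "DNTTJVXKZLJCCXFODKZSQE.bat",
    "b62afb5df50db05a0c7745c977c30edcda0eb6ef69244101958c93438128b913": "DNTTJVXKZLJCCXFODKZSQE.ps1",
    "3259db8c427af2468418420eb5d42102dae8d422b370ebef742da144a01310e2": "DNTTJVXKZLJCCXFODKZSQE.vbs",
    "1e7ca2a3abd1a747acfaef416b940c59a5854da057498bf3ae41b31e896b6642": "FFBLHLNEHNCWJTCUUBSRAY.ps1",
}
# Both dropped stems are 22 random upper-case letters; match the shape so a
# rebuilt dropper with fresh names still trips the rule (assumption: the
# builder keeps that length).
STAGE_NAME_RE = re.compile(r"\b[A-Z]{22}\.(?:bat|ps1|vbs)\b")
# Interpreters implied by the stage extensions (.bat -> cmd.exe, .ps1 ->
# powershell.exe, .vbs -> wscript.exe / cscript.exe). The report does not
# print the process tree, so these parent/child pairs are an assumption.
SCRIPT_CHAIN = {
    ("cmd.exe", "powershell.exe"),
    ("powershell.exe", "wscript.exe"),
    ("powershell.exe", "cscript.exe"),
    ("wscript.exe", "powershell.exe"),
    ("cscript.exe", "powershell.exe"),
}


def sha256_file(path: str) -> str:
    """Hash a file on disk so it can be looked up in STAGE_SHA256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _basename(p: str) -> str:
    return p.lower().rsplit("\\", 1)[-1]


def match_event(ev: dict) -> list[str]:
    """Return the report indicators that one event matches (empty list if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "dns_query" and ev.get("query", "").lower().rstrip(".") == C2_HOST:
        hits.append("c2_dns_query")
    if kind == "network_connect" and ev.get("dest_host", "").lower() == C2_HOST:
        hits.append("c2_connect")
        # Port 4444 on its own is far too noisy to alert on; it only
        # strengthens a host hit.
        if ev.get("dest_port") == C2_PORT:
            hits.append("c2_port")
    if kind == "mutex_create" and ev.get("name") == MUTEX:
        hits.append("asyncrat_mutex")
    if kind == "file_create":
        known = STAGE_SHA256.get(ev.get("sha256", "").lower())
        if known:
            hits.append("known_stage:" + known)
        if STAGE_NAME_RE.search(ev.get("path", "")):
            hits.append("stage_name_pattern")
    if kind == "process_create":
        if STAGE_NAME_RE.search(ev.get("command_line", "")):
            hits.append("stage_name_pattern")
        pair = (_basename(ev.get("parent_image", "")), _basename(ev.get("image", "")))
        if pair in SCRIPT_CHAIN:
            hits.append("script_chain:%s->%s" % pair)
    return hits


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> matched indicators, keeping only events that matched."""
    return {ev["id"]: h for ev in events if (h := match_event(ev))}


# Constructed telemetry (not captured from the sandbox run) exercising each rule.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "file_create",
     "path": r"C:\Users\u\AppData\Local\Temp\DNTTJVXKZLJCCXFODKZSQE.vbs",
     "sha256": "3259db8c427af2468418420eb5d42102dae8d422b370ebef742da144a01310e2"},
    {"id": "e2", "type": "process_create",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -ep bypass -f C:\Users\u\AppData\Local\Temp\DNTTJVXKZLJCCXFODKZSQE.ps1"},
    {"id": "e3", "type": "mutex_create", "name": "AsyncMutex_6SI8OkPnk"},
    {"id": "e4", "type": "dns_query", "query": "cryptojoke.con-ip.com"},
    {"id": "e5", "type": "network_connect", "dest_host": "cryptojoke.con-ip.com", "dest_port": 4444},
    {"id": "e6", "type": "network_connect", "dest_host": "update.example.net", "dest_port": 443},
]

if __name__ == "__main__":
    for event_id, matched in scan(SAMPLE_EVENTS).items():
        print(event_id, matched)
```

The hash table catches only these exact stages; the name-shape regex, the mutex and the C2 host are what survive a rebuild of the dropper, so weight them higher than the hashes when tuning the rule.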

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    T1547 Boot or Logon Autostart Execution (1)
      T1547.001 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1547 Boot or Logon Autostart Execution (1)
      T1547.001 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (1)
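The Run-key persistence and Modify Registry techniques in the matrix as a triage script over a `reg export` dump of HKCU\Software\Microsoft\Windows\CurrentVersion\Run, added here as an example rather than taken from the report or the sandbox. The flagging heuristics (script hosts, script extensions, user-writable paths such as the %AppData% install folder, and the 22-letter random stems of the dropped stages) are the editor's assumptions drawn from what this report shows; the sample dump is constructed, not captured from the run:

```python
r"""Triage the Run / RunOnce autostart entries in a `reg export` dump.

Editor-added example, not part of the sandbox report. It parses the text
format that `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run
run.reg` writes (reg.exe writes UTF-16; open the file with encoding="utf-16").
The scoring heuristics are the editor's assumptions, chosen from what this
report shows: script-file stages, an install folder of %AppData%, and
22-letter random file stems.
"""
from __future__ import annotations

import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)$", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "pwsh", "mshta", "cmd.exe", "cmd /c")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".ps1", ".bat", ".cmd", ".hta")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "%appdata%", "%localappdata%", "%temp%")
RANDOM_STEM_RE = re.compile(r"\b[A-Z]{22}\.(?:vbs|ps1|bat)\b")


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Yield (key, value_name, string_data) for every REG_SZ value in the dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        # dword:, hex:, hex(2): ... are binary encodings; only quoted plain
        # strings are commands we can read directly here.
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            yield key, name, _unescape(data[1:-1])


def triage_run_keys(text: str) -> list[dict]:
    """Return the autostart entries that look like a script-based loader."""
    findings = []
    for key, name, cmd in parse_reg_export(text):
        if not RUN_KEY_RE.search(key):
            continue
        low = cmd.lower()
        reasons = []
        if any(h in low for h in SCRIPT_HOSTS):
            reasons.append("script host")
        if any(e in low for e in SCRIPT_EXTS):
            reasons.append("script file")
        if any(p in low for p in USER_WRITABLE):
            reasons.append("user-writable path")
        if RANDOM_STEM_RE.search(cmd):
            reasons.append("random 22-letter stem")
        if reasons:
            findings.append({"key": key, "name": name, "command": cmd, "reasons": reasons})
    return findings


# Constructed dump in reg.exe's export format (not taken from the sandbox run).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="wscript.exe //B \"C:\\Users\\u\\AppData\\Roaming\\DNTTJVXKZLJCCXFODKZSQE.vbs\""
"Tray"=hex(2):43,00,3a,00,5c,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG):
        print(f["name"], "->", f["command"], "|", ", ".join(f["reasons"]))
```

The path heuristic is deliberately the weakest signal: per-user installers (OneDrive, Teams, many updaters) legitimately live under AppData\Local, so an entry flagged only for "user-writable path" needs a look at the binary, while "script host" plus "script file" together is what the stages in this report would produce. The extracted config has install = false, so any Run-key entry in a live case is more likely to have been written by the loader scripts than by the RAT's own installer; the command line of the entry, not the RAT's config, is what tells you which.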
