General

  • Target

    test.exe

  • Size

    63KB

  • Sample

    240102-m4wrlaeehm

  • MD5

    dbae7f28a979f484c12c8c92296cd395

  • SHA1

    6df8059bf64596a7c3b143e236f28cab457cbf5b

  • SHA256

    fe404c8344b09746442737bcc3ea63ec8bb38a6d96d3d549aafbcb5428efae7b

  • SHA512

    468e5b3e919272657437116474935c925db1970db5483bdd88b049abd955be12163e32a89ed3cbe3ed5d7932cafe66cdb18718914677e1744f7299c040302703

  • SSDEEP

    768:iil3pYNlrm78RIC8A+XjOpeyr61urX1+T4uoSBGHmDbDTph0oX/jES4ryYSu4dph:Dyr0In0tYUbJh9/jgau4dpqKmY7

Malware Config

Extracted

  • Family

    asyncrat

  • Botnet

    Default

  • C2

    146.70.129.19:38371

  • Mutex

    RDKMYv迪ΔW艾RΗxC伊1Yd伊רE6L

  • Attributes

    • delay

      1

    • install

      true

    • install_file

      kokot.exe

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      test.exe

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Modifies Windows Defender Real-time Protection settings

    • Stealerium

      An open-source info stealer written in C#, first seen in May 2022.

    • Async RAT payload

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Renames multiple (3150) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15
