asyncrat | einladen[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

einladen.zip
Size

3.7MB
MD5

90a735776390749af61eff3b75335535
SHA1

512cacfe356a75ff3ca075d7bb06262335e8b4ad
SHA256

e443ab70ff3e4c6a296bbfda092423005ffb3c011d1a0ab21a3cc9a49842c455
SHA512

0d6d01f3196b91928051f6716f8b2313c88f03080f2d7b10f16bd5f91473fe8881c3e61094dcf26e1b134609a9a593ab74dc59e50abb4e2c498a13750591666d
SSDEEP

49152:NQLPaUyrMv8Q6aPn5AORMRBKzCzwJLbPb3V/KkhsbTLvX+HUNgLhqId:NQL4r65rRMIgQbPJT2PL/wUsqId

Score

10^/10

rat default asyncrat

Malware Config

Extracted

Family

asyncrat

Version

false

Botnet

Default

Mutex

test

Attributes

delay
3
install
false
install_file
Apple-iTunes.exe
install_folder
%AppData%

aes.plain

Signatures

Async RAT payload 1 IoCs

rat

resource	yara_rule
static1/unpack001/EmpireClient.exe	asyncrat

Asyncrat family
asyncrat

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/AppVIsvSubsystems64.dll
unpack001/EmpireClient.exe
unpack001/mso.dll

Files

einladen.zip
.zip

Password: hacktheblue
AppVIsvSubsystems64.dll
.dll windows:6 windows x64 arch:x64

Password: hacktheblue

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Exports

Exports

APIExportForDetours
CurrentThreadIsVirtualized
IsProcessHooked
RequestUnhookedFunctionList
VirtualizeCurrentProcess
VirtualizeCurrentThread

Sections

.text
Size: 512B - Virtual size: 19B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 496B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
EmpireClient.exe
.exe windows:4 windows x86 arch:x86

Password: hacktheblue

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 58KB - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Invitation.pdf
.pdf

Password: hacktheblue
Invitation_Farewell_DE_EMB.hta
.html
Invitation_Farewell_DE_EMB.zip
.zip

Password: hacktheblue
Invitation_Farewell_DE_EMB.hta
.html
Logfile.PML
downloader.html
.html
mso.dll
.dll windows:4 windows x64 arch:x64

Password: hacktheblue

02faad3c3df6356cd474d41e3fc7d72c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

GetUserNameA

kernel32

CreateToolhelp32Snapshot
DeleteCriticalSection
EnterCriticalSection
GetComputerNameExA
GetLastError
GetModuleHandleW
GetProcAddress
GetProcessHeap
HeapAlloc
HeapFree
InitializeCriticalSection
LeaveCriticalSection
MultiByteToWideChar
Process32First
Process32Next
Sleep
TlsGetValue
VirtualProtect
VirtualQuery

msvcrt

__iob_func
_amsg_exit
_errno
_initterm
_lock
_unlock
_vscprintf
_vsnprintf
abort
calloc
free
fwrite
realloc
strchr
strcmp
strlen
strncmp
strrchr
vfprintf

shell32

ShellExecuteA

Exports

Exports

CommandLineToArgvWTT

Sections

.text
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 63KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 79B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 100B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
msoev.exe
.exe windows:6 windows x64 arch:x64

Password: hacktheblue

Code Sign

33:00:00:05:00:27:d6:32:6f:43:73:7b:87:00:00:00:00:05:00
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/02/2023, 20:11

Not After

31/01/2024, 20:11

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:03:3e:63:3a:86:bf:41:73:d7:e0:00:00:00:00:03:3e
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/02/2023, 20:10

Not After

31/01/2024, 20:10

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

b0:5b:f4:78:6a:17:fb:32:41:b1:d7:86:aa:b1:cd:3d:8f:5d:b2:25:5b:58:eb:92:e9:0d:9d:c1:a0:3a:c6:92
Signer

Actual PE Digest

b0:5b:f4:78:6a:17:fb:32:41:b1:d7:86:aa:b1:cd:3d:8f:5d:b2:25:5b:58:eb:92:e9:0d:9d:c1:a0:3a:c6:92

Digest Algorithm

sha256

PE Digest Matches

true

b0:5b:f4:78:6a:17:fb:32:41:b1:d7:86:aa:b1:cd:3d:8f:5d:b2:25:5b:58:eb:92:e9:0d:9d:c1:a0:3a:c6:92
Signer

Actual PE Digest

b0:5b:f4:78:6a:17:fb:32:41:b1:d7:86:aa:b1:cd:3d:8f:5d:b2:25:5b:58:eb:92:e9:0d:9d:c1:a0:3a:c6:92

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 816B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.c2r
Size: 512B - Virtual size: 316B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
msoev.pcapng
sheet.hta
.html .js polyglot
unc.js

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: hacktheblue

Password: hacktheblue

Headers

DLL Characteristics

File Characteristics

Exports

Exports

Sections

.text Size: 512B - Virtual size: 19B

.rdata Size: 512B - Virtual size: 496B

.rsrc Size: 512B - Virtual size: 480B

Password: hacktheblue

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 58KB - Virtual size: 58KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Password: hacktheblue

Password: hacktheblue

Password: hacktheblue

02faad3c3df6356cd474d41e3fc7d72c

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcrt

shell32

Exports

Exports

Sections

.text Size: 21KB - Virtual size: 21KB

.data Size: 512B - Virtual size: 176B

.rdata Size: 2KB - Virtual size: 1KB

.pdata Size: 2KB - Virtual size: 1KB

.xdata Size: 1KB - Virtual size: 1KB

.bss Size: - Virtual size: 63KB

.edata Size: 512B - Virtual size: 79B

.idata Size: 2KB - Virtual size: 1KB

.CRT Size: 512B - Virtual size: 88B

.tls Size: 512B - Virtual size: 16B

.reloc Size: 512B - Virtual size: 100B

Password: hacktheblue

Code Sign

33:00:00:05:00:27:d6:32:6f:43:73:7b:87:00:00:00:00:05:00Certificate

Extended Key Usages

61:0c:52:4c:00:00:00:00:00:03Certificate

Key Usages

33:00:00:03:3e:63:3a:86:bf:41:73:d7:e0:00:00:00:00:03:3eCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

b0:5b:f4:78:6a:17:fb:32:41:b1:d7:86:aa:b1:cd:3d:8f:5d:b2:25:5b:58:eb:92:e9:0d:9d:c1:a0:3a:c6:92Signer

b0:5b:f4:78:6a:17:fb:32:41:b1:d7:86:aa:b1:cd:3d:8f:5d:b2:25:5b:58:eb:92:e9:0d:9d:c1:a0:3a:c6:92Signer

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 11KB - Virtual size: 10KB

.rdata Size: 9KB - Virtual size: 8KB

.data Size: 1024B - Virtual size: 2KB

.pdata Size: 1024B - Virtual size: 816B

.didat Size: 512B - Virtual size: 152B

.c2r Size: 512B - Virtual size: 316B

.rsrc Size: 15KB - Virtual size: 14KB

.reloc Size: 512B - Virtual size: 256B

.text
Size: 512B - Virtual size: 19B

.rdata
Size: 512B - Virtual size: 496B

.rsrc
Size: 512B - Virtual size: 480B

.text
Size: 58KB - Virtual size: 58KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 21KB - Virtual size: 21KB

.data
Size: 512B - Virtual size: 176B

.rdata
Size: 2KB - Virtual size: 1KB

.pdata
Size: 2KB - Virtual size: 1KB

.xdata
Size: 1KB - Virtual size: 1KB

.bss
Size: - Virtual size: 63KB

.edata
Size: 512B - Virtual size: 79B

.idata
Size: 2KB - Virtual size: 1KB

.CRT
Size: 512B - Virtual size: 88B

.tls
Size: 512B - Virtual size: 16B

.reloc
Size: 512B - Virtual size: 100B

33:00:00:05:00:27:d6:32:6f:43:73:7b:87:00:00:00:00:05:00
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

33:00:00:03:3e:63:3a:86:bf:41:73:d7:e0:00:00:00:00:03:3e
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

b0:5b:f4:78:6a:17:fb:32:41:b1:d7:86:aa:b1:cd:3d:8f:5d:b2:25:5b:58:eb:92:e9:0d:9d:c1:a0:3a:c6:92
Signer

b0:5b:f4:78:6a:17:fb:32:41:b1:d7:86:aa:b1:cd:3d:8f:5d:b2:25:5b:58:eb:92:e9:0d:9d:c1:a0:3a:c6:92
Signer

.text
Size: 11KB - Virtual size: 10KB

.rdata
Size: 9KB - Virtual size: 8KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 1024B - Virtual size: 816B

.didat
Size: 512B - Virtual size: 152B

.c2r
Size: 512B - Virtual size: 316B

.rsrc
Size: 15KB - Virtual size: 14KB

.reloc
Size: 512B - Virtual size: 256B