General

  • Target

    a7adeed2290a6e7d4b061a44337ebbcdc91a9800e40cc96a31632e3e52d710ff.zip

  • Size

    63.1MB

  • Sample

    240402-qhb2vabc65

  • MD5

    a3c9bd712dbfc7d32a72f3c18ef39742

  • SHA1

    10acba02e18819f8363a454c1540a1fdd1705de2

  • SHA256

    c4130272ae568854d135f55878fa1a40d8f659b0e48d570d1f0999f81548ed09

  • SHA512

    c8dca78e5ac4f916480afe6af3b247dd897555aaae560586e183ac8df0c9b06988bc51ac6f0ebab71775396a20f7a8bd85fb45a1150e9fdcd5983619e2c33032

  • SSDEEP

    786432:Y2oSmLnsGqlkaN6iVHDsb40Rcg8EMh8b04HiaiumvBiByxLsPrbw34tUytBl1lZ0:Y24MVnMSEMhm7iaixt4bwgUwlBWGXkUG

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    | Edit 3LOSH RAT

  • Botnet

    Exodus_Market

  • C2

    leetboy.dynuddns.net:1339

  • Mutex

    AsyncMutex_6SI8OkPnk

  • Attributes

    • delay

      3

    • install

      true

    • install_file

      svchos.exe

    • install_folder

      %AppData%

  • aes.plain

Extracted

  • Family

    asyncrat

  • Version

    5.0.5

  • Botnet

    WDKILLER

  • C2

    blue.o7lab.me:4449

  • Mutex

    Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

  • Attributes

    • delay

      1

    • install

      false

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      a7adeed2290a6e7d4b061a44337ebbcdc91a9800e40cc96a31632e3e52d710ff.exe

    • Size

      63.2MB

    • MD5

      0b459466e3619d2a29bb93ea2dac077a

    • SHA1

      b55a18a2d13589b81cae82c691d83e7961799d44

    • SHA256

      a7adeed2290a6e7d4b061a44337ebbcdc91a9800e40cc96a31632e3e52d710ff

    • SHA512

      ab1bd6465ce9e956bf4d9576552ab85541a6b6595817ca68e651264630d728388938b8f0b85353e2278bbee73b6ca427027fdfc8e1fc041a19467b41d29f320c

    • SSDEEP

      1572864:iFffrC4ndj0tJT5vMiaUMeRBFGkdWEeJFj3w:gf24dj6T5TaUTBbdheXw

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks