User tags

Assigned on submission by the user, not by sandbox detections.

Threatview.io Proactive Hunter

General

  • Target

    degrado-lavacrypt-dfgs.exe

  • Size

    426KB

  • Sample

    240425-gecdrsgc8x

  • MD5

    7d5053287343d71bf9e3b913d4e4e551

  • SHA1

    822191da126f6d18cbc110e02473afb0528751bd

  • SHA256

    48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1

  • SHA512

    801a414806c2ff4a8db764dd4d1fa9b2ad06ac7976fd5a98079362c33583dce246f95dd76427f911d0674d07d3ebd26085773653ca52ba779e2707f202428bd3

  • SSDEEP

    12288:qoE0Q+9PzNEAVTH2BKlYZQ/yKrFvM/2SwJ:F1L9zLLCKlAQqEva25

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

BSOD_New

Mutex

Mika

Attributes
  • delay

    1

  • install

    false

  • install_file

    UpdateTaskMachineUa.bat.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/F7c4dqk3

aes.plain

Targets

    • Target

      degrado-lavacrypt-dfgs.exe

    • Size

      426KB

    • MD5

      7d5053287343d71bf9e3b913d4e4e551

    • SHA1

      822191da126f6d18cbc110e02473afb0528751bd

    • SHA256

      48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1

    • SHA512

      801a414806c2ff4a8db764dd4d1fa9b2ad06ac7976fd5a98079362c33583dce246f95dd76427f911d0674d07d3ebd26085773653ca52ba779e2707f202428bd3

    • SSDEEP

      12288:qoE0Q+9PzNEAVTH2BKlYZQ/yKrFvM/2SwJ:F1L9zLLCKlAQqEva25

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks