General

  • Target

    2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.zip

  • Size

    115.7MB

  • Sample

    240523-pzezdsae7w

  • MD5

    e7203ee825209d06d3373d887b48d18c

  • SHA1

    c97e03c52212c8babead7ce7cbcb1380d9e19714

  • SHA256

    7fdd7e02c94fd64e1a19e51f03dd0819b23437711690882d5ca765997f2447e7

  • SHA512

    deef3ef7a5880b96d7f31156e61ad0e73be464e417a1d31f7c164629b3f586acd45041c408796fce1734bec73053214aa056670fd2fcfd278685b1726b28ba36

  • SSDEEP

    3145728:T3HdM43C3oYCqqAdLnV49lBTZITHAgKQtLGxzAfvDGOHaY1Ebs5cg6CKjN+:b5i/IbicUiN+

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    1.0.7

  • Botnet

    CPA

  • C2

    5.253.84.218:54657

  • Mutex

    DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      1099Misc.inf

    • Size

      220.0MB

    • MD5

      65062141a5aa00068b12b74a85d67b41

    • SHA1

      5ba2d2c53978b4de3a123d79fa3ed60e93d86a48

    • SHA256

      133be53c484a7d2f18f7919a393b60f4276f7900417bcd7bfecdbe977e750fb4

    • SHA512

      d9bdde0c7293acbdf4410b454cfd9a1ed6d645b69a108d88292cc3008d42909934d269d03c94d06e4868b1b2d0c6b0a260a3dfaacca9338e227452c307998231

    • SSDEEP

      3145728:96lH+byk0ZggBznCh2HCea5bQ92NmDVr9XqnZGWp:

    • Score

      1/10

    • Target

      2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe

    • Size

      6.1MB

    • MD5

      4864a55cff27f686023456a22371e790

    • SHA1

      6ed30c0371fe167d38411bfa6d720fcdcacc4f4c

    • SHA256

      08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2

    • SHA512

      4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb

    • SSDEEP

      98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      msimg32.dll

    • Size

      44.7MB

    • MD5

      ce551ef0eead129588bd522b032329a6

    • SHA1

      af451cb0e8bd8a72e16df7c861a47389d060fec9

    • SHA256

      e9a221f17124d3472c612e242f39b28106ea0391774a9a8c394040af34e3920a

    • SHA512

      112ab3d2d1c437e127876d87c074aebe8081503f327816d00453799b1e5307b1163f7de52324ee4e8b195db7ae1f0930677d9d5e984d16532895ed8d88c31ba1

    • SSDEEP

      786432:wUP7GCGO7t0Srkx/tC0SzIdSwh/WxbpNHQD3trzRpc1:wUP7GCG6iSrkx1hSzYsHQD3t/RO1

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 2

  • Registry Run Keys / Startup Folder (T1547.001): 2

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2

  • Registry Run Keys / Startup Folder (T1547.001): 2

Defense Evasion

  • Modify Registry (T1112): 3

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 1

Tasks