Overview

overview

10

Static

static

3

final2.exe

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    final2.EXE

  • Size

    31.4MB

  • Sample

    240528-taflvaag91

  • MD5

    5ef5f3ba516eb07f97a9d6b45d4eb963

  • SHA1

    cd02235b4462f408d3477226b279ffb997dccb31

  • SHA256

    6edfa70a7cd1bde8485868cafb2593fe5bb92a1bac38c5aac3cba2b6a39e0e1c

  • SHA512

    3fb72042e6532e63280d59abfa775dbecc6e93ca2fb8f457ff87efdd5ac05342230892533e593319a8bcc6889766c16efd82b8a209e1dc8ec3f8b202582871ca

  • SSDEEP

    786432:srk0h2xZlpTWI2gwkYuKuwE0AsSOsUJJyt5iY/G:s5wxZnTZlwkVKuwErFUm

Score
10/10
asyncratdefaultpersistencepyinstallerratspywarestealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

91.92.241.69:5555

Mutex

WZl6sjIAcmXI

Attributes
  • delay

    3

  • install

    true

  • install_file

    AMD Update Manager.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      final2.EXE

    • Size

      31.4MB

    • MD5

      5ef5f3ba516eb07f97a9d6b45d4eb963

    • SHA1

      cd02235b4462f408d3477226b279ffb997dccb31

    • SHA256

      6edfa70a7cd1bde8485868cafb2593fe5bb92a1bac38c5aac3cba2b6a39e0e1c

    • SHA512

      3fb72042e6532e63280d59abfa775dbecc6e93ca2fb8f457ff87efdd5ac05342230892533e593319a8bcc6889766c16efd82b8a209e1dc8ec3f8b202582871ca

    • SSDEEP

      786432:srk0h2xZlpTWI2gwkYuKuwE0AsSOsUJJyt5iY/G:s5wxZnTZlwkVKuwErFUm

    Score
    10/10
    asyncratdefaultpersistencepyinstallerratspywarestealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Async RAT payload

      rat

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks