General

  • Target

    Hidden-Malware-BuilderV5-main.zip

  • Size

    2.6MB

  • Sample

    240530-qt7mwsac7v

  • MD5

    d3de7ff429c8d05cb7ff4b1941d8bb0a

  • SHA1

    e70963f512a73ad46a0be2ec31e6e7d30fe6365b

  • SHA256

    60d598cba87775c68774967bfeeebc98cc01315f294872e417cccdd3e5c869ed

  • SHA512

    1f3035dc16c66b7e97ffd01f0cfe02ee0c466d74e4aebe7dfa9978d6a310cef564e29d8237710dd5d539ace0e86828c6219f7f432515ceb49a9ff08f414d23c8

  • SSDEEP

    49152:xeCBCiv3I9yUfFH9Py82t+OfzfSQSCaP52pNI7RnIWUMskmkekgVZmQC1kzcLbE8:pBCUY9rF5OfTdnaxwN+RnIWs2eOQYYc3

Malware Config

Extracted

  • Language

    ps1

  • Source URLs (exe.dropper)

    https://github.com/MalwareTeam/SecurityHealthService/raw/main/SecurityHealthService.exe

    https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

  • Family

    asyncrat

  • Version

    1.0.7

  • Botnet

    Default

  • C2

    bay-helps.gl.at.ply.gg:36538

  • Mutex

    DcRatMutex_qwqdanchun

  • Attributes

    • delay

      1

    • install

      false

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      Hidden-Malware-BuilderV5-main/H-Malware Builder V5.exe

    • Size

      407KB

    • MD5

      c8f6d76b4ae82978272bde392561c4f4

    • SHA1

      80447d36fcf88cc9caa806db53e22d9468cc31ee

    • SHA256

      c981ebcf0c0cf857162ae35b9385c22d3198c2ec9ea00e37fcfe74a79eb3510e

    • SHA512

      10fa87f050a9ceb658e443317158ef8b1dbaa9e183ec61b5e5e42adb562f7918d996134aba7f0bbad852def4d6b0824c7b9716628b554194d0fd95974de6b2ad

    • SSDEEP

      12288:r5p4UNBN3aqeKNoRfwoZrHMBV9EwEcb8+DvtuWUb:r9N3aqPCRooZwBjEhcYcvYWUb

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
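The following Python is an added example, not code from the sandbox report or from the sample itself. It turns the extracted configuration above (C2 host and port, mutex, dropper URLs) and the PowerShell/Defender signature above into detection logic and runs it over constructed key=value log lines. Assumptions: the key=value log format, the ply.gg registrable domain as a hunting pivot for the tunnel-hosted C2, and the Add-MpPreference / Set-MpPreference command-line patterns used to recognise the Defender tampering.

```python
"""Hunt for artefacts of the AsyncRAT sample in constructed logs (added example)."""
import re

# Indicators copied from the extracted configuration above.
C2_HOST = "bay-helps.gl.at.ply.gg"
C2_PORT = 36538
MUTEX = "DcRatMutex_qwqdanchun"
DROPPER_URLS = (
    "https://github.com/MalwareTeam/SecurityHealthService/raw/main/SecurityHealthService.exe",
    "https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat",
)

# Assumption: the C2 sits behind a *.ply.gg tunnel hostname, so the registrable
# domain is a medium-confidence hunting pivot while the exact host:port is the
# blocking indicator. Dropper URLs are matched on the full URL only, because
# github.com / raw.githubusercontent.com are far too common to block.
C2_APEX = ".".join(C2_HOST.split(".")[-2:])  # "ply.gg"

# Assumption: how the "PowerShell modifies Defender settings" behaviour looks in
# a process-creation command line (Add-MpPreference exclusions, Set-MpPreference
# -Disable* switches). Pipes and semicolons end the match so one cmdlet cannot
# borrow parameters from the next.
DEFENDER_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b[^|;]*-Exclusion(?:Path|Extension|Process)\b", re.I)
DEFENDER_DISABLE_RE = re.compile(r"Set-MpPreference\b[^|;]*-Disable\w+", re.I)

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse one constructed key=value log line into a dict."""
    return {k: q or u for k, q, u in KV_RE.findall(line)}


def classify(line):
    """Return a list of (severity, reason) findings for one log line."""
    ev = parse_kv(line)
    findings = []
    kind = ev.get("event")
    if kind == "net":
        host = ev.get("dst", "").lower()
        port = int(ev.get("dport", 0))
        if host == C2_HOST and port == C2_PORT:
            findings.append(("high", f"known AsyncRAT C2 {host}:{port}"))
        elif host == C2_APEX or host.endswith("." + C2_APEX):
            findings.append(("medium", f"tunnel-service host under {C2_APEX}"))
        if ev.get("url") in DROPPER_URLS:
            findings.append(("high", "download of a configured dropper URL"))
    elif kind == "proc":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        if "powershell" in image and DEFENDER_EXCLUSION_RE.search(cmd):
            findings.append(("high", "PowerShell adds a Defender exclusion"))
        if "powershell" in image and DEFENDER_DISABLE_RE.search(cmd):
            findings.append(("high", "PowerShell disables a Defender feature"))
    elif kind == "sync":
        if ev.get("name") == MUTEX:
            findings.append(("high", f"mutex {MUTEX} created"))
    return findings


def hunt(lines):
    """Run classify() over every line; return {line_number: findings} for hits only."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits


# Constructed log lines for the demonstration; not taken from the report.
SAMPLE_LOG = [
    "ts=2024-05-30T10:01:02Z event=net host=WS01 proto=tcp dst=bay-helps.gl.at.ply.gg dport=36538",
    "ts=2024-05-30T10:01:03Z event=net host=WS01 proto=tcp dst=update.example.internal dport=443",
    "ts=2024-05-30T10:01:04Z event=net host=WS02 proto=tcp dst=other-name.gl.at.ply.gg dport=443",
    'ts=2024-05-30T10:01:05Z event=net host=WS01 proto=tcp dst=raw.githubusercontent.com dport=443 '
    'url="https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat"',
    r'ts=2024-05-30T10:01:06Z event=proc host=WS01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'cmdline="powershell -Command Add-MpPreference -ExclusionPath C:\Users\a\AppData\Roaming -ExclusionExtension exe"',
    r'ts=2024-05-30T10:01:07Z event=proc host=WS03 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'cmdline="powershell -Command Get-MpPreference"',
    "ts=2024-05-30T10:01:08Z event=sync host=WS01 type=mutex name=DcRatMutex_qwqdanchun",
]

if __name__ == "__main__":
    for n, found in hunt(SAMPLE_LOG).items():
        for severity, reason in found:
            print(f"line {n}: [{severity}] {reason}")
```

The split between blocking indicators (exact C2 host:port, exact dropper URLs, mutex name) and hunting pivots (any host under the tunnel domain) matters in practice: the tunnel service and the GitHub hosts carry legitimate traffic, so only the exact values belong in a blocklist while the broader match belongs in a hunt query reviewed by an analyst.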

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 1

  • PowerShell (T1059.001): 1

  • Scheduled Task/Job (T1053): 1

Persistence

  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Scheduled Task/Job (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 3

  • System Information Discovery (T1082): 3

  • Peripheral Device Discovery (T1120): 1

Tasks