General

  • Target

    2024-06-01_53b2f792d05e22cea3283bbfaa6bb085_megazord

  • Size

    3.4MB

  • Sample

    240601-a5brlacd56

  • MD5

    53b2f792d05e22cea3283bbfaa6bb085

  • SHA1

    94a409e9e4d53418d4674ca2aa05e7a4587ad633

  • SHA256

    8fe0f92974260cf06d5c6db3b5e94bba47e267889314360a086fa54812e7864f

  • SHA512

    e41909b79564bd715656b02ad9c07fe61c6a6c9a4520d3748db2317fc86cba314bd5268fb1bdcf8fad0f56a4efa31a37f814bc5d0fb6ccd0959e2e5a236067e6

  • SSDEEP

    49152:PXmM3+IVJiicn3HpKoQyvf7+rEgFhnNVlaTMuIt3jc:cdVjna38Yht3g

Malware Config

Extracted

Family

asyncrat

Version

2.0.0

Botnet

Default

C2

webwhatsapp.cc:65503

Mutex

ShiningForceRatMutex_cs_cs_cs

Attributes

  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      2024-06-01_53b2f792d05e22cea3283bbfaa6bb085_megazord

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • UAC bypass

    • Detects executables attempting to enumerate video devices using WMI

    • Detects executables containing the string DcRatBy

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • T1059 Command and Scripting Interpreter: 1

  • T1059.001 PowerShell: 1

Persistence

  • T1547 Boot or Logon Autostart Execution: 1

  • T1547.001 Registry Run Keys / Startup Folder: 1

Privilege Escalation

  • T1548 Abuse Elevation Control Mechanism: 1

  • T1548.002 Bypass User Account Control: 1

  • T1547 Boot or Logon Autostart Execution: 1

  • T1547.001 Registry Run Keys / Startup Folder: 1

Defense Evasion

  • T1548 Abuse Elevation Control Mechanism: 1

  • T1548.002 Bypass User Account Control: 1

  • T1562 Impair Defenses: 1

  • T1562.001 Disable or Modify Tools: 1

  • T1112 Modify Registry: 3

Discovery

  • T1082 System Information Discovery: 1

Tasks