General

  • Target

    8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe

  • Size

    2.7MB

  • Sample

    240601-e3h54shh8s

  • MD5

    8d7e75a6cff8af7fceb924ec1efc4260

  • SHA1

    5c664cd5587274b66a17d2de857d682235a37325

  • SHA256

    2c29e92bc8fe517a2f687eb0ac03bf711b74414cfa41998fb6d0b1f65929bca8

  • SHA512

    1b15727afb60b85b17c11edefb08703499b340ec84271317c2d0b06d4429b853693af191d87fd5fa5b20e317e81e85a14acf17a02577b9bb83b5727fb1ecf48e

  • SSDEEP

    49152:STMGWKyMlF3c+pUr+zEGH9a6Q0uBA6Mws+wHOE8HRWxZqb:SkKy4PUr+A8YBA6JwH78YxZqb

Malware Config

Extracted

Family

asyncrat

Version

1.0.0

Botnet

Default

C2

149.28.150.93:62940

149.28.150.93:54956

149.28.150.93:3299

149.28.150.93:9203

Mutex

DefaultMutex

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
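The extracted config and the behaviours listed above are exactly what a detection engineer turns into hunt logic. The following is an added example, not code from the sandbox, from this report, or from AsyncRAT itself: it applies rule-style checks to a handful of constructed, Sysmon-like event records (EID 1 process creation, EID 3 network connection, EID 13 registry value set). The C2 host, the four ports and the SHA256 are the values from this page; every command line, file path, registry value name and IP-lookup hostname in SAMPLE_EVENTS is an assumption made for the example, and the report does not show which lookup service the sample actually contacted.

```python
"""Hunt logic for the AsyncRAT sample described in this report.

Added example (not code from the sandbox, the report or AsyncRAT). It applies
rule-style checks to constructed, Sysmon-like event records: EID 1 process
creation, EID 3 network connection, EID 13 registry value set. The C2 host,
ports and SHA256 are the values extracted on the page; every command line,
file path, registry value name and lookup hostname in SAMPLE_EVENTS is assumed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# --- IOCs from the extracted config on this page ------------------------------
C2_HOST = "149.28.150.93"
C2_PORTS = {62940, 54956, 3299, 9203}
SAMPLE_SHA256 = "2c29e92bc8fe517a2f687eb0ac03bf711b74414cfa41998fb6d0b1f65929bca8"

# The report only says "a legitimate IP lookup service"; this list is assumed.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "ip-api.com",
                   "icanhazip.com", "checkip.dyndns.org"}

# net.exe adding an account to the local Administrators group (T1098)
NET_ADMIN_RE = re.compile(r"\blocalgroup\b.*\badministrators?\b.*/add\b", re.I)
# netsh allowing a program or switching a profile off (T1562.004)
NETSH_FW_RE = re.compile(
    r"\badvfirewall\b.*\badd rule\b|\badvfirewall\b.*\bstate off\b"
    r"|\bfirewall\b.*\badd (allowedprogram|portopening)\b", re.I)
# any value written under ...\CurrentVersion\Run or \RunOnce (T1547.001)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str      # ATT&CK ID; T1071 and T1016.001 are not in this report's matrix
    severity: str
    event_index: int


def check_event(i: int, ev: dict) -> Optional[Finding]:
    """Return the first matching finding for one event, or None."""
    eid = ev["id"]
    img = ev.get("image", "").lower()
    if eid == 1:
        cmd = ev.get("cmdline", "")
        if SAMPLE_SHA256 in ev.get("hashes", "").lower():
            return Finding("known_asyncrat_sample", "hash match", "high", i)
        if img.endswith(("\\net.exe", "\\net1.exe")) and NET_ADMIN_RE.search(cmd):
            return Finding("net_localgroup_admin_add", "T1098", "high", i)
        if img.endswith("\\netsh.exe") and NETSH_FW_RE.search(cmd):
            return Finding("netsh_firewall_modify", "T1562.004", "medium", i)
    elif eid == 3:
        if ev.get("dst_ip") == C2_HOST:
            if ev.get("dst_port") in C2_PORTS:
                return Finding("asyncrat_c2_connect", "T1071", "high", i)
            # Same box, but a port the config does not list: flag it, lower severity.
            return Finding("asyncrat_c2_host_other_port", "T1071", "medium", i)
        if ev.get("dst_host", "").lower() in IP_LOOKUP_HOSTS:
            return Finding("external_ip_lookup", "T1016.001", "low", i)
    elif eid == 13:
        if RUN_KEY_RE.search(ev.get("target", "")):
            return Finding("run_key_persistence", "T1547.001", "medium", i)
    return None


def hunt(events) -> list:
    """Run every event through check_event and keep the hits, in event order."""
    return [f for f in (check_event(i, e) for i, e in enumerate(events)) if f]


SAMPLE = r"C:\Users\victim\Desktop\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe"
# Constructed events; addresses other than the C2 use RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"id": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "hashes": "SHA256=" + SAMPLE_SHA256.upper()},
    {"id": 3, "image": SAMPLE, "dst_ip": "149.28.150.93", "dst_port": 62940},
    {"id": 1, "image": r"C:\Windows\System32\net.exe",                  # assumed
     "cmdline": "net localgroup administrators victim /add"},
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe",                # assumed
     "cmdline": 'netsh advfirewall firewall add rule name="svc" dir=in '
                'action=allow program="C:\\Users\\victim\\AppData\\Roaming\\svc.exe"'},
    {"id": 13, "image": SAMPLE,                                          # assumed
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"id": 3, "image": SAMPLE, "dst_host": "api.ipify.org",             # assumed
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe",              # benign
     "dst_host": "ctldl.windowsupdate.com", "dst_ip": "198.51.100.20", "dst_port": 80},
    {"id": 3, "image": r"C:\Users\victim\AppData\Roaming\svc.exe",      # unlisted port
     "dst_ip": "149.28.150.93", "dst_port": 443},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] event {f.event_index}: {f.rule} ({f.technique})")
```

Two caveats follow from the config itself. The install flag is false even though install_folder is %AppData%, so a detection keyed on a Run value pointing into %AppData% may miss this build; the rule above matches any value written under Run or RunOnce instead. The mutex DefaultMutex is a generic string, and Sysmon does not log mutex creation, so it is left out here and should only be used alongside the network and hash indicators.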

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • Command and Scripting Interpreter (T1059): 1

Persistence
  • Account Manipulation (T1098): 1
  • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Impair Defenses (T1562): 1
      • Disable or Modify System Firewall (T1562.004): 1
  • Modify Registry (T1112): 1

Discovery
  • Process Discovery (T1057): 1
  • System Information Discovery (T1082): 2

Collection
  • Data from Local System (T1005): 1

Tasks