General

  • Target

    39b4ae6d2b2e1e78ca2810e11220f4ab6c286b4bdefc3f973f29d9f1e79e6697

  • Size

    265KB

  • Sample

    240606-1jkqgscd3s

  • MD5

    63bd35baa3a20f242dfa666427468475

  • SHA1

    0c3761668cc64e0c20b21b33a9a27cae295f0859

  • SHA256

    39b4ae6d2b2e1e78ca2810e11220f4ab6c286b4bdefc3f973f29d9f1e79e6697

  • SHA512

    f24d35a9f045947e0e2d2422c49116288bfc5b574abb5e22dc2de0244c39bb158b8237f52dbf538ca608be8028284df85883edeb94eba535f0f89a9088945508

  • SSDEEP

    3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/sB:WFzDqa86hV6uRRqX1evPlwAEB

Malware Config

Targets

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects executables containing artifacts associated with disabling Windows Defender

    • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

    • Detects file containing reversed ASEP Autorun registry keys

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 3

Tasks