General

  • Target: Leakcloud.fun_Link_Skipper.zip
  • Size: 3.7MB
  • Sample: 240611-w5cvjswgne
  • MD5: 139b57ad667d4e50c91b09f5c98a5517
  • SHA1: 23ba0adcf907d49fdf060a3729995fe67cdc4b94
  • SHA256: acc9169e89e48e648199c06809072a6802b3a49300721b885228c669b9777240
  • SHA512: 47798fd026eb4256b7021a53c938a511f6d8608021ed90df5e9eac80f42bb36c2167f52d81c9b54f4c91cd596b364e881b702712740051abd5e5c13a8d98f447
  • SSDEEP: 49152:uwPnmfJ4BaqTVtJf9DzZQCc9AbJucD3PAxGf6Sfl5y5FRW1JSY1CJ7t6+dK7DCMz:JvAebt9fOGfDlsJx6aGDQD+PXHwK

Malware Config

Extracted

  • Family: asyncrat
  • Version: true
  • Botnet: Link Skipper B
  • Mutex: RRAT_6SI8OkPnk

Attributes
  • delay: 3
  • install: false
  • install_file: powershell Add-MpPreference -ExclusionPath C:\
  • install_folder: Explorer.exe
  • pastebin_config: http://pastebin.com/raw/KKpnJShN

aes.plain

Targets

    • Target: Leakcloud.fun_Link_Skipper.zip
    • Size: 3.7MB
    • MD5: 139b57ad667d4e50c91b09f5c98a5517
    • SHA1: 23ba0adcf907d49fdf060a3729995fe67cdc4b94
    • SHA256: acc9169e89e48e648199c06809072a6802b3a49300721b885228c669b9777240
    • SHA512: 47798fd026eb4256b7021a53c938a511f6d8608021ed90df5e9eac80f42bb36c2167f52d81c9b54f4c91cd596b364e881b702712740051abd5e5c13a8d98f447
    • SSDEEP: 49152:uwPnmfJ4BaqTVtJf9DzZQCc9AbJucD3PAxGf6Sfl5y5FRW1JSY1CJ7t6+dK7DCMz:JvAebt9fOGfDlsJx6aGDQD+PXHwK
    Score: 1/10

    • Target: Ionic.Zip.Reduced.dll
    • Size: 247KB
    • MD5: 7c359500407dd393a276010ab778d5af
    • SHA1: 4d63d669b73acaca3fc62ec263589acaaea91c0b
    • SHA256: a4009288982e4c30d22b544167f72db882e34f0fda7d4061b2c02c84688c0ed1
    • SHA512: 88a25138d0a491e5ee27499206e05b8c501da0c73ad2b3e23d70e810a09bfc1b701817de7f22c9f0b9f81f90235fe5eeadd112773035a11f01706eac364b34bc
    • SSDEEP: 3072:nrI52ReHNdAFnfPPShREuMPb9YlVVRxpop2i0KKCXrXSbS4KcMy8ZZL5QlcSCSLw:yNdA+Myl7TpNiWCL4EycZb4
    Score: 1/10

    • Target: [Leakcloud.fun] Link Skipper.exe
    • Size: 523.0MB
    • MD5: b928c8e9fbdea0d3d904df7a09955640
    • SHA1: 3caec7a61590a0287d2c350da8439cf977f3ab7a
    • SHA256: 1f1407140a7a550335d170429646438cef0d37ec51a6378ac08c132e9e7d8420
    • SHA512: 7627815855b32eec15e358246f2764b517790afb7bdac6ada17ec3184c96397248f1ce1150d3efe54f779f0e290bb2d03b6124a6c6df2dd2c7cfadc0138a627a
    • SSDEEP: 49152:XJED040Mm05vldXLyY4huQNuZo+rGlYnqRK7xPNH6Yjs1hm0zydRtmSH07JS44iE:XCX5soNvqRK7dqSdzmy4JMdaP67

    • AsyncRat
      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.
    • Async RAT payload
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Executes dropped EXE
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                           ID         Count
  Execution             Command and Scripting Interpreter   T1059      1
  Execution             PowerShell                          T1059.001  1
  Execution             Scheduled Task/Job                  T1053      1
  Persistence           Scheduled Task/Job                  T1053      1
  Privilege Escalation  Scheduled Task/Job                  T1053      1
  Discovery             Query Registry                      T1012      2
  Discovery             System Information Discovery        T1082      3
  Command and Control   Web Service                         T1102      1

Tasks