General

  • Target

    DisableWinDefender-main.zip

  • Size

    1.6MB

  • Sample

    240623-bnb7gaxeql

  • MD5

    6b937fdb70fb65ee51e5f1dc19c6dc8a

  • SHA1

    a91b7def79b3425d1d0ec8555ad463237537e392

  • SHA256

    4222aeb120db93448bf5dfe1356523951c95f14ea038ac1076973d8997c7e0eb

  • SHA512

    cd10d5698e7c8cab2fe967c20c2d4192620eedda64549892130d13620984b29e81c2aa078e7fc6e29178680dfea28f0d2163d95fb954ff50291286a2e2bde5f2

  • SSDEEP

    24576:hHQzyImz3rzA80r8y10zLf6gvS82rt2JzgbltJPRaXDbfDKafuwAQ/MemrYrf/4:hHQGIkzA80r83LV7ebltJP4bPEb

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    0.5.7B

  • Botnet

    Default

  • C2

    lazuraa.ddns.net:888

  • Mutex

    AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    Runtime Broker.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      DisableWinDefender-main/DisableWinDerfender.exe

    • Size

      1.6MB

    • MD5

      56bb3b4f841eaf71d47b1afd9a1c2dd4

    • SHA1

      e75579243d48d43bc945ccd7032022ba015df0fd

    • SHA256

      0e5949c7742e2ea76adfce592a40a11bf0c80837ebbfd978424ab2eab59e19ac

    • SHA512

      a7125443c57f54584646e0e99069c92a312b3f5285e8acbee4c64a0efc604298b3c8d67e5cecd33ee4df7301152b831708ce57fa54ee51e47f9646348e44d7b3

    • SSDEEP

      24576:B0ro3iSgD3TxIIQrQgZ0pjfuy32MmVd233gBxhJ/RQXRbPXoer8QAYlM+m/YXf:SroySuxIIQrQPjNrmBxhJ/Ybji

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 1

  • PowerShell (T1059.001): 1

Discovery

  • System Information Discovery (T1082): 1

Tasks