General

  • Target

    61d83cd9dcb9599726ac8a7237854537.bin

  • Size

    522KB

  • Sample

    240623-cf82xavhjd

  • MD5

    70c0663948580ee7db444f752c57e1c8

  • SHA1

    bfc2d5bb7da450dd3d3289174bb191c62c2f7d4a

  • SHA256

    24a006bc41d2080dd8c5c582ca2e3994a29147b6e14a02c47ea870720dc9e844

  • SHA512

    dbf90f885523ae6607ba1b36f6c68056c591cc720b58987cbe2a6aa3b4c4b72cb3fbc9670b13c8a97a027c80543b95252475db0abf95a488add9b820fe654d60

  • SSDEEP

    12288:KUmQUSYCnXbDjS+cz6+2Zut0zuWJMIGcihkx5R/pd:DUlCXb/S+cz6+t0jJMIGwRd

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

zaragoza.ddns.net:5480

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    fwqoouQWEGr.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      d862de550b07302770f3b05b441c57c75dff0425fe41b7981ecff7386049e24b.exe

    • Size

      700KB

    • MD5

      61d83cd9dcb9599726ac8a7237854537

    • SHA1

      962d76027061ed0e1fc13df2235f2d17a441b591

    • SHA256

      d862de550b07302770f3b05b441c57c75dff0425fe41b7981ecff7386049e24b

    • SHA512

      381c34cac16f20293c9c74a802043d2f6b231e2556a0af2e56f86ce94ffa4abb1a10ad51a1bb8a5de69e71aad5c551a95735e153296beb946b7cdac4fe092bd5

    • SSDEEP

      12288:ceSB3+wgWlty8g1DI+VZG1SWSRezMRFLrdcdMANPKKvkR:ceSZgWl8X1DIgG1lSPRLWMANpq

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks