Resubmissions

  • 25-06-2024 00:41  240625-a1q1qa1bqa  score 10
  • 25-06-2024 00:33  240625-awg71szhpc  score 10

General

  • Target

    RobloxPlayerInstaller (5).exe

  • Size

    176KB

  • Sample

    240625-a1q1qa1bqa

  • MD5

    b0c9e6677fecf10fc3f0ce262a1ad331

  • SHA1

    d45c158a7685f37b0aa862c7fa898ec9cedf02c3

  • SHA256

    bfe077d8ac72747c71c4983541bfb6b776799512b375eed68821f2e39bd175a7

  • SHA512

    d0f53afcfdaf5732a135b2f86de15bf10a400432d65203529f326976415f0d0ab42b63b062037217dfafa456a367d043a16db67a82f8798adaf492f6d659d2ed

  • SSDEEP

    3072:MRq9GPmn8jbK55fWgQoq/FfmDo7VHkkkkkkkkkkkkkkkkkakkRkkAjiAL+dU6VD6:voPA8jbEl5idPxHkkkkkkkkkkkkkkkkT

Malware Config

Extracted

  • Family
    asyncrat

  • Version
    1.0.7

  • Botnet
    Default

  • C2
    127.0.0.1:80
    127.0.0.1:21434
    mcdonaldsincorp-21434.portmap.host:80
    mcdonaldsincorp-21434.portmap.host:21434

  • Mutex
    DcRatMutex_qwqdanchun

Attributes
  • delay
    1

  • install
    true

  • install_file
    RobloxPlayerBeta.exe

  • install_folder
    %AppData%

  • aes.plain

Reading the config: the two 127.0.0.1 entries cannot be reached from a victim and have no value as network indicators; the actionable indicator is the mcdonaldsincorp-21434.portmap.host hostname (an endpoint rented from a port-forwarding service) on ports 80 and 21434, so block or alert on the hostname rather than on whatever IP it resolves to today. The mutex is the default shipped with DcRat, an AsyncRAT fork, which is why the sample is classified under the asyncrat family. With install set to true the client copies itself to %AppData%\RobloxPlayerBeta.exe, a name chosen to pass as the Roblox client alongside the RobloxPlayerInstaller lure filename, so hunt for that installed path, not for the original installer name. delay is the wait before the client starts, in seconds.

Targets

    • Target

      RobloxPlayerInstaller (5).exe (176KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Async RAT payload

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                          Count  ID
Execution             Command and Scripting Interpreter  1      T1059
Execution             Scheduled Task/Job                 1      T1053
Execution               Scheduled Task                   1      T1053.005
Persistence           Event Triggered Execution          1      T1546
Persistence             Netsh Helper DLL                 1      T1546.007
Persistence           Scheduled Task/Job                 1      T1053
Persistence             Scheduled Task                   1      T1053.005
Privilege Escalation  Event Triggered Execution          1      T1546
Privilege Escalation    Netsh Helper DLL                 1      T1546.007
Privilege Escalation  Scheduled Task/Job                 1      T1053
Privilege Escalation    Scheduled Task                   1      T1053.005
Discovery             System Information Discovery       4      T1082
Discovery             Query Registry                     3      T1012

Indented rows are sub-techniques of the row above them, and a technique that belongs to several tactics is listed under each of them, so the same scheduled-task observation appears as T1053 and T1053.005 under Execution, Persistence and Privilege Escalation; the counts are not independent hits.
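Added example, not part of this sandbox report: a Python triage helper that turns the extracted config above into host and network indicators (dropping the loopback C2 entries, flagging the port-forwarding hostname, expanding the install path) and then checks those indicators against a few constructed Sysmon-style events of the kind the Scheduled Task (T1053.005) row in the matrix would be backed by. The config values are copied from this report; the victim profile path in ENV, the TUNNEL_SUFFIXES list, the schtasks command line and all event records are assumptions constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

# Values copied from the "Malware Config" section of this report.
CONFIG = {
    "c2": [
        "127.0.0.1:80",
        "127.0.0.1:21434",
        "mcdonaldsincorp-21434.portmap.host:80",
        "mcdonaldsincorp-21434.portmap.host:21434",
    ],
    "mutex": "DcRatMutex_qwqdanchun",
    "install": True,
    "install_file": "RobloxPlayerBeta.exe",
    "install_folder": "%AppData%",
}

# Assumption: a victim profile used to expand %AppData% (not from the report).
ENV = {"APPDATA": r"C:\Users\victim\AppData\Roaming"}

# Assumption: hostname suffixes of port-forwarding services that lend an
# attacker a public name for a machine behind NAT.
TUNNEL_SUFFIXES = (".portmap.host",)


def classify_c2(entry: str) -> Dict[str, object]:
    """Split 'host:port' and classify the host as loopback, tunnel or other."""
    host, _, port = entry.rpartition(":")
    kind = "other"
    if host == "localhost" or host.startswith("127."):
        kind = "loopback"   # never reachable from a victim; no IOC value
    elif host.lower().endswith(TUNNEL_SUFFIXES):
        kind = "tunnel"     # rented hostname; alert on the name, not the IP
    return {"host": host.lower(), "port": int(port), "kind": kind}


def network_iocs(cfg: dict) -> Dict[str, object]:
    """Routable C2 hosts and ports, with loopback entries dropped."""
    routable = [c for c in map(classify_c2, cfg["c2"]) if c["kind"] != "loopback"]
    return {
        "hosts": sorted({c["host"] for c in routable}),
        "ports": sorted({c["port"] for c in routable}),
        "tunnelled": any(c["kind"] == "tunnel" for c in routable),
    }


def expand_windows_path(folder: str, filename: str, env: Dict[str, str]) -> str:
    """Expand %VAR% tokens case-insensitively and append the file name."""
    root = re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)),
                  folder).rstrip("\\")
    return root + "\\" + filename


def host_iocs(cfg: dict, env: Dict[str, str]) -> Dict[str, object]:
    """Where the installed copy lands (None if install is off) and its mutex."""
    path = None
    if cfg["install"]:
        path = expand_windows_path(cfg["install_folder"], cfg["install_file"], env)
    return {"install_path": path, "mutex": cfg["mutex"]}


# Constructed Sysmon-style events for the demo (not taken from the report's
# task log); the last event is benign noise and must not match.
SAMPLE_EVENTS = [
    {"type": "FileCreate",
     "target": r"C:\Users\victim\AppData\Roaming\RobloxPlayerBeta.exe"},
    {"type": "ProcessCreate",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc onlogon /tn "RobloxPlayerBeta" '
                r'/tr "C:\Users\victim\AppData\Roaming\RobloxPlayerBeta.exe"'},
    {"type": "DnsQuery", "query": "mcdonaldsincorp-21434.portmap.host"},
    {"type": "ProcessCreate", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]


def detect(events: List[dict], cfg: dict, env: Dict[str, str]) -> List[Tuple[int, str]]:
    """Return (event index, rule) for every event that matches a derived IOC."""
    host, net = host_iocs(cfg, env), network_iocs(cfg)
    install_lc = (host["install_path"] or "").lower()
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "FileCreate" and install_lc and ev["target"].lower() == install_lc:
            hits.append((i, "install_drop"))      # self-copy written to install path
        elif ev["type"] == "ProcessCreate":
            cmd = ev.get("cmdline", "").lower()
            if (ev["image"].lower().endswith("\\schtasks.exe")
                    and "/create" in cmd and install_lc and install_lc in cmd):
                hits.append((i, "T1053.005"))     # scheduled task pointing at the copy
        elif ev["type"] == "DnsQuery" and ev["query"].lower() in net["hosts"]:
            hits.append((i, "c2_dns"))            # lookup of a routable C2 host
    return hits


if __name__ == "__main__":
    print(network_iocs(CONFIG))
    print(host_iocs(CONFIG, ENV))
    for hit in detect(SAMPLE_EVENTS, CONFIG, ENV):
        print(hit)
```

The loopback filter matters in practice: feeding 127.0.0.1 into a blocklist or a network rule is at best noise and at worst a self-inflicted outage, so the helper keeps only the routable host and its two ports. The schtasks rule keys on the expanded install path rather than the task name, because the name is a free choice of the operator while the path is fixed by the config.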

Tasks