Overview

overview

10

Static

static

10

Infected.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Infected.exe

  • Size

    63KB

  • Sample

    240626-b76kesxdpe

  • MD5

    8406bf53e6f2457c5fffb895943b04c1

  • SHA1

    c496e3ab44710259f5d9a5153d4471c2cfc6184f

  • SHA256

    a55c7ed8b626f509f1db86fb6be1823a6bdf54b47c73a348cfe70c36e8b45d82

  • SHA512

    77e81537492c79e62ef92d199f8db61b43f15d3c192472a908f798f10e480434eb14f96e850dc5d4302311bd28895fe862078e0f357ef06d5880e8e1f2d730d5

  • SSDEEP

    768:jnuguX1wbgyX78dIC8A+XkuazcBRL5JTk1+T4KSBGHmDbD/ph0oXXOP+5Y/9rWS3:rvCCPTDdSJYUbdh9em5Y/7uEdpqKmY7

Score
10/10
asyncratstealeriumdefaultcollectionexecutionpersistenceprivilege_escalationratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

147.185.221.20:36797

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Infected.exe

    • Size

      63KB

    • MD5

      8406bf53e6f2457c5fffb895943b04c1

    • SHA1

      c496e3ab44710259f5d9a5153d4471c2cfc6184f

    • SHA256

      a55c7ed8b626f509f1db86fb6be1823a6bdf54b47c73a348cfe70c36e8b45d82

    • SHA512

      77e81537492c79e62ef92d199f8db61b43f15d3c192472a908f798f10e480434eb14f96e850dc5d4302311bd28895fe862078e0f357ef06d5880e8e1f2d730d5

    • SSDEEP

      768:jnuguX1wbgyX78dIC8A+XkuazcBRL5JTk1+T4KSBGHmDbD/ph0oXXOP+5Y/9rWS3:rvCCPTDdSJYUbdh9em5Y/7uEdpqKmY7

    Score
    10/10
    asyncratstealeriumdefaultcollectionexecutionpersistenceprivilege_escalationratspywarestealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks