Overview

overview

10

Static

static

10

Infected.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Infected.exe

  • Size

    63KB

  • Sample

    240627-xel6zaxbpn

  • MD5

    c38ad68d1e9dd737deae1e0bcc1f1d0d

  • SHA1

    98093374e89a28bf56e620ed2d7487af307bd0c1

  • SHA256

    b8e339416fee9d765edf4bdf4c80b2435842cb7af093e55d5d341f6293b797df

  • SHA512

    bc92a0588440f82c2b6cfde89352dc1368e013c3ec2d4ae526b7e44173d4d33cc969df3f58f9fb980e875c3591889f76ca5dcc65089dd56f1dafaffbbc245b26

  • SSDEEP

    768:Qv0M2UM/978aQC8A+XjlazcBRL5JTk1+T4KSBGHmDbD/ph0oX6E6kaq+MCSu0dph:b1/k/dSJYUbdh9lh+M1u0dpqKmY7

Score
10/10
asyncratstealeriumdefaultcollectionpersistenceprivilege_escalationransomwareratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

during-goto.gl.at.ply.gg:45478

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Infected.exe

    • Size

      63KB

    • MD5

      c38ad68d1e9dd737deae1e0bcc1f1d0d

    • SHA1

      98093374e89a28bf56e620ed2d7487af307bd0c1

    • SHA256

      b8e339416fee9d765edf4bdf4c80b2435842cb7af093e55d5d341f6293b797df

    • SHA512

      bc92a0588440f82c2b6cfde89352dc1368e013c3ec2d4ae526b7e44173d4d33cc969df3f58f9fb980e875c3591889f76ca5dcc65089dd56f1dafaffbbc245b26

    • SSDEEP

      768:Qv0M2UM/978aQC8A+XjlazcBRL5JTk1+T4KSBGHmDbD/ph0oX6E6kaq+MCSu0dph:b1/k/dSJYUbdh9lh+M1u0dpqKmY7

    Score
    10/10
    asyncratstealeriumdefaultcollectionpersistenceprivilege_escalationransomwareratspywarestealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Renames multiple (3152) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Account Manipulation

1
T1098

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Tasks