General

  • Target

    Evo Resou_nls..scr.exe

  • Size

    362KB

  • Sample

    240629-3mn87ashlk

  • MD5

    46019f266084534e1c19c1204e62a618

  • SHA1

    a5bbe2c21328c1f6e4f6498e2f1f30743b5883e9

  • SHA256

    27d5e1f8e49a537ecbd834bf1fa4ed193cba9401cedcc85232b82ef0aaf1b217

  • SHA512

    e936bbdb21ca49a5bed8e088bd53f5faffd3cdd6df1b1179f0fe3830e3cc46d591f4f5b4f5e2ba96559ec042ba72efc6b63f1b406c469831664e14c6efdbb8e3

  • SSDEEP

    6144:GBx7iw0qvLJXnlUGujCtjno6itQl+REw6FMG/UHQS8PUHIRA8yVYtFmCaxHU0bM:GTkqjVnl36ud0zR/6CtQ9PUHIG8Dn

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

T

C2

20.199.8.16:1726

Mutex

31FGTEWnaxDE

Attributes

  • delay

    3

  • install

    false

  • install_file

    SeacrhIndexer

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Y

C2

20.199.8.16:1726

Mutex

eYLuHMmPZK7A

Attributes

  • delay

    3

  • install

    false

  • install_file

    SeacrhIndexer

  • install_folder

    %AppData%

aes.plain

Targets

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • UAC bypass

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15