General
Target: Ultima Multihack.bin.zip
Size: 425KB
Sample: 240707-yd4v3azarh
MD5: 35d49dd9f44b48c0be4294ed2c0a099d
SHA1: 55fbd21855fe4d5dd64629cab71d8f5bc7477c80
SHA256: cc455bd025ec70ac81041ad079477468e60ed9d590a26cd34b0589dff77a9f67
SHA512: a4408e6fc93e537ec90820f5c3c5f8350fdd7b228041ab7db949e19ee33d783d83659640843036b3140fc00d244cdf0c6d4cce005abade2cd32cb8b90bd8f5d4
SSDEEP: 12288:jWgYrB0+QTmsZnyE+TtHm8PDCNODL2/Bv5xwlRFzSKtB+csT:jWTezpZyE+lrCNy8xxmFN+csT
Malware Config
Extracted: asyncrat
Version: 0.5.8
Botnet: Default
C2:
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  jvjv2044duck33.duckdns.org:6606
  jvjv2044duck33.duckdns.org:7707
  jvjv2044duck33.duckdns.org:8808
  (The 127.0.0.1 entries and the 6606/7707/8808 port set are the AsyncRAT builder defaults left in place; the only routable C2 is the duckdns.org name.)
Mutex: TnUTbczVlRq1
Attributes:
  delay: 3
  install: true
  install_file: WindowsUpdate.exe
  install_folder: %AppData%
Extracted: darkcomet
Botnet: Guest16
C2:
  jvjv2044duck33.duckdns.org:1604
  (Guest16 is DarkComet's default campaign ID and 1604 its default port; the host is the same dynamic-DNS name the AsyncRAT config uses, so both payloads report to one operator.)
Mutex: DC_MUTEX-JTZJH1U
Attributes:
  InstallPath: MSDCSC\msdcs.exe
  gencode: BHXZ4Uil0pNa
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: WindowsTemp
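As an added example (not part of the sandbox report), the script below re-types the two extracted configs as literals and normalises them into one deduplicated IOC set, separating the builder's loopback placeholder hosts from the real C2 so they never land in a blocklist. The field labels (botnet, mutex, c2) follow the report layout; nothing beyond the values printed above is assumed.

```python
"""Turn the AsyncRAT and DarkComet configs extracted above into a deduplicated
IOC set, separating the builder's loopback placeholder hosts from the real C2."""
import ipaddress
from dataclasses import dataclass, field

# The two configs as they appear in the report, re-typed as Python literals.
EXTRACTED = {
    "asyncrat": {
        "version": "0.5.8",
        "botnet": "Default",
        "c2": [
            "127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808",
            "jvjv2044duck33.duckdns.org:6606",
            "jvjv2044duck33.duckdns.org:7707",
            "jvjv2044duck33.duckdns.org:8808",
        ],
        "mutex": "TnUTbczVlRq1",
        "install_file": "WindowsUpdate.exe",
        "install_folder": "%AppData%",
    },
    "darkcomet": {
        "botnet": "Guest16",
        "c2": ["jvjv2044duck33.duckdns.org:1604"],
        "mutex": "DC_MUTEX-JTZJH1U",
        "InstallPath": "MSDCSC\\msdcs.exe",
        "reg_key": "WindowsTemp",
    },
}


@dataclass
class Iocs:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    endpoints: set = field(default_factory=set)     # (host, port, family)
    mutexes: set = field(default_factory=set)
    placeholders: set = field(default_factory=set)  # hosts dropped as non-routable


def split_endpoint(endpoint):
    """'host:port' -> (host, int port); rpartition keeps IPv6-style hosts intact."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def is_placeholder(host):
    """Loopback/unspecified addresses and 'localhost' are left-over builder
    defaults, not infrastructure; they must not be blocked or hunted for."""
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False          # a hostname: keep it
    return addr.is_loopback or addr.is_unspecified


def build_iocs(configs):
    iocs = Iocs()
    for family, cfg in configs.items():
        for endpoint in cfg.get("c2", []):
            host, port = split_endpoint(endpoint)
            if is_placeholder(host):
                iocs.placeholders.add(host)
                continue
            try:
                ipaddress.ip_address(host)
                iocs.ips.add(host)
            except ValueError:
                host = host.lower()
                iocs.domains.add(host)
            iocs.endpoints.add((host, port, family))
        if cfg.get("mutex"):
            iocs.mutexes.add(cfg["mutex"])
    return iocs


def ports_for(iocs, host):
    """All ports the sample contacts on one host, across both families."""
    return sorted({p for h, p, _ in iocs.endpoints if h == host})


if __name__ == "__main__":
    result = build_iocs(EXTRACTED)
    print("C2 domains:", sorted(result.domains))
    print("ignored placeholders:", sorted(result.placeholders))
    for host, port, family in sorted(result.endpoints):
        print("  %s:%d (%s)" % (host, port, family))
    print("mutexes:", sorted(result.mutexes))
```

Running it yields a single domain with four ports (1604, 6606, 7707, 8808) and two mutexes; the three 127.0.0.1 endpoints are reported separately as placeholders rather than silently discarded, so an analyst can see that the builder defaults were never changed.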
Targets
Target: Ultima Multihack.bin.zip
Size: 425KB
Signatures
- Async RAT payload
- Downloads MZ/PE file
- Modifies Windows Firewall
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
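The Run-key, Winlogon and firewall signatures above are the ones a detection engineer would most want as rules. The following is an added example, not code from the report or the sandbox vendor: three checks run over constructed Sysmon-style registry (event 13) and process-create (event 1) records. The paths, SID, user name and command lines are invented to mirror the install_file/install_folder and InstallPath values in the config; the Sysmon field names are the standard ones, and nothing else is assumed.

```python
"""Detection checks for three behaviours the report flags on this sample
(Run-key persistence into %AppData%, Winlogon tampering, firewall changes),
run over constructed Sysmon-style events."""
import re

# Sysmon event IDs used below: 1 = process create, 13 = registry value set.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.I)
WINLOGON_VALUE = re.compile(r"\\Winlogon\\(Userinit|Shell)$", re.I)
FIREWALL_CMD = re.compile(
    r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\b(set\s+\w+\s+state\s+off|firewall\s+add\s+rule)\b",
    re.I)
# Stock values; anything appended or substituted is a logon-time persistence hook.
WINLOGON_DEFAULTS = {"userinit": r"c:\windows\system32\userinit.exe,",
                     "shell": "explorer.exe"}


def check_run_key(ev):
    """Run/RunOnce value whose data points into a user-writable directory."""
    if ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]) \
            and USER_WRITABLE.search(ev["Details"]):
        return "Run key -> user-writable path: " + ev["Details"]
    return None


def check_winlogon(ev):
    """Winlogon Userinit/Shell set to anything but the stock value."""
    if ev["EventID"] != 13:
        return None
    m = WINLOGON_VALUE.search(ev["TargetObject"])
    if not m:
        return None
    if ev["Details"].strip().lower() != WINLOGON_DEFAULTS[m.group(1).lower()]:
        return "Winlogon %s changed to: %s" % (m.group(1), ev["Details"])
    return None


def check_firewall(ev):
    """netsh used to disable a profile or add an allow rule."""
    if ev["EventID"] == 1 and FIREWALL_CMD.search(ev.get("CommandLine", "")):
        return "firewall modified: " + ev["CommandLine"]
    return None


RULES = [check_run_key, check_winlogon, check_firewall]


def scan(events):
    """Return (image, rule name, message) for every event a rule matches."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev["Image"], rule.__name__, msg))
    return hits


# Constructed events; the SID, user name and command lines are invented.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\WindowsUpdate.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\victim\AppData\Roaming\WindowsUpdate.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\MSDCSC\msdcs.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\MSDCSC\msdcs.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="WindowsUpdate" dir=in action=allow program="C:\Users\victim\AppData\Roaming\WindowsUpdate.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface show interface"},
]

if __name__ == "__main__":
    for image, rule, msg in scan(EVENTS):
        print("[%s] %s: %s" % (rule, image, msg))
```

Of the six constructed events, exactly three fire: the Run value pointing into %AppData%, the Userinit value with a second executable appended, and the netsh allow rule. The benign Run value under system32, the stock Shell value and the netsh query do not. The Winlogon check compares against the stock values, so on fleets with a legitimately customised shell the defaults table needs extending, and the Run-key check deliberately keys on path location rather than file name because the dropper's WindowsUpdate.exe name is chosen to look legitimate.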
MITRE ATT&CK Matrix (ATT&CK v13)
Numbers in parentheses are the report's per-technique hit counts.

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Pre-OS Boot (1)
    Bootkit (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  File and Directory Permissions Modification (1)
  Modify Registry (3)
  Pre-OS Boot (1)
    Bootkit (1)