Overview

overview

10

Static

static

3

sdcheck/Se...er.exe

windows11-21h2-x64

10

sdcheck/module.exe

windows11-21h2-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SeedsChecker.zip

  • Size

    66.6MB

  • Sample

    240727-smwm6avgjm

  • MD5

    e7bbd4219802c7424bbdf900399df6f7

  • SHA1

    d409c40deb9e2e16dea1ed186a1ead69c5872ecc

  • SHA256

    dc4aa0cfe4379b2ae5a8d10a81f7d04f45a8060765dad726a19ec0b2e881c7c9

  • SHA512

    687fdd77ddd3e4e534539863e07ad6890aac148b7c6dba9ae1b00977feb6fe04d6ad63c08482ac1ac9487599d67e64e9af9789bac32b7842a06a9372abed5cbe

  • SSDEEP

    1572864:L/RrcztdZ+FfuKEXCZwopRNmkF4S7Lsnv/QROejRRywF:L/RrcJdwGSZpRQVSvsvqZNF

Score
10/10
asyncratxmrigdefaultcredential_accessevasionexecutionminerpersistenceratspywarestealerupx

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

C2

80.79.7.197:6606

80.79.7.197:7707

80.79.7.197:8808

80.79.7.197:8888
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    Runtime.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      sdcheck/SeedsChecker.exe

    • Size

      10.5MB

    • MD5

      5f7e0d25b165b9afcc3e6ca2bb135a47

    • SHA1

      72cbc2583a2dd5078a0edb83b153f38fb5ddb085

    • SHA256

      b94bb64c9f1e39f900c095b2034d3302a2a1cfeca08096ac71ecd24b5a25c61d

    • SHA512

      fd87ba28b3cd39b7938eba27d95588cacb51dd3e46c5f79282f3a2693e78387c1032b58b1186eae052a4d33680863c609588888dff46a3fb2542860eda4329fc

    • SSDEEP

      196608:BVE0qzgg7MlG6g4kpQbjHqsQLTJeriQAu8VAbC7EzpIjtoTSam0nuYaf:BV5qz7J6gKbjq1d4iFuE+CQzpI2+l0nu

    Score
    10/10
    asyncratxmrigdefaultcredential_accessevasionexecutionminerpersistenceratspywarestealerupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Async RAT payload

      rat

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Drops file in Drivers directory

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      sdcheck/module.exe

    • Size

      40.1MB

    • MD5

      926853fdfffb1a4645f22bb5b7e10d71

    • SHA1

      8cfddabdd2d38175a51cd228b0a25ea0cec6f043

    • SHA256

      bde124a6ff61b44ca4313c5860535cb2b49693e602eee6746b3af7dec5623c17

    • SHA512

      64cbc3f1dc1a1c6f36df0277c1d96da2f5d3c1265149e425f9d6063015d78e96c4b604aeb6e6734a01140ec5bf4d925d1c4c2130f43f1f9e5ab432583c4630e8

    • SSDEEP

      786432:yFNHjOvEt1KXZfKXZhu14yyGifQARGMbExzZAZktBbNgx:yFNDQEaiq184A8YE5yYy

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Power Settings

1
T1653

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks