Overview

overview

10

Static

static

3

Windows-Se...er.exe

windows7-x64

1

Windows-Se...er.exe

windows10-2004-x64

10

Windows-Se...47.dll

windows10-2004-x64

3

Windows-Se...eg.dll

windows7-x64

3

Windows-Se...eg.dll

windows10-2004-x64

3

Windows-Se...GL.dll

windows7-x64

3

Windows-Se...GL.dll

windows10-2004-x64

3

Windows-Se...v2.dll

windows7-x64

3

Windows-Se...v2.dll

windows10-2004-x64

3

Windows-Se...af.ps1

windows7-x64

3

Windows-Se...af.ps1

windows10-2004-x64

3

Windows-Se...uk.ps1

windows7-x64

3

Windows-Se...uk.ps1

windows10-2004-x64

3

Windows-Se...er.dll

windows7-x64

3

Windows-Se...er.dll

windows10-2004-x64

3

Windows-Se...-1.dll

windows7-x64

3

Windows-Se...-1.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    47d50292c872e9d105ccf18c2bbe6d5cbd517f82d4f74b7c7907eea84b53b9dc

  • Size

    64.2MB

  • Sample

    240728-z8y4qszcla

  • MD5

    25b7fc874179c2b3e4bc8f4bdc6e503e

  • SHA1

    afeffee1b1f664697da01d7188a00aacf0b89f30

  • SHA256

    47d50292c872e9d105ccf18c2bbe6d5cbd517f82d4f74b7c7907eea84b53b9dc

  • SHA512

    0a368fab8c7f6a509c844b265f5809e59026626e90905257cdbda08ead4d1528610a8f3e7aab33aeb6a2dbdc2acae6315c901a4c9d7ce88e56c572dfa96574e6

  • SSDEEP

    1572864:jAdXIfww97sh9C6l3+5S0ltKtDVREkLX8cWAXS:jAhkDdshkwQc9LXR1i

Score
10/10
asyncrat12defense_evasiondiscoveryevasionexecutionrattrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

1

C2

20.82.141.111:6570

Mutex

mutex_boot-AsZzpYBmoad2u1S

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

2

C2

20.82.141.111:6576

Mutex

mutex_kernel-SLhrSjUhEXvqIIS

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Windows-Search.exe/SearchFilter.exe

    • Size

      132.0MB

    • MD5

      75b63c0f5dcee7c6000edcc705167207

    • SHA1

      598c078a840f152480065d95ffb99127b1ef6e08

    • SHA256

      59909bf0cc831cdb3553fa31eceeb8be207a65d2072da65fb6b38577770b036f

    • SHA512

      727d0be33710d2c9421dc5e2e4d39479f683f4aff650a7b419c13f429762609885fba43ff370bf23dc3c6e82cf74cf383c59bb58739a14ddfc0fafad07d430da

    • SSDEEP

      1572864:U4sMLl/BkZTVV2iplzf+ekzrMdTOG0AfhgojwlwVgmPQtn06H9rejAEdCoIZXCVK:Zl/BkVVPBDgmPKa5Wnu3X7

    Score
    10/10
    asyncrat12defense_evasiondiscoveryevasionexecutionrattrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • UAC bypass

      evasiontrojan

    • Async RAT payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

      defense_evasion

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral1behavioral2

    • Target

      Windows-Search.exe/d3dcompiler_47.dll

    • Size

      3.9MB

    • MD5

      3b4647bcb9feb591c2c05d1a606ed988

    • SHA1

      b42c59f96fb069fd49009dfd94550a7764e6c97c

    • SHA256

      35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7

    • SHA512

      00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50

    • SSDEEP

      49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd

    Score
    3/10
    discovery
    behavioral3

    • Target

      Windows-Search.exe/ffmpeg.dll

    • Size

      2.5MB

    • MD5

      1bb0e1140ef08440ad47d80b70dbf742

    • SHA1

      c2e4243bad76b465b5ab39865ac023db1632d6b0

    • SHA256

      c0d9edde3864d9450744f4bc526a98608b629aeed01c6647f600802e1b1cf671

    • SHA512

      29d71e3bd7df7014a03e26ca6ee5b59ff6e3d06096742fae5dec6282abd1f0d2f24c886a503e3a691d38cc68e0da504a7f657dcec4758b640a1a523d3eeaa57a

    • SSDEEP

      49152:YKM7YWN1tYNFKtJPP5f+8xH6UahvIxi9xrBYHZU7ewdCUQFdqQi9muA:YKM7YWNT2Kt9QoaUalEi9xqZ29dA

    Score
    3/10
    discovery
    behavioral4behavioral5

    • Target

      Windows-Search.exe/libEGL.dll

    • Size

      371KB

    • MD5

      e0a5d1a5d55dffb55513acb736cef1c1

    • SHA1

      307fc023790af5bf3d45678de985e8e9f34896f7

    • SHA256

      aa5da4005c76cfe5195b69282b2ad249d7dc2300bbc979592bd67315fc30c669

    • SHA512

      094e23869fd42c60f83e0f4d1a2cd1a29d2efd805ac02a01ce9700b8e7b0e39e52fe86503264a0298c85f0d02b38620f1e773f2ea981f3049aeba3104b04253f

    • SSDEEP

      6144:6FVfk760MmXXwvT3WpVgvpqwm9SPECshBZeD6EHh:267rjnpVgvpqwm93rIW

    Score
    3/10
    discovery
    behavioral6behavioral7

    • Target

      Windows-Search.exe/libGLESv2.dll

    • Size

      6.4MB

    • MD5

      44f7c21b6010048e0dcdc43d83ebd357

    • SHA1

      d0a4dfd8dbae1a8421c3043315d78ecd84502b16

    • SHA256

      f6259a9b9c284ee5916447dd9d0ba051c2908c9d3662d42d8bbe6ce6d65a37de

    • SHA512

      7e03538dd8e798d0e808a8fc6e149e83de9f8404e839900f6c9535da6aac8ef4d5c31044e547dde34dcece1255fab9a9255fa069a99fcb08e49785d812b3887c

    • SSDEEP

      98304:ZHYQkvdLN+UNQR14/hr5njmwSNDBVO0Bz7arD+0t1t0zA5Lgs2+A1tCw:itvwq/hr5jmwSVBJBz7arQA+sq1tC

    Score
    3/10
    discovery
    behavioral8behavioral9

    • Target

      Windows-Search.exe/locales/af.pak

    • Size

      368KB

    • MD5

      7e51349edc7e6aed122bfa00970fab80

    • SHA1

      eb6df68501ecce2090e1af5837b5f15ac3a775eb

    • SHA256

      f528e698b164283872f76df2233a47d7d41e1aba980ce39f6b078e577fd14c97

    • SHA512

      69da19053eb95eef7ab2a2d3f52ca765777bdf976e5862e8cebbaa1d1ce84a7743f50695a3e82a296b2f610475abb256844b6b9eb7a23a60b4a9fc4eae40346d

    • SSDEEP

      6144:ebGJWQdLX/Wi6fR9a5DhZ2FQPnUGSBhjA636Zi2Jyn9Ybt5KXpgmLwSVxJsVxSjf:6GJW2bOi6fRmZ2OPnUThjA636Zi2Jynd

    Score
    3/10
    execution
    behavioral10behavioral11

    • Target

      Windows-Search.exe/locales/uk.pak

    • Size

      688KB

    • MD5

      ee70e9f3557b9c8c67bfb8dfcb51384d

    • SHA1

      fc4dfc35cde1a00f97eefe5e0a2b9b9c0149751e

    • SHA256

      54324671a161f6d67c790bfd29349db2e2d21f5012dc97e891f8f5268bdf7e22

    • SHA512

      f4e1da71cb0485851e8ebcd5d5cf971961737ad238353453db938b4a82a68a6bbaf3de7553f0ff1f915a0e6640a3e54f5368d9154b0a4ad38e439f5808c05b9f

    • SSDEEP

      12288:wrccq9nty/KiDswU1nbx05kB3IjUUmEg5KuoLNiXElqnOyh:HGX35EEK

    Score
    3/10
    execution
    behavioral12behavioral13

    • Target

      Windows-Search.exe/vk_swiftshader.dll

    • Size

      4.5MB

    • MD5

      65a5705d95a0820740b3396851ff1751

    • SHA1

      a692a80bafc41ba1b29ef19890f8465b3fb20dcb

    • SHA256

      4c4b935cbb320033f504a89b1eb0a4bcb176bbd46a5981153cb1f54deb146a1c

    • SHA512

      0c5df23b96eaf952c4a498ff6d854df2b62e7631b16c2855ed37ddbadffba3dd52e7450f2e06cf094bec2e0d70d14c87a652150766d90ec8662e03123df5942d

    • SSDEEP

      98304:x2GmsucG1vUTM3SFhCrHglx7LQDCwchuW6ugI:cuuF4XhCGLQDCaI

    Score
    3/10
    discovery
    behavioral14behavioral15

    • Target

      Windows-Search.exe/vulkan-1.dll

    • Size

      786KB

    • MD5

      a947c5d8fec95a0f24b4143ced301209

    • SHA1

      ebf3089985377a58b8431a14e22a814857287aaf

    • SHA256

      29cb256921a1b0f222c82650469d534ccdf038d1f395b3aaa9f1086918f5d3fa

    • SHA512

      75f5e055f4422b5558fc1cb3ea84fb7cbeaae6f71c786cc06c295d4ab51c0b1c84e28a7c89fe544f007dbe8e612bed4059139f1575934fe4bac8e538c674ebd3

    • SSDEEP

      24576:cJObHhG7TEnCGlrpZpjL4TB46Z5WODYsHh6g3P0zAk722:c0c7TECgpZpju46Z5WODYsHh6g3P0zA+

    Score
    3/10
    discovery
    behavioral16behavioral17

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

3
T1564

Hidden Files and Directories

2
T1564.001

Hidden Window

1
T1564.003

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Process Discovery

1
T1057

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks