General

  • Target

    37d33a8697abfd1ce089273d6d527569a2644fabe6ca5eab520b29e86d75d362

  • Size

    267KB

  • Sample

    241012-x5lm5axdnd

  • MD5

    1a7ea31f87942c5f07fea28b6ec823aa

  • SHA1

    3804138c05a13719b0fd76e68e4c682782ce7f1e

  • SHA256

    37d33a8697abfd1ce089273d6d527569a2644fabe6ca5eab520b29e86d75d362

  • SHA512

    ff4a1664230aae9162824b256b4d52105f8024b95cd1e63ec6f294f141e2dee9c70ffe99b077f9f5e702eecca263adfe63c4d7813e88ce631df2aa20253e39c9

  • SSDEEP

    3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8sdN:WFzDqa86hV6uRRqX1evPlwAEdN
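Before trusting the extracted config below, confirm that the file you have in hand is the one this report analysed. The following is an added example, not part of the report: it hashes a file once for all four listed algorithms and names any digest that disagrees with the values under General (SSDEEP is left out because it needs a non-standard library). The digest values are copied from the report; the test bytes are constructed.

```python
"""Check that a file on disk is the sample this report describes, using the
digests listed under General. Added example, not part of the report."""
import hashlib

# Digest values copied from the "General" section of the report.
REPORT_DIGESTS = {
    "md5": "1a7ea31f87942c5f07fea28b6ec823aa",
    "sha1": "3804138c05a13719b0fd76e68e4c682782ce7f1e",
    "sha256": "37d33a8697abfd1ce089273d6d527569a2644fabe6ca5eab520b29e86d75d362",
    "sha512": "ff4a1664230aae9162824b256b4d52105f8024b95cd1e63ec6f294f141e2dee9c"
              "70ffe99b077f9f5e702eecca263adfe63c4d7813e88ce631df2aa20253e39c9",
}


def compute_digests(data):
    """Hash bytes (or an iterable of byte chunks) in one pass for every
    algorithm in REPORT_DIGESTS and return {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in REPORT_DIGESTS}
    chunks = [data] if isinstance(data, (bytes, bytearray)) else data
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def mismatches(data, expected=REPORT_DIGESTS):
    """Names of the digests that do not match `expected`.
    An empty list means the data is the reported sample; a single
    mismatching digest means either a different file or a typo in the report,
    since all four must agree for the same bytes."""
    actual = compute_digests(data)
    return [name for name, want in expected.items() if actual[name] != want.lower()]


def chunks_of(path, size=1 << 20):
    """Stream a file in 1 MiB chunks so large samples are not read into memory."""
    with open(path, "rb") as fh:
        while chunk := fh.read(size):
            yield chunk


if __name__ == "__main__":
    import sys
    bad = mismatches(chunks_of(sys.argv[1]))
    print("match: file is the reported sample" if not bad
          else "MISMATCH on " + ", ".join(bad))
```

Usage: `python verify_sample.py <path-to-file>`. Work on the file inside an isolated analysis environment; this script only reads it.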

Malware Config

Extracted

Family

asyncrat

Version

0.4.9G

C2

corporation.warzonedns.com:9341

Mutex

480-28105c055659

Attributes
  • delay

    0

  • install

    false

  • install_folder

    %AppData%

  • aes.plain

Targets

    • Target

      37d33a8697abfd1ce089273d6d527569a2644fabe6ca5eab520b29e86d75d362


    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-sight.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
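The extracted config (C2 host and port, mutex, install folder) and the behaviours listed above are what a responder turns into detection content. The following is an added example, not part of the report or of AsyncRAT: it converts the config into indicators and runs three checks over constructed Sysmon-style records (EventID 22 DNS query, 3 network connection, 13 registry value set). Only the config values are taken from the report; the log lines, host names, IP addresses, file name and the expansion of %AppData% to \AppData\Roaming\ are assumptions made for the example. Note that the config says install=false while the sandbox still observed a Run key being added, so the Run-key check is driven by the observed behaviour rather than by the config flag.

```python
"""Turn the report's AsyncRAT config and observed behaviours into a small log
scan. Added example; log records are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Values copied from the "Malware Config" section of the report.
ASYNCRAT_CONFIG = {
    "family": "asyncrat",
    "version": "0.4.9G",
    "c2": ["corporation.warzonedns.com:9341"],
    "mutex": "480-28105c055659",
    "install": False,
    "install_folder": "%AppData%",
}

# Assumption: %AppData% expands to <profile>\AppData\Roaming on Windows.
ENV_FRAGMENTS = {"%appdata%": "\\appdata\\roaming\\"}

# Constructed Sysmon-like records. EventID 22 = DNS query, 3 = network
# connection, 13 = registry value set. Paths, IPs and "payload.exe" are made up.
SAMPLE_LOG = """\
EventID=22 Image=C:\\Users\\bob\\AppData\\Roaming\\payload.exe QueryName=corporation.warzonedns.com QueryResults=203.0.113.10
EventID=3 Image=C:\\Users\\bob\\AppData\\Roaming\\payload.exe DestinationIp=203.0.113.10 DestinationPort=9341
EventID=13 Image=C:\\Users\\bob\\AppData\\Roaming\\payload.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\payload Details=C:\\Users\\bob\\AppData\\Roaming\\payload.exe
EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationIp=198.51.100.5 DestinationPort=443
EventID=22 Image=C:\\Windows\\System32\\svchost.exe QueryName=update.example.com QueryResults=198.51.100.7
EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=198.51.100.7 DestinationPort=9341
"""


@dataclass(frozen=True)
class Hit:
    rule: str
    indicator: str
    line_no: int


def iocs_from_config(cfg):
    """Indicators from the config that can be matched in host/network telemetry."""
    hosts, ports = set(), set()
    for entry in cfg["c2"]:
        host, _, port = entry.rpartition(":")
        hosts.add(host.lower())
        ports.add(port)
    folder = cfg["install_folder"].lower()
    return {
        "c2_hosts": hosts,
        "c2_ports": ports,
        "mutex": cfg["mutex"],
        "install_fragment": ENV_FRAGMENTS.get(folder, folder),
    }


# key=value tokens; a value runs until the next " key=" so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_record(line):
    return dict(FIELD_RE.findall(line))


def scan(log_text, cfg=ASYNCRAT_CONFIG):
    """Return Hits for C2 DNS lookups, C2 connections and Run keys into the
    install folder. Connections are only flagged when the destination IP was
    resolved from the C2 host (or the host name is present): port 9341 alone
    on an unrelated IP is noise, as the last constructed record shows."""
    iocs = iocs_from_config(cfg)
    resolved = {}  # ip -> C2 host, filled from DNS answers seen earlier
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_record(line)
        eid = rec.get("EventID")
        if eid == "22":
            qname = rec.get("QueryName", "").lower()
            if qname in iocs["c2_hosts"]:
                hits.append(Hit("dns_query_c2", qname, n))
                for ip in rec.get("QueryResults", "").split(";"):
                    if ip.strip():
                        resolved[ip.strip()] = qname
        elif eid == "3":
            ip, port = rec.get("DestinationIp"), rec.get("DestinationPort")
            host = rec.get("DestinationHostname", "").lower()
            if host in iocs["c2_hosts"] or (ip in resolved and port in iocs["c2_ports"]):
                hits.append(Hit("connect_c2", f"{resolved.get(ip, host)}:{port}", n))
        elif eid == "13":
            target = rec.get("TargetObject", "").lower()
            details = rec.get("Details", "").lower()
            if "\\currentversion\\run\\" in target and iocs["install_fragment"] in details:
                hits.append(Hit("run_key_to_install_folder", rec.get("TargetObject", ""), n))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.rule} -> {hit.indicator}")
```

The mutex is returned with the other indicators but not matched here, because Sysmon does not record mutex creation; it is useful for sandbox or EDR telemetry that does.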

MITRE ATT&CK Enterprise v15

Tasks