Overview

overview

10

Static

static

10

Infected.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Infected.exe

  • Size

    63KB

  • Sample

    241013-e7q2hszaqh

  • MD5

    2638e93d166163469df80c1e42cc59b6

  • SHA1

    0c79fb51c844377a39dde19f8709abe856cd7556

  • SHA256

    03b8046bd2c7d454a8a38da06f6138389b7c8b3af47036b6c79fab88adae0cda

  • SHA512

    fdedffccb03173003ae18cbc623edf83eef682932d6aa195d85e9fd413ab241ad3df10804870b14ac28d909d0ec9f25ba7b9b800778251776c9697136d1987b0

  • SSDEEP

    768:0k/9PXn1w787gC8A+XvqazcBRL5JTk1+T4KSBGHmDbD/ph0oXfPItl0lTYwNSu4V:BR1gMdSJYUbdh9IP0lTmu4dpqKmY7

Score
10/10
asyncratdefaultdiscoveryevasionratspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

Pizd11337-26540.portmap.host:26540

Attributes
  • delay

    1

  • install

    true

  • install_file

    svhost.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Infected.exe

    • Size

      63KB

    • MD5

      2638e93d166163469df80c1e42cc59b6

    • SHA1

      0c79fb51c844377a39dde19f8709abe856cd7556

    • SHA256

      03b8046bd2c7d454a8a38da06f6138389b7c8b3af47036b6c79fab88adae0cda

    • SHA512

      fdedffccb03173003ae18cbc623edf83eef682932d6aa195d85e9fd413ab241ad3df10804870b14ac28d909d0ec9f25ba7b9b800778251776c9697136d1987b0

    • SSDEEP

      768:0k/9PXn1w787gC8A+XvqazcBRL5JTk1+T4KSBGHmDbD/ph0oXfPItl0lTYwNSu4V:BR1gMdSJYUbdh9IP0lTmu4dpqKmY7

    Score
    10/10
    asyncratdefaultdiscoveryevasionratspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Async RAT payload

      rat

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Enumerates processes with tasklist

      discovery
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Network Service Discovery

1
T1046

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Process Discovery

1
T1057

Query Registry

2
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks