General

  • Target

    NOTIFICACION_DE_DEMANDA#231020241709000000.uu

  • Size

    4KB

  • Sample

    241024-svjnka1cka

  • MD5

    f7cb6479dec54c3907bbd3d80d95b50d

  • SHA1

    128d531233e1e9e6326c87fe86d465ada070e5b9

  • SHA256

    ac9b91fe056ac0a7bd3a0a93ded223b6a50e6fa6bec10b56ad5d5df731c2de0b

  • SHA512

    310637484733767af24df44fa115734afa94d5b49c610710064c080887cc56fc2054e724ff19402925b127ef25c3c927d1a8d17eed3607b780edf151d22cf531

  • SSDEEP

    96:mD79tRp/pquH3pr6z6C7zd5ezyFJVOB6FPAZK6epvVVjmZE:yZbG+priHd5a8PVB5e2

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    • ps1.dropper

      https://pastebin.com/raw/Adv9gBHa

    • exe.dropper

      https://pastebin.com/raw/Adv9gBHa


Extracted

  • Family

    asyncrat

  • Version

    1.0.7

  • Botnet

    octubre22

  • C2

    manuelmorenomanuel1234.duckdns.org:2024

  • Mutex

    DcRatMutex_qwqdanchun

  • Attributes

    • delay

      1

    • install

      false

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      NOTIFICACION_DE_DEMANDA#231020241709000000.uu


    Score
    10/10
    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      NOTIFICACION_DE_DEMANDA#231020241709000000.vbs

    • Size

      8.9MB

    • MD5

      6872587aacd35fad8bcc50d46cac9bec

    • SHA1

      d9e606614a14ac0f368ef9e19ef043bc9e9bc76e

    • SHA256

      7eb65f78fd002384dc1cf76a0dc4a8b15514f179b300d1612b791728261dc483

    • SHA512

      75e4438043bd4832be8b47a174132cc7c49ebfc92780435d3212b6838339a4ae2c023ba6d9ce104696bdb300279f0609c93d793c1a707b950a83bff53841df56

    • SSDEEP

      96:c6G7Meyds/iYNRTz3vnqA04QrELzz+djbCb+huFlvxh39grdhh:bxjYNRTz3vq12+RKxh39Ohh

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks