General

  • Target

    Lana_Rhoades_Photoos.zip

  • Size

    1.9MB

  • Sample

    241028-cc635svnar

  • MD5

    aaac1d8a5866626d21a15cc8473abdbc

  • SHA1

    4558b9b274de81bf5662d51741b552a09b9b5f98

  • SHA256

    6453d1e7bccbd170145d8565525fffd2f9d6f824dadbb91bc3d40e85ac75eca2

  • SHA512

    c6a73ace2f4c51c29971a575509bea56ac5b01432acc99e218197e64ce88765d7d3944080a3c114a570b3ed8efe0040368bc64b7a028704a9267434aa93744f3

  • SSDEEP

    49152:L3xaSpB8fn07tugzUlQFPglLM9kdnZFeHNsnWPZyp/7:L3UWB8v05UvlA9kJZFetJhW/7

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    ps1.dropper

    https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

    exe.dropper

    https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

asyncrat

Version

1.0.7

Botnet

CEZER

C2

148.113.165.11:3236

Mutex

eqwe2131ewqeqwe

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Lana_Rhoades_Photoos.zip

    • Size

      1.9MB

    • MD5

      aaac1d8a5866626d21a15cc8473abdbc

    • SHA1

      4558b9b274de81bf5662d51741b552a09b9b5f98

    • SHA256

      6453d1e7bccbd170145d8565525fffd2f9d6f824dadbb91bc3d40e85ac75eca2

    • SHA512

      c6a73ace2f4c51c29971a575509bea56ac5b01432acc99e218197e64ce88765d7d3944080a3c114a570b3ed8efe0040368bc64b7a028704a9267434aa93744f3

    • SSDEEP

      49152:L3xaSpB8fn07tugzUlQFPglLM9kdnZFeHNsnWPZyp/7:L3UWB8v05UvlA9kJZFetJhW/7

    Score
    1/10
    • Target

      '''

    • Size

      2.0MB

    • MD5

      60b42e43178ad0ed1484e4afef56e740

    • SHA1

      45d484903388cd149f9e2e5afbfe247c90a00031

    • SHA256

      ed0cc4ec1b8de4c0e315f3caa855892f7ace7cccd3b8e98c7589316ef9fd1972

    • SHA512

      1d397050fe7969993404ee0313ee071ec6a5bd316a40210c72404600057b9a7cca2c78302d28e9f576a42c74ddfec37856b7188c7dd64d173afce043d9b2bc7f

    • SSDEEP

      49152:4VAbwcf0qplQ9rQ7JC+zQlQTLw9Lqb4tBr9mPrIdq1AT2v:0Aa+lQp85Q59mb47r9mDLm2v

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      Lana_Rhoades_Photoos.js

    • Size

      548KB

    • MD5

      ae498935d8a61b3008bd9393a2306dec

    • SHA1

      b1858655d705e14c01cec8d008c3f3db0a09807b

    • SHA256

      401f183d5553d4f01ff3a4df33524f39faa6138f40afb570300ae41ca31efc08

    • SHA512

      8d9830e5ff3f09099ac1e1af2a585cad2a2ad287b75117741d5f940dc2dd934e7046d17881c93b0398917d1f42a9208ab17bede62a594b1a12997d2bba660a8b

    • SSDEEP

      3072:0F8F8F8F8F8F8F8F8F8F8F8F8F8FjFoFoFoFoFoFoFoFoFoFoFoFoFoFoFoFoFod:X7HlvYPobr777lvrFI

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
