General
Target: munchenlatest.zip
Size: 8.8MB
Sample: 241028-wqm2zavdpn
MD5: 8a426208fc37e756dffd738ecb77b305
SHA1: d06b79e9fb69d443da7d1ffe8dbf2c6992e64c4b
SHA256: 7b97c5e022c4225bfc79606d9dcc30c0d8b9bac4a8fcbd60a2236cf1db0305d9
SHA512: 6caa2f63c0341fa91f9bc142071b022f46b5b4d084b57419066b02b8fd535478fbb16528dfc4354ef510e027cbe6aa7f3b10738a0c0482db3df1cab404b97d9b
SSDEEP: 196608:EQuDY9mHqfFqhwz7koW/qrerJaJyHCrg4Kd0HDFQz2nkVONDsNIy:EZDYwHLyPkV2eV6yyOAeQkVImF
Tasks
Static task: static1
Behavioral task: behavioral1 (sample munchenlatest.zip, resource win10ltsc2021-20241023-en)
Behavioral task: behavioral2 (sample munchenlatest.zip, resource win11-20241007-en)
Malware Config
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: Guppies
C2: 198.98.58.93:999
Mutex: SYSTEMSPOOF
Attributes:
- delay: 1
- install: true
- install_file: Core Sound Service.exe
- install_folder: %AppData%
With install set to true, the RAT copies itself to the install folder under the install file name, so the on-disk artifact to hunt for is %AppData%\Core Sound Service.exe and the network indicator is outbound TCP to 198.98.58.93 on port 999.
Targets
Target: munchenlatest.zip
Size: 8.8MB
MD5: 8a426208fc37e756dffd738ecb77b305
SHA1: d06b79e9fb69d443da7d1ffe8dbf2c6992e64c4b
SHA256: 7b97c5e022c4225bfc79606d9dcc30c0d8b9bac4a8fcbd60a2236cf1db0305d9
SHA512: 6caa2f63c0341fa91f9bc142071b022f46b5b4d084b57419066b02b8fd535478fbb16528dfc4354ef510e027cbe6aa7f3b10738a0c0482db3df1cab404b97d9b
SSDEEP: 196608:EQuDY9mHqfFqhwz7koW/qrerJaJyHCrg4Kd0HDFQz2nkVONDsNIy:EZDYwHLyPkV2eV6yyOAeQkVImF
Signatures
- Asyncrat family
- Async RAT payload
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence check.
- Clipboard Data. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files. Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation. Adversaries may obfuscate content during command execution to impede detection.
- Enumerates processes with tasklist
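The PowerShell and command-obfuscation signatures above are the ones most worth turning into a log-based detection. The following is an added example, not code from the report, the sandbox, or the sample: it scans constructed command-line/script-block strings, decodes -EncodedCommand payloads, undoes two cheap obfuscation tricks (string concatenation and backtick-split names), and flags Add-MpPreference/Set-MpPreference calls that add exclusions. The sample lines are made up for the example; the exclusion values in them echo the install path and file name from the extracted config but are not taken from the sandbox's own logs.

```python
"""Flag PowerShell commands that add Windows Defender exclusions.

Added example for this report, not code from the sandbox or the sample.
Input lines are shaped like Sysmon/4688 CommandLine fields or PowerShell
4104 ScriptBlockText; the sample lines below are constructed.
"""
import base64
import re
from typing import Optional

# -EncodedCommand may be abbreviated (-e, -ec, -enc, ...); the payload is
# base64 of the UTF-16LE script text. Parameters such as -ExclusionPath or
# -ExecutionPolicy do not match because no whitespace follows the "-e".
ENCODED_FLAG = re.compile(
    r"(?<![\w-])[-/]e(?:c|nc[a-z]*)?\s+[\"']?([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
# Cmdlets that write Defender preferences, and the parameters that add exclusions.
EXCLUSION_CMDLET = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_PARAM = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.IGNORECASE)


def decode_encoded_command(line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_FLAG.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalize(script: str) -> str:
    """Undo cheap obfuscation so cmdlet and parameter names match again.

    Joins concatenated string fragments ('Add-Mp'+'Preference') and removes
    backticks (Add-Mp`Preference). The backtick strip is coarse: it also
    turns `n into n, which does not matter for matching names.
    """
    script = re.sub(r"""['"]\s*\+\s*['"]""", "", script)
    return script.replace("`", "")


def find_exclusion_tampering(line: str) -> Optional[dict]:
    """Inspect one log line; return a finding dict or None."""
    decoded = decode_encoded_command(line)
    script = normalize(decoded if decoded is not None else line)
    cmdlet = EXCLUSION_CMDLET.search(script)
    params = sorted({p.group(0).lower() for p in EXCLUSION_PARAM.finditer(script)})
    # Both a writing cmdlet and an exclusion parameter are required: reading
    # preferences or changing a scan schedule is not exclusion tampering.
    if not cmdlet or not params:
        return None
    return {"cmdlet": cmdlet.group(0), "params": params,
            "encoded": decoded is not None, "script": script}


def scan(lines):
    """Return findings for every line that tampers with exclusions."""
    return [f for f in (find_exclusion_tampering(l) for l in lines) if f]


# Constructed sample lines (not from the report). The encoded line is built
# here so its base64 really is UTF-16LE of ENCODED_SCRIPT.
ENCODED_SCRIPT = "Add-MpPreference -ExclusionPath $env:APPDATA -ExclusionExtension exe"
SAMPLE_LINES = [
    'powershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference '
    "-ExclusionPath 'C:\\Users\\user\\AppData\\Roaming' "
    "-ExclusionExtension .exe -ExclusionProcess 'Core Sound Service.exe'\"",
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(ENCODED_SCRIPT.encode("utf-16-le")).decode(),
    "powershell.exe -c \"& ('Add-Mp'+'Pref'+'erence') -Exclusion`Path $env:APPDATA\"",
    "powershell.exe -Command Get-MpPreference | Select-Object ExclusionPath",
    "powershell.exe -Command Set-MpPreference -ScanScheduleDay Everyday",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding["cmdlet"], finding["params"], "encoded" if finding["encoded"] else "plain")
```

Only the first three constructed lines produce findings; the Get-MpPreference read and the schedule change do not. Script-block logging (event 4104) already records the decoded text for -EncodedCommand, so the decoder matters mostly for process-creation command lines (Sysmon event 1, Security 4688). The normalizer covers only the two tricks shown; heavier obfuscation is better caught from the script block PowerShell logs at execution.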
MITRE ATT&CK Enterprise v15 (technique hit counts in parentheses)
Execution
  Command and Scripting Interpreter (3)
    PowerShell (2)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (1)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)