General

  • Target

    XBinderOutput.exe

  • Size

    85KB

  • Sample

    241028-ym2gaswbpg

  • MD5

    92d502cd0adf7ed26317f11a5b4ad760

  • SHA1

    09b70d4087a9196eb842acb566f72cfd08825eeb

  • SHA256

    abf0b9462cbb32034ef3f62ad470290ec43407085eb691ac3f61498dab7fd36c

  • SHA512

    d905b7ecf04ef0594eb9e5c26c71a512c8bd17705ea1c3854169100d6bffc2a42f457ff4c0d12f2deea311fa20b62dff4cf828b583a1201e5bb178fbae5c430c

  • SSDEEP

    1536:lMhlS6nzjc1fI7//fUciArlGhxuDuKSGpnb5qUV0Iqwfl3vcRd:l64gzY1fY//eh0Xb5uIqwN0

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Test

C2

5.tcp.eu.ngrok.io:19854

Mutex

DcRatMutex_adlzxvdama

Attributes

  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks