General

  • Target

    1+N0TlFlCAClON+DEMANDA+LAB0RAI++PR0CES0+JUDlCIAL.zip

  • Size

    14.5MB

  • Sample

    241029-xjbk2aybpq

  • MD5

    46c08f23d145acd9d17897536f3d7101

  • SHA1

    a9a7d627872ebf529d6c0387e0d5a9167a85d4d4

  • SHA256

    009ff5894bb6d647dad69c00dfca4136f22fd094b18ed1692f7a662de2d49ae4

  • SHA512

    89ff8ba753fb08c2785c5caf58e30cbc9be69ef0e4ae5b1ef9c04f4a1b4a06189619b181cdc643006c886bc6532b60bebc50661936f1c66f87d9af86e23ed844

  • SSDEEP

    393216:CoNqRRnCfgo0gKwFDMvgYE9X+f8FhIVSDyVbCFfLVQtHw6t7Nk2:CoNyoD0g1pjrS8PPyVb4RQtHw6FN9

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

C2

losquenopasan.kozow.com:8000

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      1 N0TlFlCAClON DEMANDA LAB0RAI PR0CES0 JUDlCIAL/2 DEMANDA LAB0RAI.exe

    • Size

      3.1MB

    • MD5

      b841d408448f2a07f308ced1589e7673

    • SHA1

      f5b5095c0ed69d42110df6d39810d12b1fa32a1e

    • SHA256

      69a90665113bd73b30360d87f7f6ed2c789a90a67f3b6e86474e21273a64f699

    • SHA512

      a689734048109ab7bec9491bbb7781686c19c7885166b3ca2975e2f49e956fcc388cd8ca85a4e5a8bf9efe6056f1e0d80197b7f521d4f0d4cadb10ba9ef1fa93

    • SSDEEP

      49152:pvFg5qg9BtIAHE3SM4ahx6LK2SamuZob+tCjNrv8:Jm5qGBHBLRKuZfkjNrv8

    • AsyncRat

      AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Suspicious use of SetThreadContext

    • Target

      1 N0TlFlCAClON DEMANDA LAB0RAI PR0CES0 JUDlCIAL/2 winrar-x64-701.exe

    • Size

      3.7MB

    • MD5

      3a2f16a044d8f6d2f9443dff6bd1c7d4

    • SHA1

      48c6c0450af803b72a0caa7d5e3863c3f0240ef1

    • SHA256

      31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

    • SHA512

      61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

    • SSDEEP

      98304:yNdBfKEHyrVcQky3zy1BK1X4Jg+opzZorSeksMURg0l5OOf:ky+GzkezMs1I5oDot8UeEt

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      1 N0TlFlCAClON DEMANDA LAB0RAI PR0CES0 JUDlCIAL/7z2408-x64 (1).exe

    • Size

      1.5MB

    • MD5

      0330d0bd7341a9afe5b6d161b1ff4aa1

    • SHA1

      86918e72f2e43c9c664c246e62b41452d662fbf3

    • SHA256

      67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

    • SHA512

      850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

    • SSDEEP

      24576:UEBmEo1y9fcw5K42KmEDaMYAhr08oSG4OdWrfjcaHSNXJdx7wE9iko6qzLJmYYUP:UEvoo24xV2JJdPwMJ3x75z5q0jc/3

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      1 N0TlFlCAClON DEMANDA LAB0RAI PR0CES0 JUDlCIAL/ChromeSetup (1).exe

    • Size

      9.7MB

    • MD5

      f108cf203b1b733b72b9719a77c9543e

    • SHA1

      ac0ab58d704e03dcae4143a5dd98e954dfa6db7c

    • SHA256

      966357c221b85adfca54f4e27934dd578b2e8594d0517cea246792b81842f84b

    • SHA512

      cab0b906279d98582ba860e03164073fe21275cd3b7f39d080a7aa07e7d041ea0199ad53a9106d9577f2437ae2254533aa9e7bea1f3ff041ac6f9ecd3c4f15c8

    • SSDEEP

      196608:zIC0KQrG/rJP2sX52l/0qPX1UjN4vcLYcp/E4oR94c5tK0UVDuC0wtIFC7Jzbl3:z3bQrcX5a/0qdUjN4vWZp/a9Z540UVDP

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      1 N0TlFlCAClON DEMANDA LAB0RAI PR0CES0 JUDlCIAL/Firefox Installer (2).exe

    • Size

      364KB

    • MD5

      606cdf447699ced43d6a1e13ba6fc99c

    • SHA1

      6f35f4f73951aa892d049cbea81f0af73621a233

    • SHA256

      16da8fc3f94ba86b09d53e6a9548b2267c71bde325f3a226128986e70b527d6c

    • SHA512

      78f744945b8e36950d7234d05191ec79f58217a906f0147a058a0a040354416c6c0a4ae2d3243ad1f33877f3337b16dae244cd9bdb47b2cd2a2051f1f86dc815

    • SSDEEP

      6144:maVWdyzOxeA1DfdwX3MmIO/MU4AZbfLGdHR8fLaznnWobRlKnz3EfIXnVXL:mMROxdDfOnMmX/MUlbDI8feLWobRlKn5

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      1 N0TlFlCAClON DEMANDA LAB0RAI PR0CES0 JUDlCIAL/OperaSetup (1).exe

    • Size

      2.1MB

    • MD5

      e511f2a781ca6fbfb08a830922dcedf2

    • SHA1

      7b6567645a5c7059e8f7922df61b45e4c4621d5c

    • SHA256

      d3cbfe2cb2970e44a121e55f788307c060dd699fbd6f366577ad05c951778696

    • SHA512

      753ee0e3e37ce45df92583e9613e04ce4152018706430b6ed71ead7f7a8361fd57ac95edad39ace0afc57ea8e5c46daa122dde7171e8fca837605449c50d0b1d

    • SSDEEP

      49152:dVAbwHReN1zJi6s9MkjkoCnpjcUl9kFMHDIT0Ku:7A6ReNC6s9pQp9cI9A+IgV

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      1 N0TlFlCAClON DEMANDA LAB0RAI PR0CES0 JUDlCIAL/madHcNet32.dll

    • Size

      921KB

    • MD5

      d22b9da713ab36102c9c3d812af8c12d

    • SHA1

      371fdbf6ae6a9a2e5c0560fc94eba3290028a252

    • SHA256

      95b538b47e02d0ad2bd15d47efc18695d5e379ef61568b81ef405773d9c199bb

    • SHA512

      e5ae51f79403358af60bb3ea663251badac57414813f5537d763b0b95504a393fb2d34c94c4b7328ec13f58e74a7147d3a72e63e62973c4c5d80671be1c8face

    • SSDEEP

      24576:TlUbWq3/gquYUJ4Vgv0eUnDaE0efxfXT95:pUR4quYUJ4VgceXE0gxfjv


    Score
    3/10

    • Target

      1 N0TlFlCAClON DEMANDA LAB0RAI PR0CES0 JUDlCIAL/mvrSettings32.dll

    • Size

      1.0MB

    • MD5

      d168f18b79f9f33690f011d1deb1e7cf

    • SHA1

      cf0d984ce101ec274e65e88fae07daeb26de5a6d

    • SHA256

      b7d3bc460a17e1b43c9ff09786e44ea4033710538bdb539400b55e5b80d0b338

    • SHA512

      bbf085bcbc3c1c98caba95bdf48051bac18bbd1b7314c7bb55b56e3d423fb34758cc239c237091486cc466123bf02844eaac3b4435cb535af25dc2bca625af71

    • SSDEEP

      12288:1wsE8YWuTCipwKm3ZCdX+y0Cg57ZrVmK5UhYX5NN/u3ZeEb+LJkguVl1Y1e:XIWuFKKVuig5jZ5xX5P2bKyguJf


    Score
    3/10

    • Target

      1 N0TlFlCAClON DEMANDA LAB0RAI PR0CES0 JUDlCIAL/unrar.dll

    • Size

      304KB

    • MD5

      51865d714d444e677aa12adc8a399562

    • SHA1

      25530deaaff17369664eb69a0f1ef0d70ee14f0f

    • SHA256

      b7e2213b88952fec525517007e21273b515e38edd029e2672adc51c2927a0ba5

    • SHA512

      17b07c7d31fc166dc06e418103b0c9c0a4c67b153347658c279f91b5d36fa92a50c1074f120fd3bedef5ac3bc38f00586401ac68830d052ed35afe80cc70dea8

    • SSDEEP

      6144:qB6wDaKov/5qrawOZI8uN0f/UVvN3MwdZAmiVQL+O6j:qBNo35qrawqmG/yM86mim+Ou


    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
5/10

behavioral1

asyncrat, default, discovery, rat
Score
10/10

behavioral2

asyncrat, default, discovery, rat
Score
10/10

behavioral3

discovery, persistence, privilege_escalation
Score
5/10

behavioral4

Score
1/10

behavioral5

discovery, persistence, privilege_escalation
Score
7/10

behavioral6

discovery, persistence, privilege_escalation
Score
7/10

behavioral7

discovery, evasion, persistence, privilege_escalation, spyware, stealer, trojan
Score
6/10

behavioral8

discovery, upx
Score
5/10

behavioral9

discovery, spyware, stealer, upx
Score
5/10

behavioral10

discovery
Score
7/10

behavioral11

discovery, spyware, stealer
Score
8/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

discovery
Score
3/10