Resubmissions

  • 30-10-2024 14:31

    241030-rvq7zawaln 10

  • 30-10-2024 14:23

    241030-rp9r5avhnl 10

General

  • Target

    8fb2ad76f9758f71a1156843d01cca52.rar

  • Size

    7KB

  • Sample

    241030-rp9r5avhnl

  • MD5

    8fb2ad76f9758f71a1156843d01cca52

  • SHA1

    c9bb2bb9c0404a0dc5a9e0a4684b34567d3bbee3

  • SHA256

    49bcb8e836ba3123aabf9bac83ad69146333cc4d34ca440e6a4f3b6436dee08f

  • SHA512

    4f22ab8a3b595398c4700f5feedd31f23672d86149e03d4a77b05c90c89d1b55cbbb803b5fa96f915108ed8ed7d23e7ba21a482150c84367cf7f001bf0a46fe2

  • SSDEEP

    192:hXQ5WpdkLYKvdtXpxBoepqPgXJuIdvjw81i:dh4DXrpjtdvFA

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

    exe.dropper: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

zzzzDefaultIT

C2

deadpoolstart2030.duckdns.org:6090

Mutex

CookieWin

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      DOCUMENTO_SISTEMA_REQUERIMIENTO_DIAN_PROCESO_DE_EMBARGO_REVISION_INMEDIATA_ad8098904901470147f818615891658168ca7555f5757728471229_pdf.vbs

    • Size

      68KB

    • MD5

      722ef0f62d5f0d96f0f63888e0d8ae39

    • SHA1

      0afc5ebc973e07bc01682922e5972dbfead09691

    • SHA256

      b2bea3384dc24126675379eb1473946f2927a10d8eff6730bc024716ef0f6864

    • SHA512

      9e614dbf3ea73992903a5a93884733ce4346e9108a78fba4f0ded8200cfd0fc33a929cebf2a1236163e63e6e33ac0b0daf8af8e881bb125f9cd57986db5454b2

    • SSDEEP

      1536:bUJW4Wrle/PhG+/kery+bGNccc3gt5pzaUGwm:jS7rgt5pnGwm

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks