Resubmissions

31-10-2024 15:26

241031-st7c8sskek 10

31-10-2024 15:08

241031-sht9jasjek 10

General

  • Target

    c51c3a96a3996b15509ad31cc4134630.UU

  • Size

    7KB

  • Sample

    241031-st7c8sskek

  • MD5

    c51c3a96a3996b15509ad31cc4134630

  • SHA1

    dedfcebf031eebf287e8aef913d1df060fa24664

  • SHA256

    0f891dda9a78f5f13f64c36c85b931bbc9bcdd2ca0085a66a917b8cbed5547c0

  • SHA512

    72738e81defc1e9359d5d74e1f4597b8cbf69688574e698206006ccbec62daec2f35e8de050e8dc3eec583a29bfcae0f223cd216611e4792305c5ca779fd93d5

  • SSDEEP

    192:TUd314ruXwtSzFsE8Y3dvq6/NVghu+mkTVAh0:Ad3GCwtTE8Y3FmukL

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://pastebin.com/raw/J6uRjZrv

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Octubre

C2

dcrat2011.duckdns.org:2011

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Ad090512515541511555,PDF.vbs

    • Size

      14.3MB

    • MD5

      5565dd9e27b8d9d3f2c22656193a6a1c

    • SHA1

      f41e89954e0dab2bd7139d5b89a2f80060487a17

    • SHA256

      ec3753896e7a796986bdb9533cfb19481dd02e454fafad31c3c0f026da895afd

    • SHA512

      966ad4fd2fcdcd1bd701a22a391db1ca8beb2af7309cbd49bdf0608b880bbfce3c03f83e9a9342af656d69fe1830526a4118491f83b927a6b34550a96e636f78

    • SSDEEP

      1536:lyyyyyyyyyyyyyyyyyyyyyyyryyyyyyyyyyyyyyyyyyyyyyycyyyyyyyyyyyyyyD:2Z5b

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks