General

  • Target

    RNSM00391.7z

  • Size

    6.1MB

  • Sample

    241101-22ykqsvle1

  • MD5

    8f04796eea62aca1a7dc0e43262fc523

  • SHA1

    9ca40256af4e4029f17724064afb1feed92f34b0

  • SHA256

    e03df762bb062c44aa98d703fb59acf42d886e1b29e7ca0e0300a0f9280ed64a

  • SHA512

    a8c35efa3e0f4fbd8369cb39c013a312d9cb153f2efbc04b3a789dbe874af0dc0a0427ef83c804a6a51f03e16aca8bbcc9fbced8c3273e05e5b2e8751ae8b8ec

  • SSDEEP

    196608:RjmLAqn+1/rnxINzohV3TuAzCS+Ulb39yQH0D5Ac2:gcO+Z8zohV3iKnVIS0D5W

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SEPT G11

C2

chongmei33.publicvm.com:49746

chongmei33.publicvm.com:2703

185.165.153.116:49746

185.165.153.116:2703

54.37.36.116:49746

54.37.36.116:2703

185.244.30.92:49746

185.244.30.92:2703

dongreg202020.duckdns.org:49746

dongreg202020.duckdns.org:2703

178.33.222.241:49746

178.33.222.241:2703

rahim321.duckdns.org:49746

rahim321.duckdns.org:2703

79.134.225.92:49746

79.134.225.92:2703

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    svchost.exe

  • install_folder

    %AppData%

  • aes.plain
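The extracted configuration above is directly usable for detection: the C2 hosts and ports, the mutex name and the install path are all host- or network-observable. The following Python is an added example, not part of the sandbox report or of any vendor's tooling. The IOC values are copied from the config on this page; the telemetry records, the severity labels and the expansion of `%AppData%` to the default `<profile>\AppData\Roaming` are constructed for illustration.

```python
"""Match host/network telemetry against the AsyncRAT config extracted above.

Added example, not part of the sandbox report. The IOC values below are
copied from the extracted config on this page; the telemetry records are
constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Values taken verbatim from the extracted AsyncRAT config.
C2_HOSTS = {
    "chongmei33.publicvm.com", "185.165.153.116", "54.37.36.116",
    "185.244.30.92", "dongreg202020.duckdns.org", "178.33.222.241",
    "rahim321.duckdns.org", "79.134.225.92",
}
C2_PORTS = {49746, 2703}
MUTEX = "AsyncMutex_6SI8OkPnk"


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


C2_IPS = {h for h in C2_HOSTS if _is_ip(h)}
C2_DOMAINS = {h.lower() for h in C2_HOSTS if not _is_ip(h)}

# install_folder %AppData% + install_file svchost.exe; %AppData% is assumed
# to expand to its default <profile>\AppData\Roaming.
INSTALL_RE = re.compile(r"\\AppData\\Roaming\\svchost\.exe$", re.IGNORECASE)

# Constructed sample telemetry: "<kind> <host> key=value ...", one record per line.
TELEMETRY = """\
dns   host1 query=chongmei33.publicvm.com answer=185.165.153.116
conn  host1 dst=185.165.153.116 dport=49746 proto=tcp
conn  host1 dst=8.8.8.8 dport=53 proto=udp
conn  host2 dst=54.37.36.116 dport=443 proto=tcp
mutex host2 name=AsyncMutex_6SI8OkPnk
file  host3 path=C:\\Users\\bob\\AppData\\Roaming\\svchost.exe action=create
dns   host3 query=update.microsoft.com answer=13.107.4.50
"""


def parse_record(line):
    """Split one telemetry line into (kind, host, {field: value})."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[2:])
    return parts[0], parts[1], fields


def classify(kind, fields):
    """Return (severity, reason) if the record matches the config, else None."""
    if kind == "dns":
        if fields.get("query", "").lower() in C2_DOMAINS:
            return "high", f"DNS query for C2 domain {fields['query']}"
        if fields.get("answer") in C2_IPS:
            return "high", f"DNS answer is C2 IP {fields['answer']}"
    elif kind == "conn":
        dst, port = fields.get("dst"), int(fields.get("dport", 0))
        if dst in C2_IPS:
            if port in C2_PORTS:
                return "high", f"connection to configured C2 {dst}:{port}"
            # The operator controls the port; an unlisted port on a C2 IP is still a lead.
            return "medium", f"connection to C2 IP {dst} on unlisted port {port}"
    elif kind == "mutex":
        if fields.get("name") == MUTEX:
            return "high", f"AsyncRAT mutex {MUTEX} created"
    elif kind == "file":
        # The real svchost.exe lives in System32; one under a user profile is
        # suspect on its own, and this path is exactly the configured install location.
        if INSTALL_RE.search(fields.get("path", "")):
            return "medium", f"file written at configured install path {fields['path']}"
    return None


def match_telemetry(text):
    """Return {host: [(severity, reason), ...]} for every matching record."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, host, fields = parse_record(line)
        verdict = classify(kind, fields)
        if verdict:
            hits[host].append(verdict)
    return dict(hits)


if __name__ == "__main__":
    for host, verdicts in match_telemetry(TELEMETRY).items():
        for severity, reason in verdicts:
            print(f"{host}: [{severity}] {reason}")
```

The mutex name is the highest-fidelity indicator here, since it is hard-coded into the build; a hit on a C2 IP over a port other than 49746 or 2703 is kept at medium rather than dropped because the operator can change ports without changing infrastructure. Note that the config has `install` set to `false`, so the install-path check covers a rebuilt stub with that flag flipped rather than the run recorded in this report, and publicvm.com and duckdns.org are dynamic-DNS services, so the domains should be matched by name as well as by resolved IP.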

Targets

    • Target

      RNSM00391.7z

    • AsyncRat

      AsyncRAT is a remote access trojan written in C# that is designed to remotely monitor and control other computers.

    • Asyncrat family

    • GandCrab payload

    • Gandcrab

      GandCrab is a Trojan horse (ransomware) that encrypts files on the victim's computer.

    • Gandcrab family

    • HiveRAT

      HiveRAT is a remote access trojan derived from FirebirdRAT, extending it with additional capabilities.

    • Hiverat family

    • WarzoneRat, AveMaria

      WarzoneRAT is a native RAT written in C++ that is sold as malware-as-a-service (MaaS) together with multiple plugins.

    • Warzonerat family

    • HiveRAT payload

    • Renames multiple (3798) files with added filename extension

      The sample renamed 3,798 files, appending an extension to each; this is consistent with ransomware encrypting files across the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other session data.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.
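The "Renames multiple files with added filename extension" signature above is a behavioural heuristic rather than an IOC, and it is worth seeing how it is scored. The following Python is an added example, not part of the sandbox report or of the sandbox's own signature engine. The file-rename events are constructed, the ".locked" extension is a placeholder rather than an extension the report attributes to this sample, and the threshold and window are assumptions chosen for illustration.

```python
"""Detect the mass-rename pattern flagged by the "Renames multiple files with
added filename extension" signature above.

Added example, not part of the sandbox report. The file-rename events are
constructed; the ".locked" extension is a placeholder, not an extension the
report attributes to this sample.
"""
import re
from collections import defaultdict

# One extension appended to the old name, e.g. "doc.docx" -> "doc.docx.locked".
APPENDED_EXT = re.compile(r"\.[A-Za-z0-9_\-]{1,16}$")


def build_sample_events():
    """Constructed events: (timestamp_s, process, old_path, new_path)."""
    events = []
    for i in range(40):  # encryption pass: the same appended extension on every file
        old = rf"C:\Users\bob\Documents\doc{i}.docx"
        events.append((1000.0 + i * 0.05, "payload.exe", old, old + ".locked"))
    # Benign renames: no extension appended, or a single one-off backup copy.
    events.append((1001.0, "explorer.exe", r"C:\Users\bob\report.txt", r"C:\Users\bob\report_final.txt"))
    events.append((1001.5, "winword.exe", r"C:\Users\bob\~WRD0001.tmp", r"C:\Users\bob\notes.docx"))
    events.append((1002.0, "explorer.exe", r"C:\Users\bob\a.txt", r"C:\Users\bob\a.txt.bak"))
    return events


def appended_extension(old_path, new_path):
    """Return the extension if new_path is exactly old_path plus one extension, else None."""
    if new_path.startswith(old_path):
        suffix = new_path[len(old_path):]
        if APPENDED_EXT.fullmatch(suffix):
            return suffix.lower()
    return None


def detect_mass_rename(events, threshold=20, window_s=60.0):
    """Return {process: (extension, total_count)} for processes that appended the
    same extension to at least `threshold` files within `window_s` seconds."""
    per_proc = defaultdict(lambda: defaultdict(list))  # process -> ext -> [timestamps]
    for ts, proc, old, new in events:
        ext = appended_extension(old, new)
        if ext:
            per_proc[proc][ext].append(ts)
    alerts = {}
    for proc, by_ext in per_proc.items():
        for ext, stamps in by_ext.items():
            stamps.sort()
            # Sliding window: any `threshold` consecutive renames inside `window_s`.
            for i in range(len(stamps) - threshold + 1):
                if stamps[i + threshold - 1] - stamps[i] <= window_s:
                    alerts[proc] = (ext, len(stamps))
                    break
    return alerts


if __name__ == "__main__":
    for proc, (ext, n) in detect_mass_rename(build_sample_events()).items():
        print(f"{proc}: appended {ext} to {n} files (this report: 3798 files renamed)")
```

Keying on "old name plus one extension" rather than on any rename is what keeps ordinary activity (a Word temp file becoming a .docx, a user saving a .bak copy) below the threshold, while the 3,798 renames recorded in this report would exceed it many times over. In a live deployment the alert would be tied to the renaming process so that it can be suspended before the pass completes.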

MITRE ATT&CK Enterprise v15
