General

  • Target

    munchenlatest.exe

  • Size

    9.1MB

  • Sample

    241105-jx799swrgt

  • MD5

    752f04019d02e2cad7a089d3a1d5c814

  • SHA1

    d452f4b7689def5d40fa476447b2c5801924e23e

  • SHA256

    14aa5b0fb58dd616085d10d2b33707f1bb765c2e9e67ec5c2a050689a0206e01

  • SHA512

    22270605de4bd8d80fc26e240b55f60deb3b9ac3974cbbaa37c2528175eb7979364e8b5a1bfa8614076797b0d7bd12a23508a53df1cffa39ff6cccda7422eac8

  • SSDEEP

    196608:Xtp99ZSk6u7ebEicPdidMsrJH+QVDzVhhONXBJX7Dmaxv9i3N/dWxbm:L998Ei0S+QJzVDOLx7D3VsdWx

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Guppies

C2

198.98.58.93:999

Mutex

SYSTEMSPOOF

Attributes

  • delay

    1

  • install

    true

  • install_file

    Core Sound Service.exe

  • install_folder

    %AppData%

aes.plain
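The extracted config above (C2 address, mutex, install folder and file name) is the part of the report a responder can turn directly into host and network detections. The following Python script is an added example, not part of the sandbox report or of any tool the report mentions: it matches those indicators against a handful of constructed Sysmon-style events. The event field names (`type`, `dst_ip`, `dst_port`, `name`, `path`) and the `C:\Users\victim\AppData\Roaming` expansion of `%AppData%` are assumptions for the example.

```python
"""Match the report's extracted AsyncRAT config against host/network telemetry.

Added example, not part of the sandbox report. The event records below are
constructed to resemble Sysmon-style events; their field names are assumptions.
"""
import struct  # not needed for matching; kept out of the way of the example

# Indicators copied from the report's extracted config.
C2_HOST, C2_PORT = "198.98.58.93", 999
MUTEX = "SYSTEMSPOOF"
INSTALL_FILE = "Core Sound Service.exe"
INSTALL_FOLDER = "%AppData%"


def expand_install_path(folder: str, filename: str,
                        appdata: str = r"C:\Users\victim\AppData\Roaming") -> str:
    """Resolve the %AppData% placeholder in the config into a concrete path.

    The default profile path is an assumption; on a real host expand it per user.
    """
    return folder.replace("%AppData%", appdata) + "\\" + filename


def match_event(event: dict) -> list:
    """Return the list of config indicators an event matches (empty if none)."""
    hits = []
    kind = event.get("type")
    if kind == "network_connect":
        # Both IP and port must match; the report gives a single C2 socket.
        if event.get("dst_ip") == C2_HOST and int(event.get("dst_port", 0)) == C2_PORT:
            hits.append("c2:%s:%d" % (C2_HOST, C2_PORT))
    elif kind == "mutex_create":
        # AsyncRAT uses the configured mutex verbatim, so compare exactly.
        if event.get("name") == MUTEX:
            hits.append("mutex:" + MUTEX)
    elif kind in ("file_create", "process_create"):
        # The persistence path is user-specific, so match on the tail of the
        # path, case-insensitively (NTFS paths are case-insensitive).
        tail = ("\\AppData\\Roaming\\" + INSTALL_FILE).lower()
        if event.get("path", "").lower().endswith(tail):
            hits.append("install_path:" + INSTALL_FILE)
    return hits


def scan(events) -> list:
    """Return (event_index, hits) for every event matching at least one indicator."""
    results = []
    for i, e in enumerate(events):
        hits = match_event(e)
        if hits:
            results.append((i, hits))
    return results


# Constructed telemetry: three true positives plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "path": r"C:\Windows\System32\tasklist.exe"},
    {"type": "file_create",
     "path": r"C:\Users\victim\AppData\Roaming\Core Sound Service.exe"},
    {"type": "mutex_create", "name": "SYSTEMSPOOF"},
    {"type": "network_connect", "dst_ip": "198.98.58.93", "dst_port": 999},
    {"type": "network_connect", "dst_ip": "198.98.58.93", "dst_port": 443},
    {"type": "network_connect", "dst_ip": "13.107.4.50", "dst_port": 443},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx], "->", ", ".join(hits))
```

Note that the connection to 198.98.58.93:443 is deliberately not flagged: the report only attests to port 999. In a real hunt you would usually alert on the IP alone as well, since the operator can move the listener to another port without changing the sample.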

Targets

    • Target

      munchenlatest.exe

    • Size

      9.1MB

    • MD5

      752f04019d02e2cad7a089d3a1d5c814

    • SHA1

      d452f4b7689def5d40fa476447b2c5801924e23e

    • SHA256

      14aa5b0fb58dd616085d10d2b33707f1bb765c2e9e67ec5c2a050689a0206e01

    • SHA512

      22270605de4bd8d80fc26e240b55f60deb3b9ac3974cbbaa37c2528175eb7979364e8b5a1bfa8614076797b0d7bd12a23508a53df1cffa39ff6cccda7422eac8

    • SSDEEP

      196608:Xtp99ZSk6u7ebEicPdidMsrJH+QVDzVhhONXBJX7Dmaxv9i3N/dWxbm:L998Ei0S+QJzVDOLx7D3VsdWx

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Async RAT payload

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Executes commands via powershell.exe.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.
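The "UPX packed file" signature above is typically driven by the section names UPX leaves in the PE section table. The following Python script is an added example, not part of the sandbox report: it parses just enough of a PE header to reach the section table and flags the default UPX section names. The sample PE bytes it builds are constructed header-only stubs for the demonstration, not the analysed file, and `build_fake_pe` is a helper for the example only.

```python
"""Flag default UPX section names in a PE file's section table.

Added example, not part of the sandbox report. Parses only the DOS stub
pointer, PE signature and COFF header needed to locate the section table.
"""
import struct

# Section names UPX writes by default (UPX0/UPX1 for the packed data, UPX2 or
# UPX! in some builds). A modified UPX can rename them, so absence proves nothing.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def section_names(data: bytes) -> list:
    """Return the NUL-stripped names of all sections in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature:
    #   NumberOfSections at +6 (uint16), SizeOfOptionalHeader at +20 (uint16).
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    # Section table starts right after the optional header (24 = 4 + 20).
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a default UPX name. Triage hint, not proof."""
    return any(n in UPX_SECTION_NAMES for n in section_names(data))


def build_fake_pe(names: list) -> bytes:
    """Construct a minimal header-only PE with the given section names.

    Helper for this example only: the result has no code and is not loadable.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0  # no optional header, so the section table follows the COFF header
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(n[:8].ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])
    plain = build_fake_pe([b".text", b".rdata", b".data"])
    print(section_names(packed), looks_upx_packed(packed))
    print(section_names(plain), looks_upx_packed(plain))
```

To run this against a real sample, read the file in binary mode and pass the bytes to `looks_upx_packed`; pair the result with an entropy check on the first section, since a renamed-section UPX build will slip past a name match alone.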

MITRE ATT&CK Enterprise v15