General
-
Target
munchenlatest.exe
-
Size
9.1MB
-
Sample
241105-jx799swrgt
-
MD5
752f04019d02e2cad7a089d3a1d5c814
-
SHA1
d452f4b7689def5d40fa476447b2c5801924e23e
-
SHA256
14aa5b0fb58dd616085d10d2b33707f1bb765c2e9e67ec5c2a050689a0206e01
-
SHA512
22270605de4bd8d80fc26e240b55f60deb3b9ac3974cbbaa37c2528175eb7979364e8b5a1bfa8614076797b0d7bd12a23508a53df1cffa39ff6cccda7422eac8
-
SSDEEP
196608:Xtp99ZSk6u7ebEicPdidMsrJH+QVDzVhhONXBJX7Dmaxv9i3N/dWxbm:L998Ei0S+QJzVDOLx7D3VsdWx
Static task
static1
Behavioral task
behavioral1
Sample
munchenlatest.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
munchenlatest.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
Family
asyncrat
-
Version
1.0.7
-
Botnet
Guppies
-
C2
198.98.58.93:999
-
Mutex
SYSTEMSPOOF
-
delay
1
-
install
true
-
install_file
Core Sound Service.exe
-
install_folder
%AppData%
Targets
-
Target
munchenlatest.exe
-
Size
9.1MB
-
MD5
752f04019d02e2cad7a089d3a1d5c814
-
SHA1
d452f4b7689def5d40fa476447b2c5801924e23e
-
SHA256
14aa5b0fb58dd616085d10d2b33707f1bb765c2e9e67ec5c2a050689a0206e01
-
SHA512
22270605de4bd8d80fc26e240b55f60deb3b9ac3974cbbaa37c2528175eb7979364e8b5a1bfa8614076797b0d7bd12a23508a53df1cffa39ff6cccda7422eac8
-
SSDEEP
196608:Xtp99ZSk6u7ebEicPdidMsrJH+QVDzVhhONXBJX7Dmaxv9i3N/dWxbm:L998Ei0S+QJzVDOLx7D3VsdWx
-
Asyncrat family
-
Xmrig family
-
Async RAT payload
-
XMRig Miner payload
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
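The extracted config and the behavioural signatures above are only useful if they can be turned into something that runs over endpoint telemetry. The following is an added example, not part of the sandbox report or of any tool it mentions: it takes the extracted AsyncRAT fields (C2, mutex, install_file, install_folder), expands %AppData% for an assumed user profile path, and checks a small set of constructed telemetry records against those IOCs and against rules for the signatures the report flags (scheduled task creation, netsh helper DLL registration, encoded PowerShell, tasklist enumeration, hidden-file attributes). The user name "victim", the telemetry records, the registry path for netsh helpers (HKLM\SOFTWARE\Microsoft\NetSh) and the ATT&CK technique IDs are assumptions from public documentation, not values taken from this report.

```python
"""Hunt for the AsyncRAT indicators extracted in the report above.

Added example. The config values come from the report; everything else
(profile path, telemetry records, registry key, technique IDs) is assumed.
"""
import ntpath
import re

# Fields copied from the report's extracted asyncrat config.
ASYNCRAT_CONFIG = {
    "version": "1.0.7",
    "botnet": "Guppies",
    "c2": "198.98.58.93:999",
    "mutex": "SYSTEMSPOOF",
    "install_file": "Core Sound Service.exe",
    "install_folder": "%AppData%",
}


def expand_appdata(folder, user="victim"):
    """Expand %AppData% to the roaming profile path (assumed default layout)."""
    return folder.replace("%AppData%", rf"C:\Users\{user}\AppData\Roaming")


def build_iocs(cfg, user="victim"):
    """Derive hunt-ready indicators from the extracted config."""
    host, port = cfg["c2"].rsplit(":", 1)
    install = ntpath.join(expand_appdata(cfg["install_folder"], user), cfg["install_file"])
    return {
        "c2_host": host,
        "c2_port": int(port),
        "install_path": install.lower(),  # compared case-insensitively, as NTFS does
        "mutex": cfg["mutex"],
    }


def _cmd(ev):
    return ev.get("cmdline", "").lower()


def make_rules(iocs):
    """(event_type, predicate, description, ATT&CK id or 'config' for IOC-only rules)."""
    return [
        ("file_write", lambda e: e["path"].lower() == iocs["install_path"],
         "install_file written to install_folder", "config"),
        ("netconn", lambda e: e["dst"] == iocs["c2_host"] and e["port"] == iocs["c2_port"],
         "connection to extracted C2", "config"),
        ("mutex", lambda e: e["name"] == iocs["mutex"],
         "extracted mutex created", "config"),
        ("process", lambda e: "schtasks" in _cmd(e) and "/create" in _cmd(e),
         "Scheduled Task", "T1053.005"),
        # Assumed key: netsh loads helper DLLs listed under this path.
        ("registry_set", lambda e: e["key"].lower().startswith(r"hklm\software\microsoft\netsh"),
         "Netsh Helper DLL", "T1546.007"),
        ("process", lambda e: "powershell" in e["image"].lower(),
         "PowerShell", "T1059.001"),
        ("process", lambda e: "powershell" in e["image"].lower()
         and re.search(r"\s-(e|ec|enc|encodedcommand)\s", _cmd(e)) is not None,
         "Command Obfuscation (encoded PowerShell)", "T1027.010"),
        ("process", lambda e: ntpath.basename(e["image"]).lower() == "tasklist.exe",
         "Enumerates processes with tasklist", "T1057"),
        ("process", lambda e: "attrib" in _cmd(e) and "+h" in _cmd(e),
         "Hidden Files and Directories", "T1564.001"),
    ]


def hunt(events, rules):
    """Return (event index, description, technique) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for etype, pred, desc, tech in rules:
            if ev["type"] == etype and pred(ev):
                hits.append((i, desc, tech))
    return hits


# Constructed telemetry, not from the report: one benign HTTPS connection
# (index 4) and a set of records shaped like what the sandbox describes.
SAMPLE_EVENTS = [
    {"type": "file_write", "path": r"C:\Users\victim\AppData\Roaming\Core Sound Service.exe"},
    {"type": "process", "image": "cmd.exe",
     "cmdline": 'schtasks /create /f /sc onlogon /tn "Core Sound Service" '
                r'/tr "C:\Users\victim\AppData\Roaming\Core Sound Service.exe"'},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\NetSh",
     "value": "helper", "data": r"C:\Users\victim\AppData\Roaming\helper.dll"},
    {"type": "netconn", "dst": "198.98.58.93", "port": 999},
    {"type": "netconn", "dst": "93.184.216.34", "port": 443},
    {"type": "mutex", "name": "SYSTEMSPOOF"},
    {"type": "process", "image": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"type": "process", "image": "tasklist.exe", "cmdline": "tasklist /fo csv"},
]


def run_sample():
    return hunt(SAMPLE_EVENTS, make_rules(build_iocs(ASYNCRAT_CONFIG)))


if __name__ == "__main__":
    for idx, desc, tech in run_sample():
        print(f"event {idx}: {desc} [{tech}]")
```

On the constructed records the benign connection on index 4 stays silent, the encoded PowerShell line fires both the interpreter rule and the obfuscation rule, and the three config-driven rules hit exactly the path, C2 and mutex from the report. The config-derived IOCs are the high-confidence part; the behavioural rules are deliberately broad (any schtasks /create, any encoded PowerShell) and are meant for pivoting, not for alerting on their own.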
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1): PowerShell (1)
Scheduled Task/Job (1): Scheduled Task (1)
-
Persistence
Event Triggered Execution (1): Netsh Helper DLL (1)
Scheduled Task/Job (1): Scheduled Task (1)
-
Privilege Escalation
Event Triggered Execution (1): Netsh Helper DLL (1)
Scheduled Task/Job (1): Scheduled Task (1)
-
Defense Evasion
Hide Artifacts (1): Hidden Files and Directories (1)
Obfuscated Files or Information (1): Command Obfuscation (1)
-
Credential Access
Credentials from Password Stores (1): Credentials from Web Browsers (1)
Unsecured Credentials (3): Credentials In Files (3)