General

  • Target

    SecuriteInfo.com.Win32.MalwareX-gen.20028.17631.exe

  • Size

    12KB

  • Sample

    241107-w4wahazkaj

  • MD5

    18208ba6920a74e8ca7bd244571ae383

  • SHA1

    61797d94d14935a588a799e8dc943355eb6f4022

  • SHA256

    1c30611e8e3a99301ffe1102d4f70c44fd2d7593878dcdf4178002777fe6e920

  • SHA512

    87fdb3de8301e8f2dd7b8601ee468e64387ce72616af21153d129f236bf28a6dd81e1ba905cd534281bdc94aca1d85898ec6e64170cab2bb58d3c608002f64f3

  • SSDEEP

    192:4Qt7If16ODCvuuYT6DI6kDmBwqVT9N62uEiGe5PF:A16O5CDIJDawqrklEiP5P

Malware Config

Extracted

Family

asyncrat

Version

AWS | RxR

Botnet

Default

C2

lastofdr51.mywire.org:6606

lastofdr51.mywire.org:7707

lastofdr51.mywire.org:8808

Nightmare15.strangled.net:6606

Nightmare15.strangled.net:7707

Nightmare15.strangled.net:8808

darkenssnight.ydns.eu:6606

darkenssnight.ydns.eu:7707

darkenssnight.ydns.eu:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    SystemUpdate.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      SecuriteInfo.com.Win32.MalwareX-gen.20028.17631.exe

    • Size

      12KB

    • MD5

      18208ba6920a74e8ca7bd244571ae383

    • SHA1

      61797d94d14935a588a799e8dc943355eb6f4022

    • SHA256

      1c30611e8e3a99301ffe1102d4f70c44fd2d7593878dcdf4178002777fe6e920

    • SHA512

      87fdb3de8301e8f2dd7b8601ee468e64387ce72616af21153d129f236bf28a6dd81e1ba905cd534281bdc94aca1d85898ec6e64170cab2bb58d3c608002f64f3

    • SSDEEP

      192:4Qt7If16ODCvuuYT6DI6kDmBwqVT9N62uEiGe5PF:A16O5CDIJDawqrklEiP5P

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks