General

  • Target

    8bd4e5638b1e7e663c793a1e53bc44ba23e671e1a9f77c8bd8d1928f971cb131

  • Size

    1.1MB

  • Sample

    241110-de471a1lgr

  • MD5

    9b825be916bc8914b9ffcf4f5426241c

  • SHA1

    587eae0d81d563668f25258711d47958b41ae4cb

  • SHA256

    8bd4e5638b1e7e663c793a1e53bc44ba23e671e1a9f77c8bd8d1928f971cb131

  • SHA512

    8cc12b0e52cbdd24c9809c311b942c530264d58e15f1aeeb1f51d3c219e3489b3ae8bc9457131ae302956c78b54aca1e611ba48a7cf6ca7e495588333ad348e3

  • SSDEEP

    24576:sgmyZEbdsW36Dfw7TNs9a7WFZgGdT8jANa/D1Gi:s9WEbBIaCGWFZQAqD7

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

isabelaflores.fun:7000

Mutex

ServicesMutex_qwqdanchun

Attributes

  • delay

    240

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      274e4c594cfadeda5b78076c2791ab57d35b6b9bab954c30a2053d17812e1aa5.exe

    • Size

      1.9MB

    • MD5

      73ce5f094321f2683b7846397b3d5a8c

    • SHA1

      d17102bc9d37a5ff9506dfbf94d0608378fae2c6

    • SHA256

      274e4c594cfadeda5b78076c2791ab57d35b6b9bab954c30a2053d17812e1aa5

    • SHA512

      20eac921ba5dbc25ac0b751c768540fb3d54b4b359ce638dd7168bf57e12c0450a1b42db0c90b59be49c84fad289ee5e7b5e3ac683d66664d0d5f1adccc89c8e

    • SSDEEP

      24576:oDlxLeM+sLqZS62SiyY4TWKaJTXogjqpn5WMAw3FKvKvPoxBoOux5lUA4X+he6P2:K3Ci334noyvnbzJ8eF

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • UAC bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks