General

  • Target

    PO-341999-PDF.exe

  • Size

    1.6MB

  • Sample

    241114-p724wsynfw

  • MD5

    166d084ca362984e8c8759c77644963e

  • SHA1

    2a020dd02a2882c9a785ea5f81e435413f90bf36

  • SHA256

    6fed9ac910b4570ce24f3d4230fbe550f181ad5f1ab089725e3eb9f7e8142f2e

  • SHA512

    ddce968417460650561dcbfd9d61c413fc5bff892a4b0263aeed911f07954d57d1413af35a73d45edbdb4975e59eecbb782be20b5097c2e781295e95b08c770a

  • SSDEEP

    12288:Pvql1LFyp0Qgxun0rYe6MrQKrKFPyvrvA7fP:gL8/gx16MrQKrgPyvbA7P

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

95.179.135.209:1989

Mutex

FhYe09MKTBbQ

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      PO-341999-PDF.exe

    • Size

      1.6MB

    • MD5

      166d084ca362984e8c8759c77644963e

    • SHA1

      2a020dd02a2882c9a785ea5f81e435413f90bf36

    • SHA256

      6fed9ac910b4570ce24f3d4230fbe550f181ad5f1ab089725e3eb9f7e8142f2e

    • SHA512

      ddce968417460650561dcbfd9d61c413fc5bff892a4b0263aeed911f07954d57d1413af35a73d45edbdb4975e59eecbb782be20b5097c2e781295e95b08c770a

    • SSDEEP

      12288:Pvql1LFyp0Qgxun0rYe6MrQKrKFPyvrvA7fP:gL8/gx16MrQKrgPyvbA7P

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • UAC bypass

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks