General

  • Target

    kids.bat

  • Size

    368B

  • Sample

    241121-3cy1mswrep

  • MD5

    77e20cc9b8332536c63147d861cf554c

  • SHA1

    b068597a13cc0dafc3de9d98595a0bf479b8227f

  • SHA256

    7a3fd30d774152069744411923370c4502a6d07847c7ac9377602741fb4c1859

  • SHA512

    4c639c81461fab44c2e66859798da1263ad228e463b7d260c226f812d56eddcd5b03c02d4ea10ac025803f2ef05d7a4d7fd06436c35636248770ad0ec91f0568

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

Attributes
  • delay

    1

  • install

    true

  • install_file

    WINDOWS.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      kids.bat

    • Size

      368B

    • MD5

      77e20cc9b8332536c63147d861cf554c

    • SHA1

      b068597a13cc0dafc3de9d98595a0bf479b8227f

    • SHA256

      7a3fd30d774152069744411923370c4502a6d07847c7ac9377602741fb4c1859

    • SHA512

      4c639c81461fab44c2e66859798da1263ad228e463b7d260c226f812d56eddcd5b03c02d4ea10ac025803f2ef05d7a4d7fd06436c35636248770ad0ec91f0568

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks