General

  • Target

    64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80.bat

  • Size

    2KB

  • Sample

    241123-cyg15ssjbr

  • MD5

    0e2fff554ddadc58aaff7978ec06aa32

  • SHA1

    b453b17905235ea96150c90711285f7879d3afc0

  • SHA256

    64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80

  • SHA512

    c54cc4c956dc733835d0d40d49377b23b8b63bfa118e0e9ed5bba18e2b2b5f4a33656cd5b75230cd7dec05a98a3bc4b84b429121cffe3644fff72fc628b83b76

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://109.199.101.109:770/xx.jpg

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Default

C2

samsalah1.freeddns.org:1005

Mutex

AsyncMutex_alosh

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80.bat

    • Size

      2KB

    • MD5

      0e2fff554ddadc58aaff7978ec06aa32

    • SHA1

      b453b17905235ea96150c90711285f7879d3afc0

    • SHA256

      64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80

    • SHA512

      c54cc4c956dc733835d0d40d49377b23b8b63bfa118e0e9ed5bba18e2b2b5f4a33656cd5b75230cd7dec05a98a3bc4b84b429121cffe3644fff72fc628b83b76

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks