Resubmissions
28-11-2024 20:34
241128-zcxwssvpdq 10General
-
Target
Infected.exe
-
Size
63KB
-
Sample
241128-zcxwssvpdq
-
MD5
033a95f31df91d6c986eb0351a7053b4
-
SHA1
c8945b0f9900fa37e654681e9e4a34aa4cb01e42
-
SHA256
685c5bf64885c072aadce5f178f4ec91b6b3dcea76391d59b64bf688e38985d6
-
SHA512
3c14096e54b3de9758f5a6aa2de369967aff87ad4e3a8f525fe2469440581011fefb10edfbd3c7088f5a93d9638a656d57c2feb6c14b7ab190230f07fa665795
-
SSDEEP
768:Uk/9PXn1w787gC8A+XvqazcBRL5JTk1+T4KSBGHmDbD/ph0oXPVTJ+FpSungpqKX:hR1gMdSJYUbdh9PdXungpqKmY7
Malware Config
Extracted
asyncrat
Default
default-hepatitis.gl.at.ply.gg:10820
-
delay
1
-
install
true
-
install_file
system.exe
-
install_folder
%AppData%
Targets
-
-
Target
Infected.exe
-
Size
63KB
-
MD5
033a95f31df91d6c986eb0351a7053b4
-
SHA1
c8945b0f9900fa37e654681e9e4a34aa4cb01e42
-
SHA256
685c5bf64885c072aadce5f178f4ec91b6b3dcea76391d59b64bf688e38985d6
-
SHA512
3c14096e54b3de9758f5a6aa2de369967aff87ad4e3a8f525fe2469440581011fefb10edfbd3c7088f5a93d9638a656d57c2feb6c14b7ab190230f07fa665795
-
SSDEEP
768:Uk/9PXn1w787gC8A+XvqazcBRL5JTk1+T4KSBGHmDbD/ph0oXPVTJ+FpSungpqKX:hR1gMdSJYUbdh9PdXungpqKmY7
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Modifies Windows Defender Real-time Protection settings
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Stealerium family
-
Async RAT payload
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Renames multiple (3163) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Network Service Discovery
Attempt to gather information on host's network.
-
Enumerates processes with tasklist
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1