Overview

overview

10

Static

static

10

Loader.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Loader.exe

  • Size

    74KB

  • Sample

    241203-3mp6gswkbk

  • MD5

    7a545dbf06e65f7f17f04ae0f5153e0e

  • SHA1

    ab20193637edd250eac59fd71b6ea2b7a0faaad4

  • SHA256

    c3556cd1169de28cb9f6ba3a06a875f756b1bbadfb51b7ce00c92f23d2cd4f5d

  • SHA512

    98a56663c90195b0b22df4dcfd72cc4717e445d5eaa2f4571443becbe38a77121835073cbf56377f5cc11849e160dbe9e156fcff8a3fab2efd9aa97a1876d0d1

  • SSDEEP

    1536:wUKUcxoyR1CriPMVzrqVBYgImH1bz/mmB4Qzc2EVclN:wUzcxoyXkiPMVzrqVHH1bz/4QD2Y

Score
10/10
asyncratdefaultdiscoveryevasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

66.66.146.74:9511

Mutex

8906005788005HTGF

Attributes
  • delay

    1

  • install

    true

  • install_file

    WINDOWS.exe

  • install_folder

    %AppData%

aes.plain
1
XesRYlphPGk0fRPQHQW5A8dUZSHRkkUq

Targets

    • Target

      Loader.exe

    • Size

      74KB

    • MD5

      7a545dbf06e65f7f17f04ae0f5153e0e

    • SHA1

      ab20193637edd250eac59fd71b6ea2b7a0faaad4

    • SHA256

      c3556cd1169de28cb9f6ba3a06a875f756b1bbadfb51b7ce00c92f23d2cd4f5d

    • SHA512

      98a56663c90195b0b22df4dcfd72cc4717e445d5eaa2f4571443becbe38a77121835073cbf56377f5cc11849e160dbe9e156fcff8a3fab2efd9aa97a1876d0d1

    • SSDEEP

      1536:wUKUcxoyR1CriPMVzrqVBYgImH1bz/mmB4Qzc2EVclN:wUzcxoyXkiPMVzrqVHH1bz/4QD2Y

    Score
    10/10
    asyncratdefaultdiscoveryevasionexecutionpersistencerattrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Async RAT payload

      rat

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

5
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.