General
-
Target
Widnow Defender.exe
-
Size
207KB
-
Sample
241209-2mtm8syqdq
-
MD5
90763e11a09407343e909f8687e07b2f
-
SHA1
a4b0c206643de5e3e2064029f3d443a850c584ce
-
SHA256
401c3e1a8e1166488e1e6e69e9eb0965e80be455465861d8502b2ce2f5e5e6bd
-
SHA512
b4a2dc5b27c8ba06f3d1069689d2ea7cbc12f8dc8118caa8f0772cea8ecab9c1945c23be7543f87955c28a1b2221b5aabfe3e9db14c6926c05276efa41591918
-
SSDEEP
6144:NC8VYacCrZr5lUUQWImNRxh+G9qYQyevtxrIk6ReRbK:NqdYrtRxh+G9DQyitxrIN
Malware Config
Targets
-
-
Target
Widnow Defender.exe
-
Size
207KB
-
MD5
90763e11a09407343e909f8687e07b2f
-
SHA1
a4b0c206643de5e3e2064029f3d443a850c584ce
-
SHA256
401c3e1a8e1166488e1e6e69e9eb0965e80be455465861d8502b2ce2f5e5e6bd
-
SHA512
b4a2dc5b27c8ba06f3d1069689d2ea7cbc12f8dc8118caa8f0772cea8ecab9c1945c23be7543f87955c28a1b2221b5aabfe3e9db14c6926c05276efa41591918
-
SSDEEP
6144:NC8VYacCrZr5lUUQWImNRxh+G9qYQyevtxrIk6ReRbK:NqdYrtRxh+G9DQyitxrIN
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1