General
Target: corrupt perm.exe
Size: 5.9MB
Sample: 241212-a7abjsvjfx
MD5: e353a269346c7d04f4fe57b2d7b56691
SHA1: 75cee47332191ae6b4efae532898ed9b03f3f8f2
SHA256: d716ea3a153302a94113da989bb30886eed6fb48ae80d851dbdfe2ed4161a2d2
SHA512: 34f54157ae617ec4bec534ba646af88eadf71b956e70fa36b5c10cd0d5726656e91a39e3e41e90440b9112f029e9a7d3f99ecd7f08c4880a7c034119eb52a17f
SSDEEP: 98304:dvmoDUN43Wlmd+jOjFgFEblNHYSxTpirSHcUR43zrwkdA8QJCKC7bN3mb6aTtMFy:dvumWo8OjmFwDRxtYSHdK34kdai7bN3Q
Behavioral tasks
behavioral1: corrupt perm.exe on win7-20240708-en
behavioral2: corrupt perm.exe on win10v2004-20241007-en
behavioral3: 7+vzr)�.pyc on win7-20240729-en (filename contains an unrecoverable character)
behavioral4: 7+vzr)�.pyc on win10v2004-20241007-en
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: 127.0.0.1:6606, 127.0.0.1:7707, 127.0.0.1:8808
Mutex: P5sEq6S9MXOZ
Attributes:
- delay: 3
- install: true
- install_file: vixen.exe
- install_folder: %AppData%

Note: all three extracted C2 endpoints are loopback addresses (127.0.0.1), so this configuration yields no routable network indicator; the ports match the AsyncRAT defaults (6606/7707/8808). The host-side indicators (the install path %AppData%\vixen.exe and the mutex) are the actionable part of this extraction.
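The extracted configuration above is only useful if it is turned into checks. The following script is an added example, not part of the sandbox report or of AsyncRAT itself: it copies the report's hashes, C2 list, mutex and install path into a small IOC set, classifies each C2 endpoint as routable or not (so the loopback addresses are not shipped to a blocklist), expands %AppData%\vixen.exe against a supplied environment, and compares a file's SHA-256 to the report hashes. The function names, the fake environment and the temporary stand-in file are all constructed here so it runs offline on a non-Windows analysis box.

```python
"""Host-side checks built from the extracted AsyncRAT config and report hashes.

Added example (not part of the sandbox report). IOC values are copied from the
report; function names, the fake environment and the temp file are constructed.
"""
import hashlib
import ipaddress
import os
import tempfile
from pathlib import PureWindowsPath

# IOCs copied from the report above.
REPORT_IOCS = {
    "sha256": {
        "d716ea3a153302a94113da989bb30886eed6fb48ae80d851dbdfe2ed4161a2d2",  # corrupt perm.exe
        "0e109c4d87c4cd5fc2f538514a4bb24aac1f93c31a076d4afffde0111f1f93bf",  # 857-byte .pyc
    },
    "c2": ["127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808"],
    "mutex": "P5sEq6S9MXOZ",
    "install_folder": "%AppData%",
    "install_file": "vixen.exe",
}


def classify_c2(endpoints):
    """Split host:port strings into (host, port, routable) tuples.

    Loopback, private and unspecified addresses are not globally routable and
    cannot be blocked at the perimeter, which is exactly the case in this report.
    """
    out = []
    for ep in endpoints:
        host, _, port = ep.rpartition(":")
        try:
            routable = ipaddress.ip_address(host).is_global
        except ValueError:          # a hostname rather than a literal IP
            routable = True         # treat as actionable until resolved
        out.append((host, int(port), routable))
    return out


def expected_install_path(env):
    """Expand the report's %AppData%\\vixen.exe against the given environment.

    `env` is passed in instead of using os.environ so the expansion can be
    exercised on a Linux analysis host with a constructed Windows environment.
    """
    var = REPORT_IOCS["install_folder"].strip("%")
    base = env.get(var.upper()) or env.get(var)
    if base is None:
        raise KeyError(f"environment has no {var}")
    return str(PureWindowsPath(base) / REPORT_IOCS["install_file"])


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 (the 5.9 MB sample should not be read at once)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def matches_report(path, extra_sha256=()):
    """True if the file's SHA-256 is one of the report hashes (or a supplied extra)."""
    return sha256_of(path) in REPORT_IOCS["sha256"] | set(extra_sha256)


def demo():
    """Run every check against constructed input and return the results."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "vixen.exe")
        with open(fake, "wb") as f:
            f.write(b"MZ constructed stand-in, not the sample")  # constructed
        hit_without = matches_report(fake)
        hit_with = matches_report(fake, extra_sha256=[sha256_of(fake)])
    fake_env = {"APPDATA": r"C:\Users\victim\AppData\Roaming"}  # constructed
    return {
        "c2": classify_c2(REPORT_IOCS["c2"]),
        "install_path": expected_install_path(fake_env),
        "hash_hit_without_extra": hit_without,
        "hash_hit_with_extra": hit_with,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a suspected host the same functions would be pointed at the real %AppData%\vixen.exe; a hash miss there is not a clean result, because a rebuilt or repacked binary changes the hash while the install path and mutex stay the same.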
Targets

Target: corrupt perm.exe
Size: 5.9MB
MD5: e353a269346c7d04f4fe57b2d7b56691
SHA1: 75cee47332191ae6b4efae532898ed9b03f3f8f2
SHA256: d716ea3a153302a94113da989bb30886eed6fb48ae80d851dbdfe2ed4161a2d2
SHA512: 34f54157ae617ec4bec534ba646af88eadf71b956e70fa36b5c10cd0d5726656e91a39e3e41e90440b9112f029e9a7d3f99ecd7f08c4880a7c034119eb52a17f
SSDEEP: 98304:dvmoDUN43Wlmd+jOjFgFEblNHYSxTpirSHcUR43zrwkdA8QJCKC7bN3mb6aTtMFy:dvumWo8OjmFwDRxtYSHdK34kdai7bN3Q
Signatures:
- Asyncrat family
- Async RAT payload
- Drops file in Drivers directory
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Clipboard Data: adversaries may collect data stored in the clipboard from users copying information within or between applications.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files: steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation: adversaries may obfuscate content during command execution to impede detection.
- Enumerates processes with tasklist
- Hide Artifacts: Hidden Files and Directories

Target: 7+vzr)�.pyc
Size: 857B
MD5: 807c53955a9e963597ffcdf0cc8c77a0
SHA1: 0683ea4fb92e5257522769256cc81d8a3d12d120
SHA256: 0e109c4d87c4cd5fc2f538514a4bb24aac1f93c31a076d4afffde0111f1f93bf
SHA512: 12ee721a4dbcaa996e3471ba946401442b248cf7c4636ccb90280245fc9cd67a101259199f2c302351f93dbcf53af64b83dcaaa00809725aefde18961a9f0506
Score: 1/10
MITRE ATT&CK Enterprise v15 (technique: number of matching signatures)

Execution
- Command and Scripting Interpreter: 1
  - PowerShell: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1

Persistence
- Event Triggered Execution: 1
  - Netsh Helper DLL: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1

Privilege Escalation
- Event Triggered Execution: 1
  - Netsh Helper DLL: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1

Defense Evasion
- Hide Artifacts: 2
  - Hidden Files and Directories: 2
- Obfuscated Files or Information: 1
  - Command Obfuscation: 1

Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 3
  - Credentials In Files: 3

Discovery
- Browser Information Discovery: 1
- Process Discovery: 1
- Query Registry: 1
- Remote System Discovery: 1
- System Information Discovery: 4
- System Location Discovery: 1
  - System Language Discovery: 1
- System Network Configuration Discovery: 2
  - Internet Connection Discovery: 1
  - Wi-Fi Discovery: 1