General

  • Target: corrupt perm.exe
  • Size: 5.9MB
  • Sample: 241212-a7abjsvjfx
  • MD5: e353a269346c7d04f4fe57b2d7b56691
  • SHA1: 75cee47332191ae6b4efae532898ed9b03f3f8f2
  • SHA256: d716ea3a153302a94113da989bb30886eed6fb48ae80d851dbdfe2ed4161a2d2
  • SHA512: 34f54157ae617ec4bec534ba646af88eadf71b956e70fa36b5c10cd0d5726656e91a39e3e41e90440b9112f029e9a7d3f99ecd7f08c4880a7c034119eb52a17f
  • SSDEEP: 98304:dvmoDUN43Wlmd+jOjFgFEblNHYSxTpirSHcUR43zrwkdA8QJCKC7bN3mb6aTtMFy:dvumWo8OjmFwDRxtYSHdK34kdai7bN3Q

Malware Config

Extracted

  • Family: asyncrat
  • Version: 0.5.8
  • Botnet: Default
  • C2: 127.0.0.1:6606, 127.0.0.1:7707, 127.0.0.1:8808
  • Mutex: P5sEq6S9MXOZ
  • Attributes
      • delay: 3
      • install: true
      • install_file: vixen.exe
      • install_folder: %AppData%
  • aes.plain

Targets

    • Target: corrupt perm.exe
    • Size: 5.9MB


    • AsyncRat

      AsyncRAT is a remote access tool written in C# that is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified variant of it.

    • Target: 7+vzr)�.pyc
    • Size: 857B
    • MD5: 807c53955a9e963597ffcdf0cc8c77a0
    • SHA1: 0683ea4fb92e5257522769256cc81d8a3d12d120
    • SHA256: 0e109c4d87c4cd5fc2f538514a4bb24aac1f93c31a076d4afffde0111f1f93bf
    • SHA512: 12ee721a4dbcaa996e3471ba946401442b248cf7c4636ccb90280245fc9cd67a101259199f2c302351f93dbcf53af64b83dcaaa00809725aefde18961a9f0506

    Score: 1/10

MITRE ATT&CK Enterprise v15
