General

  • Target: ce579346b070be66569b7b4906099f5256b9e3e8bfe78073a654bb83324bda53
  • Size: 456KB
  • Sample: 241212-k5czrs1qan
  • MD5: 95927fb1e8a09af56471251316609c3e
  • SHA1: 68261b0121625ff95bc564eab463059e50e18b0e
  • SHA256: ce579346b070be66569b7b4906099f5256b9e3e8bfe78073a654bb83324bda53
  • SHA512: 744a61f65243753acea76db3d562af71801900e065ca6669be05643087cb5f647f00fa5c4d8db8fd15f50b4687fc25baa1382dfc3e7a2add06471b54f14623e1
  • SSDEEP: 12288:dS8GoY2QBXxlc+x8qmkj6ulTpZhXpMudlp4eEPTKuJTL:dxLmXxLv7XlNHtp4FKuJTL

Malware Config

Extracted

  • Family: asyncrat
  • Version: 0.5.8
  • Botnet: Default
  • C2: 69.174.100.131:6606
  • Mutex: abkZfsCYRZhk

Attributes

  • delay: 10
  • install: false
  • install_file: order.exe
  • install_folder: %AppData%
  • aes.plain

Extracted

  • Family: vipkeylogger
  • C2: https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763

Targets

    • Target: Payment.exe
    • Size: 940KB
    • MD5: ad45a46cc2809a1244ba4a05b2411096
    • SHA1: 873324976c33ea8870e5fd68a5913a924b2932ae
    • SHA256: 1ca25ad8f6c161c67a4b78ab8aca6f8795210dfe17555d5448302d5054af3f0b
    • SHA512: e5eb407686c3fae6d2c26c20b789aa6427ef86d64acc19a611fb8a4b0d23112ed194bebbb1837610579498e9ec0bdfdc4871cd986d011b4e2279e6c819900e26
    • SSDEEP: 24576:fu6J33O0c+JY5UZ+XC0kGso6FaCSS4R1WY:pu0c++OCvkGs9FaCSSTY

    • AsyncRat

      AsyncRAT is a remote access tool written in C# that is designed to remotely monitor and control other computers.

    • Asyncrat family

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
