General

  • Target

    IObitUnlocker.zip

  • Size

    1.1MB

  • Sample

    241221-x7qpvsxmcs

  • MD5

    2a12de940be492fa9f65b77903c455a2

  • SHA1

    f790289de300cc53dbe9a8da247c907137e5b005

  • SHA256

    cd17fd2149133c39e5bf2f32f4526c2c06a8b556f4b10cbb03b799f52dfe4cde

  • SHA512

    907d0110e60fda1027ca56200ece3d19116671fde0d5885ebcd87532ba2dfbe0d3d75cfec4e36dd4a49e3b986c7191c58717413f76d8c8d3c7e6835fa5bd7f8e

  • SSDEEP

    24576:Ar2zX0IXeoyPH/e23STj58r/+KId/rbA2+wrAYJ+SzMyAHQ:AeXFJYfxmI/Wdo2jAB2kHQ

Malware Config

Extracted

Family

asyncrat

Version

A 14

Botnet

Default

C2

Egypt2.camdvr.org:301

Mutex

MaterxMutex_Egypt2

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
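The extracted configuration above is the most directly actionable part of this report for a defender: a C2 host and port and a mutex name. The Python below is an added example, not part of the sandbox report or of the AsyncRAT project. It parses the report's own alternating label/value layout, normalises the C2 entry, and matches the resulting IOCs against a constructed set of resolver log lines and a constructed list of kernel Mutant names (the kind of list a memory-forensics handles scan produces). The log line format, the sample lines, the client addresses and the function names are all assumptions.

```python
import re

# The "Malware Config" block above, copied in the report's own layout:
# a label line, a blank line, a value line, repeated.
REPORT_CONFIG = """\
Family

asyncrat

Version

A 14

Botnet

Default

C2

Egypt2.camdvr.org:301

Mutex

MaterxMutex_Egypt2
"""


def parse_config(block: str) -> dict[str, str]:
    """Turn the report's flattened label/value layout into a dict.

    Blank lines are separators only, so the non-empty lines alternate
    label, value, label, value, ...
    """
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("config block has a label without a value")
    return dict(zip(lines[0::2], lines[1::2]))


def split_c2(c2: str) -> tuple[str, int]:
    """Split 'host:port' into a normalised host (lower case, no trailing dot) and an int port."""
    host, sep, port = c2.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"unrecognised C2 entry: {c2!r}")
    return host.lower().rstrip("."), int(port)


def scan_dns_log(lines: list[str], c2_host: str) -> list[str]:
    """Return the log lines whose queried name is exactly the C2 host.

    Exact match after normalisation, not a substring match: camdvr.org is a
    dynamic-DNS domain, so a looser match would flag unrelated hosts under it.
    """
    hits = []
    for ln in lines:
        m = re.search(r"query:\s*(\S+)", ln)  # assumed resolver log shape
        if m and m.group(1).lower().rstrip(".") == c2_host:
            hits.append(ln)
    return hits


def scan_mutants(names: list[str], mutex: str) -> list[str]:
    """Return Mutant object names whose final component equals the configured mutex.

    Named kernel objects are case-sensitive, so no case folding here.
    """
    return [n for n in names if n.rsplit("\\", 1)[-1] == mutex]


def triage(cfg_text: str, dns_lines: list[str], mutant_names: list[str]) -> dict:
    """Parse the config, then look for its C2 host and mutex in the supplied evidence."""
    cfg = parse_config(cfg_text)
    host, port = split_c2(cfg["C2"])
    return {
        "family": cfg["Family"],
        "c2": (host, port),
        "dns_hits": scan_dns_log(dns_lines, host),
        "mutex_hits": scan_mutants(mutant_names, cfg["Mutex"]),
    }


# Constructed sample evidence (not from the report): resolver log lines and a
# handles-scan style list of Mutant object names from a memory image.
SAMPLE_DNS = [
    "21-Dec-2024 10:01:02 client 10.0.0.5#51233: query: www.example.com IN A",
    "21-Dec-2024 10:01:09 client 10.0.0.5#51240: query: Egypt2.camdvr.org. IN A",
    "21-Dec-2024 10:01:15 client 10.0.0.7#51301: query: other.camdvr.org IN A",
]
SAMPLE_MUTANTS = [
    r"\Sessions\1\BaseNamedObjects\MaterxMutex_Egypt2",
    r"\BaseNamedObjects\SM0:1234:304:WilStaging_02",
]

if __name__ == "__main__":
    print(triage(REPORT_CONFIG, SAMPLE_DNS, SAMPLE_MUTANTS))
```

The port (301) is deliberately not used as a match key on its own: a bare non-standard port is a weak indicator, whereas the exact hostname and the exact mutex name are specific to this configuration.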

Targets

    • Target

      IObitUnlocker/IObitUnlocker.dll

    • Size

      71KB

    • MD5

      e1a4327af3cd8ca866996f472f0ff93a

    • SHA1

      cfea8426ef8fab4136055401152821a19f908d45

    • SHA256

      5f0bc7d75f32981e0e704c2217ed423c9a355f19515a1603103cc55cf9d3b901

    • SHA512

      745f1ec495869d2fa2722ecadcaa27ec1f005742c69110802e9e1d7600d680d077e9762a400799e38003a4671a2590ecf1c480c2e7586039ebcce6ed36662280

    • SSDEEP

      768:BxKNeWSsRLrVmxJG0Yv3uVKvtbQuIkuU+W2oM/hIYFHxfAKfxKn2DEDSUwQNyuJO:ugr2Lr071OUKFOk12oilFHyKyXMuJwIG

    Score
    3/10
    • Target

      IObitUnlocker/IObitUnlocker.exe

    • Size

      2.3MB

    • MD5

      9303575597168ef11790500b29279f56

    • SHA1

      bfab0ea30c5959fda893b9ddc6a348a4f47f8677

    • SHA256

      0a507a553010c19369f17b649c5ffe6060216480059062ff75241944cf729bd7

    • SHA512

      8e9f7a98c0a0c90643403d4abccd8736d12ba6bef83679ccfd626e52e86ed7db6fe558c6ec48a88cf32967c00d66131f550ac64cc98cd73fd477f165694e68b0

    • SSDEEP

      24576:8S/WgTT/eC4PwRXrAREEkyuCmLMAefac2mhPiT8b2DeXYJAmzQDFQEkXAFxZSD1V:zTT/eC2wpBBseA/FsZDW8nTeCPGXOy4

    Score
    7/10
    • A potential corporate email address has been identified in the URL: Montserratwght@900 (this heuristic hit is very likely a false positive: the string has the shape of a Google Fonts query parameter such as "Montserrat:wght@900", not a mailbox address)

    • Target

      IObitUnlocker/IObitUnlocker.sys

    • Size

      65KB

    • MD5

      47aa03a10ac3a407f8f30f1088edcbc9

    • SHA1

      b5d78a1d3ae93bd343c6d65e64c0945d1d558758

    • SHA256

      c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66

    • SHA512

      3402ca68b00ffd9e2551f97b3895990ee0274f14f117505c3588ea76c716488860ac2da07c1d9275bbc43eb87b88893c52fb04d15f1afe7b7bf7d9a524961101

    • SSDEEP

      1536:h0xAAJD9GvR6+SmcoWtW6RxJUVe9UVKghwR1xn:hyDw6+SmcoW0ixyVeWV8RLn

    Score
    1/10
    • Target

      IObitUnlocker/Loader.vbs

    • Size

      155B

    • MD5

      3781eced7bdb501738a60e3f926ae42a

    • SHA1

      c65ca3f8ee5fd4f6dad689cc43bde301a451ec2c

    • SHA256

      b343abd677e362c3ae1e573bf7c43bf476a8e97e67d7758328a51f30daaf4d95

    • SHA512

      854dc0f2b8d2d4bcb7bb736d2a9c7f70132d069aedffb0e0952fa2d3d57992ae8cda02ea49214f40f4a05b30ac6fea145901fe6c72f257b43c461be138ce6971

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Target

      IObitUnlocker/Report.ps1

    • Size

      457KB

    • MD5

      40e7960be05c7c1f64d7157235171ce6

    • SHA1

      79df02a409ba3721415e3d2755e467c10f9c698e

    • SHA256

      5db5a2e88209a2e2901c8e9e74ad794be31c035a583ec62e73b5e8e22d5df0f0

    • SHA512

      6801ed81e4c87b1328906befb506d598ea3eeaec3a835744b3a681104efca02d92db5228189b9859741a380ec54fdf98048f37d690396cfb9b2a7cabe487e2e9

    • SSDEEP

      768:FpcM++5necrPLkSqmwEepmixWhkPsc14VcKQ:w

    • AsyncRat

      AsyncRAT is an open-source remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
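The signatures listed for Loader.vbs and Report.ps1 (a script host, PowerShell started from it, a dropped EXE executed, a dropped DLL loaded) describe a process chain rather than a single file, and that chain is what an endpoint detection should key on. The Python below is an added example, not tooling from the report or from the AsyncRAT project: it runs a few process-creation rules over constructed Sysmon-style event records (fields ProcessId, ParentProcessId, Image, ParentImage, CommandLine, which are the real Sysmon Event ID 1 field names) and walks the parent chain for any hit. The user name, paths, process IDs and command lines are constructed, and the exact chain wscript.exe to powershell.exe to IObitUnlocker.exe is an assumption about how the listed behaviours fit together, not something the report states.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Locations an unprivileged user can write to; dropped payloads usually run from here.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:appdata|downloads|desktop)\\|\\temp\\", re.IGNORECASE
)


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Names of the rules a single process-creation event matches (empty if none)."""
    parent = basename(event.get("ParentImage", ""))
    image_path = event.get("Image", "")
    image = basename(image_path)
    cmd = event.get("CommandLine", "")
    tags = []
    # A .vbs launched by wscript/cscript out of a user-writable directory (Loader.vbs).
    if image in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        tags.append("script_host_runs_vbs_from_user_writable_dir")
    # "Command and Scripting Interpreter: PowerShell" started by a script host.
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        tags.append("script_host_spawns_powershell")
    if image in POWERSHELL and re.search(r"-(?:ep|executionpolicy)\s+bypass", cmd, re.I):
        tags.append("powershell_execution_policy_bypass")
    # A .ps1 run from a user-writable directory (Report.ps1).
    if image in POWERSHELL and re.search(r"\.ps1\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        tags.append("powershell_runs_script_from_user_writable_dir")
    # "Executes dropped EXE": PowerShell launching a binary from a user-writable directory.
    if parent in POWERSHELL and image.endswith(".exe") and USER_WRITABLE.search(image_path):
        tags.append("powershell_launches_exe_from_user_writable_dir")
    return tags


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map ProcessId -> matched rule names for every event that matched at least one rule."""
    findings = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            findings[ev["ProcessId"]] = tags
    return findings


def chain(events: list[dict], pid: int) -> list[str]:
    """Image names from the oldest known ancestor down to pid, following ParentProcessId."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(names))


# Constructed sample events (not from the report); explorer.exe (pid 1200) has no event of its own.
SAMPLE_EVENTS = [
    {"ProcessId": 3980, "ParentProcessId": 1200,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\IObitUnlocker\Loader.vbs"'},
    {"ProcessId": 4120, "ParentProcessId": 3980,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\alice\Downloads\IObitUnlocker\Report.ps1"'},
    {"ProcessId": 4412, "ParentProcessId": 4120,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\alice\Downloads\IObitUnlocker\IObitUnlocker.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\IObitUnlocker\IObitUnlocker.exe"'},
    {"ProcessId": 812, "ParentProcessId": 640,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for pid, tags in triage(SAMPLE_EVENTS).items():
        print(pid, " > ".join(chain(SAMPLE_EVENTS, pid)), tags)
```

Each rule alone is noisy (administrators do run scripts with -ExecutionPolicy Bypass); the value is in the chain, so an alert should be raised on the combination and the parent walk included in it. "Loads dropped DLL" and "Suspicious use of SetThreadContext" need image-load and thread events rather than process creation and are outside this example.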

MITRE ATT&CK Enterprise v15

Tasks