General

  • Target

    2505_AIMr.exe_obf.zip

  • Size

    7.8MB

  • Sample

    241223-wsg9hawrhs

  • MD5

    eb2284f1d4b0c80a4af120bf08805d9d

  • SHA1

    5e396d73217368604e9c4fbb26885be3a0fc2516

  • SHA256

    2f8c83e9e893db21cc705847f9716706c34f714de4a28006d3fc83c3b8e5a56c

  • SHA512

    96edbb42f8aa95871d61e1fde718caf0f90da4e201afa7cce88d658979c193ac85c7fa92b9d3b218874f67262a7ea757b27f1c013ff3418b97fa01ceef67844d

  • SSDEEP

    196608:1wpzUSmk48xc1N+lyafUoE/ML7YfVoNcYkR100cr5m:10WX1AevU3cAbkReU

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    0.5.8

  • Botnet

    Default

  • C2

    jt8iyre.localto.net:2101

    jt8iyre.localto.net:55644

  • Mutex

    AbAUwI3PK3e3

Attributes
  • delay

    3

  • install

    false

  • install_file

    winserve.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      4971_output.exe

    • Size

      10.9MB

    • MD5

      3081ad9d2fb1f02a8cddd261ed95c27a

    • SHA1

      06d417baa8a51b0ce5abda41585ec5bd1387df01

    • SHA256

      78c7160b3deab315fa79208f9f144f59cb25001cac18354b11050393c8bf9675

    • SHA512

      60baba1096d8efd05ec911e737ee5ede8e844266c23eb12a00bd1ce003ae53539dcf1378990790150f0a14a92fe32be17d3772659d0acaede2593c5572b7a23b

    • SSDEEP

      49152:HcrQofT6qeSsPJhDx8IhdyFNOPHf0fR0K049XwIVhaT6hAp1uMmRgDidZL4mb8F2:8rIqeSsP

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks