Overview

overview

10

Static

static

3

1.rar

windows10-2004-x64

10

0oj3.exe

windows10-2004-x64

10

Config.ini

windows10-2004-x64

1

interception.dll

windows10-2004-x64

1

libcrypto-3-x64.dll

windows10-2004-x64

1

onnxruntime.dll

windows10-2004-x64

1

opencv_world490.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1.rar

  • Size

    52.2MB

  • Sample

    241229-z25myaxmhl

  • MD5

    59f794fea5bfd53feb55c754cf2b1a52

  • SHA1

    2878304c317d05daff6f30de640ab64742b2dd77

  • SHA256

    0c4b7a3670f4ef5f7ba2d7e820cb3df837a72c08a4d039768b50617c06983308

  • SHA512

    2b48c5160a7d2ec0c67c1ed119e666a8a509f64b43f94835a77041e58d025dfcc0df7a969d2cf83c9a1453fd9e5f0f4fadaf7975c4e1255b89f866fac785fc6b

  • SSDEEP

    786432:SRbg1VYxvtPUpHOL7Of0Ub+yoAoxGfMvJLniIroQtC311gqkYdGYD0AWWQQHp22C:SBTdL6f0UbnoA+LzZgqxQHQQs2pemJC

Score
10/10
asyncratservicecredential_accessdefense_evasiondiscoveryexecutionpersistenceratstealer

Malware Config

Extracted

Family

asyncrat

Version

0.6.1

Botnet

service

C2

193.57.137.78:5555

Mutex

Q8ghiNEV5vpA

Attributes
  • delay

    3

  • install

    true

  • install_file

    cmd.exe

  • install_folder

    %Temp%

aes.plain

Targets

    • Target

      1.rar

    • Size

      52.2MB

    • MD5

      59f794fea5bfd53feb55c754cf2b1a52

    • SHA1

      2878304c317d05daff6f30de640ab64742b2dd77

    • SHA256

      0c4b7a3670f4ef5f7ba2d7e820cb3df837a72c08a4d039768b50617c06983308

    • SHA512

      2b48c5160a7d2ec0c67c1ed119e666a8a509f64b43f94835a77041e58d025dfcc0df7a969d2cf83c9a1453fd9e5f0f4fadaf7975c4e1255b89f866fac785fc6b

    • SSDEEP

      786432:SRbg1VYxvtPUpHOL7Of0Ub+yoAoxGfMvJLniIroQtC311gqkYdGYD0AWWQQHp22C:SBTdL6f0UbnoA+LzZgqxQHQQs2pemJC

    Score
    10/10
    asyncratservicecredential_accessdefense_evasiondiscoveryexecutionpersistenceratstealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Creates new service(s)

      persistenceexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

      defense_evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

    • Target

      0oj3.exe

    • Size

      37.0MB

    • MD5

      d57050cc8f1d71bb068a181301146855

    • SHA1

      564deb2344ea43dd519ee0000642cb0ced55da83

    • SHA256

      08058004805b7054e6dd6c55e1aebfa356cddd46167aae7de4322d4c3ae79db1

    • SHA512

      43af8130465347d06e23838bc652a94b8d06518d81c40f32f87d78d87a485ae23b13d7585f3e05f0231b9f6f59e383b98617b268519d1c6742b7309c1da494e4

    • SSDEEP

      786432:b/gO+cE2+qOnY9ZBLcf5jJGlbarkt0PAmyrL+rXrO37:bEcEGbLwjubcktYbO37

    Score
    10/10
    asyncratservicedefense_evasionexecutionpersistencerat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Creates new service(s)

      persistenceexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

      defense_evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral2

    • Target

      Config.ini

    • Size

      2KB

    • MD5

      33091622dd3fc6b4392accc1486cd153

    • SHA1

      b454550bff6bd68cc7eee60b53524f100298dc35

    • SHA256

      9fa4f6cb0398d1ee1fd73b6d67a54f0aa8befd33cc0d211285b63061e0d89a51

    • SHA512

      3a4ee283f6ad4366aceea4082f5e82770f7bbbe81662080f6df34fdf729ed15eaff32167ae55c6b279980e5e4ac022608b9c093fbb05546d230c76b8ac1cc80a

    Score
    1/10
    behavioral3

    • Target

      interception.dll

    • Size

      11KB

    • MD5

      fe8b2a022297aa36a3546391221f635a

    • SHA1

      346e04907eb628372f459fbbf109b6cff57cac13

    • SHA256

      ab88164c11b1b48488772d4c3bfaa4509d5b0ae9dbc5a691dc4f96f0260443c8

    • SHA512

      fa203db607cb1154f7ac84e64b236b19ff29abab1b443609648ee3fafa53581c22420edd1f5ed2c522ab7f3c2577c73822eafbf143a8c80914a3061193b10a1c

    • SSDEEP

      192:wBKz1mGyRWIddjlkuSCqPDKSyFVzhveZhAk3M+j4sreC:EKsGyRhdtlkuSCLS8VcZhP344

    Score
    1/10
    behavioral4

    • Target

      libcrypto-3-x64.dll

    • Size

      4.5MB

    • MD5

      dc0b5510731cbf1cb12859b137efedfe

    • SHA1

      4925f0c77fd32cf2f8eab916d00872d0bc9324e2

    • SHA256

      fd92dbc1a720ef43d53a6c3536ab05ccc78b5efe768cc3624d4f7b3cf0d02132

    • SHA512

      1adc1e36445d1125703675b7a47beaef05992a2ef5051a6513973f16dee374bf72085ffb26d502295d1c69283a56578d8bb59b432f9087102c5bb5e93a49ddb4

    • SSDEEP

      98304:wl+kK7ppVSns2jW/aJPr4v1CPwDvt3uFGCC:ME7Xgns2jW/aJT4v1CPwDvt3uFGCC

    Score
    1/10
    behavioral5

    • Target

      onnxruntime.dll

    • Size

      11.0MB

    • MD5

      8c218c52a99f6c536438242dc99a8006

    • SHA1

      d31dc3ad0a9578975b4b0ed895d27d65d9768cc0

    • SHA256

      52f8ebe8f08f369a44fed6d1cb680c7c89169795e1c2949ee25b88b538ef0948

    • SHA512

      5163d8d81989fd45506d540ccdba990bf4e613dc6438841cb812d7c92069aa643aff509903595dd9fdf542cb580b8937bb6fa016e9f2d463958d37fbd5b7092e

    • SSDEEP

      49152:zmHgraNrq7OUb4XWiWfYS6r64dAyb8sXLwqLgD5W/2llE8ieFEryMYg8xgpLeqik:URswL7YW2j6nMUhxtpbL3Of2RLHWLZE

    Score
    1/10
    behavioral6

    • Target

      opencv_world490.dll

    • Size

      62.0MB

    • MD5

      45aa348d9487722dec3b6e6fcc3a7d96

    • SHA1

      6a1f66b321566c723fc956c0efb3cafa61bcffe8

    • SHA256

      3fd426744146afe5c714912068bd3d0fba2c7f66d2d44c34c750bd10c55d5795

    • SHA512

      af301f10918cc12cb50694332ccdeaa8c343ce69fb813f973f575d6c50dde90ab69ad1e211d22d5868d0532b1adf4859c56966bb4aee300110080a364100c84c

    • SSDEEP

      393216:pQ1Q1QUmWUcVTeSv6hz07JrwANw/MteylqZQPhU+Ux6o+LBnzMwLiAU0nUNDPrK:pPhJr9rUQznpnUF+

    Score
    1/10
    behavioral7

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Indicator Removal

1
T1070

Clear Windows Event Logs

1
T1070.001

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Windows Credential Manager

1
T1555.004

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

System Information Discovery

6
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks