General

  • Target

    ORDER_253890-5645FD.PDF.001

  • Size

    97KB

  • Sample

    250328-l97wdawpz2

  • MD5

    fd8b56b3605ed617f5d98e77ee381719

  • SHA1

    ad519ff9506ff06dc04bd28d5f22d5f5c0721d44

  • SHA256

    9ea5c3c4853cb66cb692d2f1bd8d6405ca469487e69a6bac3a83a0c1ef64d784

  • SHA512

    eafaf8936d9fc8dc84ef8d7add5675861c9360ee252ea51078f1e1ea39d84563098d2d5ad2a2e4b6f967a67f61ef21716de909afdc1e49ff3f9ea481db32f57a

  • SSDEEP

    1536:+nd8Mu0gM8lx8GkWSWgNN9DXhCIPFKbM7sYyZu8ZdLhCW4rVSJmhvUHnBRBRkM2k:um0SxXkW0HDXhFPob8KDZiTuHnAMkWv

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

March-25-5

C2

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

  • aes.plain

    LNZNNUbAxoAzKqKdnwpw7TfW4xO5MEYf

Extracted

Family

wshrat

C2

http://chongmei33.myddns.rocks:7044

Targets

    • Target

      ORDER_253890-5645FD.PDF.001

    • Size

      97KB

    • MD5

      fd8b56b3605ed617f5d98e77ee381719

    • SHA1

      ad519ff9506ff06dc04bd28d5f22d5f5c0721d44

    • SHA256

      9ea5c3c4853cb66cb692d2f1bd8d6405ca469487e69a6bac3a83a0c1ef64d784

    • SHA512

      eafaf8936d9fc8dc84ef8d7add5675861c9360ee252ea51078f1e1ea39d84563098d2d5ad2a2e4b6f967a67f61ef21716de909afdc1e49ff3f9ea481db32f57a

    • SSDEEP

      1536:+nd8Mu0gM8lx8GkWSWgNN9DXhCIPFKbM7sYyZu8ZdLhCW4rVSJmhvUHnBRBRkM2k:um0SxXkW0HDXhFPob8KDZiTuHnAMkWv

    • Score

      1/10

    • Target

      ORDER_253890-5645FD.PDF.js

    • Size

      535KB

    • MD5

      930368ea6f7cd3ed52e3c11ce5a8b84b

    • SHA1

      14205534d961366b4b5650a0bd751366d40e812d

    • SHA256

      890ff9e6467fd6f448189cc6cf0e0f048d116b8fd289cacc6460215702b7b45e

    • SHA512

      5bc116514e447a9edb47c85aa70a2f900241e3920bd8bacf374c78ee6caaa46c4525b7077ca44a69790b21189d48ae74efdd7993db1d728d09c419706c7db629

    • SSDEEP

      3072:vMRy93zMk/wFRTiNy49mDvVHq07vg6fwTuP1c3TS:o82T8UJ7vg6fS0Se

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Wshrat family

    • Async RAT payload

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks
