General
-
Target
9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236
-
Size
1018KB
-
Sample
250421-x2xwzssxbt
-
MD5
eceb6e1e8aa84e6501589dc1d3deb419
-
SHA1
467a412530d7af26b01ec278d7d325e4b6dd047a
-
SHA256
9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236
-
SHA512
be256564941a092d73b6931dfa0a238b17d68c69e1742b98844e43fa3010db83bf9d52922912e127cd9b6cd1bbf9ecd39c4a36c2da676ca060bf21ffef8b27bf
-
SSDEEP
24576:pji1+TKiRzC0NqgGApfkxIpePcvkTR8cvkTAU:pu1+miRnQjALpe0vkTNvkTN
Malware Config
Extracted
asyncrat
0.5.8
Default
jvjv2044duck33.duckdns.org:8808
0fC8zJGwBBNm
-
delay
3
-
install
true
-
install_file
csrss.exe
-
install_folder
%AppData%
Extracted
darkcomet
Guest16
jvjv2044duck33.duckdns.org:1604
DC_MUTEX-CK7UE3N
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
Jp74nsvbhc4i
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236
-
Size
1018KB
-
MD5
eceb6e1e8aa84e6501589dc1d3deb419
-
SHA1
467a412530d7af26b01ec278d7d325e4b6dd047a
-
SHA256
9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236
-
SHA512
be256564941a092d73b6931dfa0a238b17d68c69e1742b98844e43fa3010db83bf9d52922912e127cd9b6cd1bbf9ecd39c4a36c2da676ca060bf21ffef8b27bf
-
SSDEEP
24576:pji1+TKiRzC0NqgGApfkxIpePcvkTR8cvkTAU:pu1+miRnQjALpe0vkTNvkTN
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Async RAT payload
-
Disables Task Manager via registry modification
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
2JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
4