Resubmissions

22/04/2025, 03:30

250422-d2y99swpt7 10

22/04/2025, 03:30

250422-d2k3msswdz 3

General

  • Target

    HWID-Full-Hwid-Spoofer-V6-main.zip

  • Size

    1.1MB

  • Sample

    250422-d2y99swpt7

  • MD5

    950c8dfd0026c47d1848693bb8b2e95a

  • SHA1

    bbb28ea46f17485428ca7b06bf658d0dbb394af0

  • SHA256

    68a69f16a889ad43022b8fcc385208ebef112a021ff40be2b715b5bd41d47b98

  • SHA512

    c5aabc692b36db3e2319e11ec2687e57d0cd61a0bc4e5ca87483684614b3bf61176ec8740a0f3faa8c827d134d0193eea36ef891db8a69e8882cba1ba507247a

  • SSDEEP

    24576:9Edyg/L/xme9GelcXme/JPKhKoPEJqScLuOg/D3I:9CykYe9tCmQPQZKoLuf/D3I

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

217.64.31.3:8808

217.64.31.3:8437

Mutex

Windows System Guard Runtime

Attributes
  • delay

    3

  • install

    false

  • install_file

    Windows Session Manager

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      HWID-Full-Hwid-Spoofer-V6-main/Spoofer V2/HwidSpoofer rcs/Hwid Spoofe‮nls..scr

    • Size

      799KB

    • MD5

      98d7999986d63fbd914bddc3d7b7ecf9

    • SHA1

      7c528fb3cc427791482f7a84923a21621cfb9675

    • SHA256

      144a026bb63a29b36a3437094c4f53cf1cb135edcbe15ab06e35fb8759129bfc

    • SHA512

      13bb42bf2078b3407af5786e9c1d057a306cba561519f905e4ba3fa1acaf8687551c70941775daa89394384808b6524659cda354a715e5ab3c3cba558c065616

    • SSDEEP

      12288:v41SrH22qla5w/yXbxixFcRMFQIkeNCSo9mbX8:v0SrH0MW/IbxiYCQIkeNCSBQ

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect PureCrypter injector

    • Modifies WinLogon for persistence

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • Purecrypter family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Suspicious use of SetThreadContext

    • Target

      HWID-Full-Hwid-Spoofer-V6-main/Spoofer V2/HwidSpoofer rcs/imgui/imgui_widgets.cpp

    • Size

      400KB

    • MD5

      45a544786c02b499b7156044d1671905

    • SHA1

      ecdd2ccefeab70ffa1dd2a7a15fc0ccd6719b7d6

    • SHA256

      ad445f6d25dc2ae970526b82c8a76c493fb5108a0b087b718c67fddc3dd7f29e

    • SHA512

      d6a1898366d99a445dbddaf21eda40b0552ad22f6f496813f1b9ceb2d3d584b38a4bfe88ae8838e569d1a8547f2dc220721169ccd9a31dfb70f0bcded21b2d0b

    • SSDEEP

      6144:74so43lXq5XlM1IDaqsaMM2MQ/VauXV0fZH:74so43lXq5XlCMMM2MQtauX6fZ

    Score
    1/10

MITRE ATT&CK Enterprise v16

Tasks