- #IOC #OptiData #VR #ASyncRAT #RTF #11882 #schtasks
- https://pastebin.com/ZZLkbeiH
- FAQ:
- https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
- https://gitlab.com/thoxy/stealerlib
- https://sslbl.abuse.ch/ssl-certificates/sha1/798d6f8e469e73ceae4dbeda4cf17743e3c65f3a/
- https://seclists.org/snort/2019/q2/283
- attack_vector
- --------------
- email attach .doc (RTF) > EQNEDT32 > GET > AppData\Roaming\SystemLT
- email_headers
- --------------
- Return-Path: <info@limcologistics.com.ua>
- Received: from cirrus.binally.gr (cirrus.binally.gr [95.211.140.98])
- To: undisclosed-recipients:;
- Subject: Запит - червень / липень
- X-PHP-Originating-Script: 0:rcube.php
- Date: Wed, 26 Jun 2019 09:13:39 +0100
- From: info@limcologistics.com.ua
- X-Sender: info@limcologistics.com.ua
- User-Agent: Roundcube Webmail/1.1.9
- files
- --------------
- SHA-256 cd2c2ec4dae718c538af12b8c35ef5771bafcb09187d57531829bbff7732a636
- File name Вложение без имени 005??.doc (таблиці.doc) [Rich Text Format data, version 1]
- File size 42.6 KB (43620 bytes)
- SHA-256 8422021070373be11ea9c932fc8df8472faa0767af027c7c357c81741aeb68d5
- File name payroll[1].exe [PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows]
- File size 204 KB (208896 bytes)
- SHA-256 f6d0bab22f47f76d7db51c3d0472f60f6cecb514e3a16d625e4fa4022548bfb5
- File name SystemLT [PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows]
- File size 530.57 KB (543304 bytes)
- activity
- **************
- (!)
- schtasks.exe /create /sc minute /mo 1 /tn SystemLT /tr C:\Users\operator\AppData\Roaming\SystemLT
- C2 185.247.228.69 kingtexs-tvv[.] com [AsyncRAT Server CA0]
- netwrk
- --------------
- [ssl]
- 104.27.142.252 m.put[.] re Client Hello
- 104.18.48.20 paste[.] ee Client Hello
- comp
- --------------
- EQNEDT32.EXE 2800 TCP localhost 49232 104.27.143.252 443 ESTABLISHED
- SystemLT 1744 TCP localhost 49235 104.18.49.20 443 ESTABLISHED
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- [another context]
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
- C:\Users\operator\AppData\Roaming\404625.exe
- C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn SystemLT /tr C:\Users\operator\AppData\Roaming\SystemLT
- [another context]
- C:\Windows\system32\taskeng.exe taskeng.exe {3C8F9EDA-746D-4EED-B74B-ABF7D5A44361} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
- C:\Users\operator\AppData\Roaming\SystemLT
- persist
- --------------
- Task Scheduler
- \SystemLT Microsoft Corporation 5.8.9428.42177(win7sp1_rtm.101119-1850)
- c:\users\operator\appdata\roaming\systemlt 26.06.2019 6:08
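- The process tree and Task Scheduler entry above show the whole persistence mechanism in one command line: schtasks.exe /create with a one-minute trigger whose action is an extension-less file under AppData\Roaming. As an added example (not part of this paste), the Python check below parses Sysmon-style process-creation command lines and flags exactly those properties. The sample command lines are constructed for the example; the first one reproduces the schtasks command observed here, the others are benign controls.

```python
import re

# Constructed sample of process-creation command lines (Sysmon Event ID 1 style).
# The first line reproduces the schtasks command observed in this case; the rest
# are benign controls so the check has something to ignore.
SAMPLE_CMDLINES = [
    r'C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn SystemLT /tr C:\Users\operator\AppData\Roaming\SystemLT',
    r'schtasks.exe /create /sc daily /st 09:00 /tn "Adobe Updater" /tr "C:\Program Files (x86)\Adobe\update.exe"',
    r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde',
    r'schtasks.exe /query /tn SystemLT',
]

# Directories a non-admin user can write to; a task whose action lives here is a
# common persistence pattern for user-level malware.
USER_WRITABLE = re.compile(r'\\(AppData|Temp|ProgramData|Users\\Public)\\', re.IGNORECASE)

# Split on whitespace but keep double-quoted paths (which may contain spaces) intact.
TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_schtasks(cmdline):
    """Return {'/switch': value} for a schtasks command line, or None if it is not schtasks."""
    tokens = TOKEN.findall(cmdline)
    if not tokens or not tokens[0].strip('"').lower().endswith('schtasks.exe'):
        return None
    args = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok.startswith('/'):
            # A switch takes the next token as its value unless that token is another switch.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith('/'):
                args[tok] = tokens[i + 1].strip('"')
                i += 2
                continue
            args[tok] = ''
        i += 1
    return args


def assess(cmdline, max_minutes=5):
    """Score one schtasks /create command line; returns a finding dict or None."""
    args = parse_schtasks(cmdline)
    if args is None or '/create' not in args:
        return None
    reasons = []
    sc, mo = args.get('/sc', '').lower(), args.get('/mo', '')
    if sc == 'minute' and mo.isdigit() and int(mo) <= max_minutes:
        reasons.append(f'high-frequency trigger: /sc minute /mo {mo}')
    action = args.get('/tr', '')
    if USER_WRITABLE.search(action):
        reasons.append(f'task action in user-writable directory: {action}')
    # The action string may carry arguments, so look for an extension at the end
    # of a token rather than only at the end of the whole string.
    if action and not re.search(r'\.[A-Za-z0-9]{2,4}(\s|$)', action):
        reasons.append('task action has no file extension')
    if not reasons:
        return None
    return {'task': args.get('/tn', ''), 'action': action, 'reasons': reasons}


def scan(cmdlines):
    """Run assess() over a batch of command lines and keep only the suspicious ones."""
    return [f for f in (assess(c) for c in cmdlines) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_CMDLINES):
        print(finding['task'], '->', finding['action'])
        for reason in finding['reasons']:
            print('   ', reason)
```

- Run against the constructed sample, only the SystemLT task is reported, with all three reasons; the daily Adobe task (signed vendor path, normal schedule, real extension) and the non-schtasks lines are ignored. The same three checks map directly onto a SIEM query over Sysmon Event ID 1 or Security event 4698.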
- drop
- --------------
- C:\tmp\Temporary Internet Files\Content.IE5\F5G962KA\payroll[1].exe
- C:\Users\operator\AppData\Roaming\404625.exe
- C:\Users\operator\AppData\Roaming\SystemLT
- # # #
- https://www.virustotal.com/gui/file/cd2c2ec4dae718c538af12b8c35ef5771bafcb09187d57531829bbff7732a636/details
- https://www.virustotal.com/gui/file/8422021070373be11ea9c932fc8df8472faa0767af027c7c357c81741aeb68d5/details
- https://analyze.intezer.com/#/analyses/12569fca-c698-4ead-b472-81c7f2bd2545
- https://www.virustotal.com/gui/file/f6d0bab22f47f76d7db51c3d0472f60f6cecb514e3a16d625e4fa4022548bfb5/details
- https://analyze.intezer.com/#/analyses/f033a0e3-bd36-416e-bca6-1562703b98c8
- VR
- passwd_stealing_capabilities
- --------------
- For now it supports:
- Chrome (Chrome, Chromium, Opera, Vivaldi, Brave, Torch, Comodo, Xpom, Orbitum, Kometa, Amigo and Nichrome) ²
- Firefox ²
- IE10 / Edge
- YARA Rule for C2 communication
- --------------
- # --------------------
- # Title: Win.Trojan.ASync RAT
- # Reference: Research
- # Tests: pcaps
- # Yara:
- # - MALWARE_Win_Trojan_AsyncRAT
- # ClamAV:
- # - MALWARE_Win.Trojan.AsyncRAT
- # Hashes:
- # - 818fa711c47af91faede1311d5a0ef60410899358cce18ce98aa22e412d1626d
- # Note:
- # - AsyncRAT Version: 0.4.9B
- # - ssl_state:server_hello may not work, so it is removed from the Snort rule.
- # - Packed with AutoIt.
- # - Snort signature does not cover non-SSL variants.
- # - Existing Yara/ClamAV signature hits:
- # 1. INDICATOR_Binary_References_Sandbox_Hooking_DLL
- # 2. INDICATOR_Binary_References_Many_Builtin_Windows_Executables
- # 3. INDICATOR_Binary_References_Disabling_Windows_Defender_PWSH_Aritfacts
- alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Async RAT variant SSL certificate exchange"; flow:to_client,established; content:"|55 04 03 0C 12|AsyncRAT Server CA"; fast_pattern:only; metadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000660; rev:1;)
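- The content bytes in the rule above are not an arbitrary string: 55 04 03 is the body of the DER-encoded OID 2.5.4.3 (id-at-commonName), 0C is the UTF8String tag and 12 is its length (18 bytes), which is exactly the length of "AsyncRAT Server CA", the default CA name the observed server certificate carried (matching the SSLBL entry linked above). As an added example (written for this page, not taken from the paste, the Snort list or the AsyncRAT project), the Python below DER-encodes an X.509 Name with a given CN and tests it against those bytes, and also pulls the CN back out of a blob so you can see why the length byte pins the match to that one name.

```python
# Constructed example: encode an X.509 Name (the subject/issuer structure inside a
# certificate) with a single CN attribute and compare it with the Snort content bytes.

OID_COMMON_NAME = bytes.fromhex('550403')   # DER body of OID 2.5.4.3 (id-at-commonName)
TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_UTF8 = 0x30, 0x31, 0x06, 0x0C
TAG_PRINTABLE = 0x13

# The literal the Snort rule matches on: OID body, UTF8String tag, length 0x12 = 18, CN text.
SNORT_CONTENT = bytes.fromhex('5504030C12') + b'AsyncRAT Server CA'


def der_len(n):
    """DER length encoding: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_cn_name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue { OID, UTF8String }."""
    attr = der_tlv(TAG_SEQUENCE,
                   der_tlv(TAG_OID, OID_COMMON_NAME) + der_tlv(TAG_UTF8, cn.encode('utf-8')))
    return der_tlv(TAG_SEQUENCE, der_tlv(TAG_SET, attr))


def snort_content_hit(blob):
    """True if the rule's content bytes occur anywhere in blob (Snort's content: match)."""
    return SNORT_CONTENT in blob


def extract_common_names(blob):
    """Return every CN found after a commonName OID (short-form lengths only)."""
    names, i = [], 0
    while True:
        i = blob.find(OID_COMMON_NAME, i)
        if i < 0:
            return names
        j = i + len(OID_COMMON_NAME)
        if j + 2 <= len(blob) and blob[j] in (TAG_UTF8, TAG_PRINTABLE) and blob[j + 1] < 0x80:
            n = blob[j + 1]
            names.append(blob[j + 2:j + 2 + n].decode('utf-8', 'replace'))
        i = j


if __name__ == '__main__':
    for cn in ('AsyncRAT Server CA', 'Example CA'):
        name = encode_cn_name(cn)
        print(f'{cn!r}: {name.hex()} -> rule hit: {snort_content_hit(name)}')
```

- Only the default CN produces a hit; any other CN changes the 0x12 length byte and the text, so the rule is a fingerprint of that builder default rather than of the protocol. That is the usual trade-off for a certificate-string signature: cheap and precise, but the seclists note already warns it does not cover non-SSL variants, and it equally misses a build with a renamed CA. Pairing it with the SSLBL certificate SHA-1 and the scheduled-task behaviour above gives coverage that does not depend on a single string.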
- @