AsynRAT Trojan - Bill Payment (Pago de la factura)

Published: 2023-03-12. Last Updated: 2023-03-12 18:43:43 UTC
by Guy Bruneau (Version: 1)
2 comment(s)

This week the mail server quarantined this file FautraPago392023.gz. I did find it a bit strange after I extracted (gunzip) the file, there was no .exe extension associated with this file. The source and destination addresses are both blank without an actual email address.

After submitting the file to a sandbox, the following indicators were extracted:

  • The file dxkfngk.exe queries a list of running processes. 
  • This domain www.dnuocc[.]com & dnuocc[.]com is configured to access port: 1452,1432.
  • It uses Uses schtasks to add and modify task schedules with the following configuration:

C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "crssr" /tr '"C:\Users\user\AppData\Roaming\crssr.exe"'

Indicators Domains

www.dnuocc[.]com
dnuocc[.]com

Indicator IP

185.254.37.238

Indicators Files - SHA256

9d33cebf6b0dec41d47cad3163026d70b399113073615b8fbf25e5af4da48b4f FautraPago392023
89d7a9c65b8c702a2a1705363fede2fbdaa0d651f5fa24174a3628c5e3d982c6  FautraPago392023.gz
5C65E1361A5A58D5DD4C2EB8FBF599DBC817FAF9478F5560DE7D93E845F94B91 dxkfngk.exe
55184850A0812882FA185EEA292EE74E55E9F9BED01BA9DF7FED9257046FF7E1 dxkfngk.sfx.exe
5C65E1361A5A58D5DD4C2EB8FBF599DBC817FAF9478F5560DE7D93E845F94B91 crssr.exe

[1] https://otx.alienvault.com/indicator/ip/185.254.37.238
[2] https://www.virustotal.com/gui/file/9d33cebf6b0dec41d47cad3163026d70b399113073615b8fbf25e5af4da48b4f
[3] https://www.virustotal.com/gui/file/55184850A0812882FA185EEA292EE74E55E9F9BED01BA9DF7FED9257046FF7E1
[4] https://www.virustotal.com/gui/file/55184850A0812882FA185EEA292EE74E55E9F9BED01BA9DF7FED9257046FF7E1
[5] https://www.virustotal.com/gui/file/5c65e1361a5a58d5dd4c2eb8fbf599dbc817faf9478f5560de7d93e845f94b91
[6] https://www.shodan.io/host/185.254.37.238
[7] https://cybergordon.com/result.html?id=09b5de5f-f625-496e-83ae-57a8002c0961

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

2 comment(s)

Comments

For some reason, IP adresses associated with Des Capital B.V. keep appearing in my web honeypot logs. (These have already been shared with the ISC honeypot API.)
Possible sigma for this activity (not tested; consider v1; validated on uncoder.io)
---BEGIN---
title: Persistence and Execution of AsynRAT via Scheduled Task
id: 88a0b240-4960-41be-89d6-239d5b67f326
status: experimental
description: AsynRAT Trojan - Bill Payment (Pago de la factura)
author: Matthew Kress-Weitenhagen, Guy Bruneau
date: 2023-03-12
references:
- https://isc.sans.edu/forums/diary/AsynRAT+Trojan+Bill+Payment+Pago+de+la+factura/29626/
- https://car.mitre.org/analytics/CAR-2013-01-002/
- https://attack.mitre.org/techniques/T1053/005/
tags:
- attack.persistence
- attack.t1053.005
- car.2013-01-002
logsource:
product: windows
service: security
category: process_creation
description: 'A scheduled task was created AND Process Creation for crssr.exe'
detection: # Full command: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "crssr" /tr '"C:\Users\user\AppData\Roaming\crssr.exe"'
selection1:
EventID: 4698
NewProcessName|endswith: \crssr.exe
CommandLine|contains: create
selection2:
EventID: 4688
NewProcessName|endswith: \schtasks.exe
CommandLine|contains: create
filter:
CommandLine|contains|all: # See schedule persistent rule with SYSTEM privileges
- sc
- rl
- tn
- crssr
- onlogon
condition: selection1 and selection2
falsepositives:
- Check for legitimate schtask creation.
level: medium
---END---

Diary Archives