AsynRAT Trojan - Bill Payment (Pago de la factura)
This week the mail server quarantined this file FautraPago392023.gz. I did find it a bit strange after I extracted (gunzip) the file, there was no .exe extension associated with this file. The source and destination addresses are both blank without an actual email address.
After submitting the file to a sandbox, the following indicators were extracted:
- The file dxkfngk.exe queries a list of running processes.
- This domain www.dnuocc[.]com & dnuocc[.]com is configured to access port: 1452,1432.
- It uses Uses schtasks to add and modify task schedules with the following configuration:
C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "crssr" /tr '"C:\Users\user\AppData\Roaming\crssr.exe"'
Indicators Domains
www.dnuocc[.]com
dnuocc[.]com
Indicator IP
185.254.37.238
Indicators Files - SHA256
9d33cebf6b0dec41d47cad3163026d70b399113073615b8fbf25e5af4da48b4f FautraPago392023
89d7a9c65b8c702a2a1705363fede2fbdaa0d651f5fa24174a3628c5e3d982c6 FautraPago392023.gz
5C65E1361A5A58D5DD4C2EB8FBF599DBC817FAF9478F5560DE7D93E845F94B91 dxkfngk.exe
55184850A0812882FA185EEA292EE74E55E9F9BED01BA9DF7FED9257046FF7E1 dxkfngk.sfx.exe
5C65E1361A5A58D5DD4C2EB8FBF599DBC817FAF9478F5560DE7D93E845F94B91 crssr.exe
[1] https://otx.alienvault.com/indicator/ip/185.254.37.238
[2] https://www.virustotal.com/gui/file/9d33cebf6b0dec41d47cad3163026d70b399113073615b8fbf25e5af4da48b4f
[3] https://www.virustotal.com/gui/file/55184850A0812882FA185EEA292EE74E55E9F9BED01BA9DF7FED9257046FF7E1
[4] https://www.virustotal.com/gui/file/55184850A0812882FA185EEA292EE74E55E9F9BED01BA9DF7FED9257046FF7E1
[5] https://www.virustotal.com/gui/file/5c65e1361a5a58d5dd4c2eb8fbf599dbc817faf9478f5560de7d93e845f94b91
[6] https://www.shodan.io/host/185.254.37.238
[7] https://cybergordon.com/result.html?id=09b5de5f-f625-496e-83ae-57a8002c0961
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
Comments