Backdoor.MSIL.ASYNCRAT.THABFBB

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It gathers certain information on the affected computer.

It terminates itself if it detects it is being run in a virtual environment.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following mutexes to ensure that only one of its copies runs at any one time:

• SvchosMutex_qwqdanchun

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Ping test
• Execute sent plugin

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.press:8849
• {BLOCKED}.{BLOCKED}.247.108:8849

Information Theft

This Backdoor gathers the following information on the affected computer:

• Packet = ClientInfo
• HWID = HWID generated from processor count, username, computer name, OS version, and total size of the system directory
• User = System Username
• OS = OS information
• Camera = Camera devices available
• Path = Malware installed path
• Version = {encrypted value}
• Admin = Has admin role
• Perfor_mance = {Window Title}
• Paste_bin = {encrypted value}
• Anti_virus = Installed AV products
• Install_ed = Time installed
• Po_ng = {null}
• Group = {encrypted value}

Other Details

This Backdoor terminates itself if it detects it is being run in a virtual environment.

It does the following:

• Upon execution it decrypts strings for its configuration:
• Key → {encrypted value}
• New Key → false
• Port → 8849
• Host → {Host to connect}
• Version → 1.0.7
• Install → false
• MTX → SvchosMutex_qwqdanchun
• Paste_bin → null
• An_ti → true
• Anti_Process → false
• BS_OD → true
• Group → Default
• HWID → {encrypted value}
• Server_signa_ture → {encrypted value}
• Certifi_cate → {encrypted value}
• VerifyHash → true
• It checks whether the System is a Windows Client or a Windows Server.
• It checks whether the System is running on x86 or x64 Windows platform.
• It retrieves information about the cache memory.
• Depending on its configuration, it is capable on executing the following functions:
• Terminating the following processes:
• Taskmgr.exe
• ProcessHacker.exe
• procexp.exe
• MSASCui.exe
• MsMpEng.exe
• MpUXSrv.exe
• MpCmdRun.exe
• NisSrv.exe
• ConfigSecurityPolicy.exe
• MSConfig.exe
• Regedit.exe
• UserAccountControlSettings.exe
• taskkill.exe
• Establish persistence with the following conditions:
• If has an admin privilege, it will create a scheduled task to execute the malware on every user log on.
• If has normal user privilege, it adds itself on start up processes by modifying system registry.
• It creates a .bat file to execute itself as a process then deletes itself after execution.