asyncrat

General

Target

3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
Size

2.0MB
Sample

201004-zk73d4dxke
MD5

3f1a2ab1e63458d3c75ded4c3f4d47c5
SHA1

10d187b94b082e33513030ac825de250eec0dd5a
SHA256

61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
SHA512

1fcc78d47e7527c50ad83c5dee4310dea72f9f5f95c759b59f921adc4cf113fcce8aab69642dfbb6013f5e9d1b5996a36ba8fc5f866f22ed34f4305e3d512c45

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

raccoon

Botnet

72a49aa9fe2bba34809c9123d222cef121eb3d38

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

C2

malarcvgs.ac.ug

Extracted

Family

asyncrat

Version

0.5.7B

C2

masonp.ac.ug:6970

marcapalgo.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
8mYi28y4mrIIgAY4z5LziR6M66VfapOc
anti_detection
false
autorun
false
bdos
false
delay
Default
host
masonp.ac.ug,marcapalgo.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Targets

- Target
  
  3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
- Size
  
  2.0MB
- MD5
  
  3f1a2ab1e63458d3c75ded4c3f4d47c5
- SHA1
  
  10d187b94b082e33513030ac825de250eec0dd5a
- SHA256
  
  61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
- SHA512
  
  1fcc78d47e7527c50ad83c5dee4310dea72f9f5f95c759b59f921adc4cf113fcce8aab69642dfbb6013f5e9d1b5996a36ba8fc5f866f22ed34f4305e3d512c45
Score

10^/10

asyncrat azorult modiloader oski raccoon 72a49aa9fe2bba34809c9123d222cef121eb3d38 discovery evasion infostealer persistence rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- Async RAT payload
  rat
- ModiLoader Second Stage
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2