asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

MarioBitcoinMiner2020.rar
Size

5.1MB
Sample

201025-rnxsaqy43x
MD5

6b2a1bff9b9e4d2f622bb51c18771af5
SHA1

0b1db7375646ca7ddf710783e700041966b8337e
SHA256

c4638069ee4cc84cbeda570f32a5742ddf8a07830ed82f078d7f77d0369774ef
SHA512

a92598a0d2229827b099ad56273eac6f3991b6cfcad31c9b33b76c63e0fb550596273cb66b7c23e73cdfeb17d9da2c5db4d28192d97b6b47fe40a7dc22df76c4

Score

10^/10

Malware Config

Extracted

Family

darkcomet

Botnet

2020NOV8888

sandyclark255.hopto.org:35887

Mutex

DC_MUTEX-6M7YHXC

Attributes

InstallPath
wrars.exe
gencode
mei2LxbtvV5v
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
rars

Extracted

Family

warzonerat

sandyclark255.hopto.org:5200

Extracted

Family

darkcomet

Botnet

2020NOV5

sandyclark255.hopto.org:1605

Mutex

DC_MUTEX-XRQ89VC

Attributes

InstallPath
skypew.exe
gencode
pZP6alYpcpSq
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
skype

Extracted

Family

asyncrat

Version

0.5.6A

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707

Mutex

adweqsds5

Attributes

aes_key
kv5uVyBGd24QqEsgPMVYkssYB7jsYam1
anti_detection
true
autorun
true
bdos
false
delay
host
sandyclark255.hopto.org
hwid
install_file
install_folder
%AppData%
mutex
adweqsds5
pastebin_config
null
port
6606,8808,7707
version
0.5.6A

aes.plain

Targets

- Target
  
  MarioBitcoinMiner2020/MarioBitcoinMiner2020.exe
- Size
  
  4.3MB
- MD5
  
  425924ba1c244829a631020748ebfb50
- SHA1
  
  b6089173b70c3e5d7ce5b26c5bde1d2f983acb36
- SHA256
  
  6fce68c371a0f9bcc3cc54b9756eea5a30213928e5989229dbf299c9b9ff02b9
- SHA512
  
  23eacb07ab48a32dd9ea4c41150e354b58073f71f3f3788dd6e9194e71f54c4d7eabe4e52b463f3374ddcfead0a1db0dc03b89d4ca49eb3b087b8d5a4c1b670b
Score

10^/10

asyncrat darkcomet warzonerat 2020nov5 2020nov8888 evasion infostealer macro persistence rat trojan xlm
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Async RAT payload
  rat
- Warzone RAT Payload
  rat
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  MarioBitcoinMiner2020/System.Windows.Interactivity.dll
- Size
  
  39KB
- MD5
  
  3ab57a33a6e3a1476695d5a6e856c06a
- SHA1
  
  dabb4ecffd0c422a8eebff5d4ec8116a6e90d7e7
- SHA256
  
  4aace8c8a330ae8429cd8cc1b6804076d3a9ffd633470f91fd36bdd25bb57876
- SHA512
  
  58dbfcf9199d72d370e2d98b8ef2713d74207a597c9494b0ecf5e4c7bf7cf60c5e85f4a92b2a1896dff63d9d5107f0d81d7dddbc7203e9e559ab7219eca0df92
Score

1^/10
behavioral3 behavioral4
- Target
  
  MarioBitcoinMiner2020/libeay.dll
- Size
  
  1.8MB
- MD5
  
  98c2d3a72fb15638849e646ecb9ff583
- SHA1
  
  744e60499a32f507fec387f6deb86608f3cdab97
- SHA256
  
  9e164225cc99fc71a09b927b2983edbdda19efc5ba948ae5f8c5e0c427d20e44
- SHA512
  
  7247e2a99861010ce51c0aec9e3a5ca57c6751a55fa7967fde2489ae0682ece32579b5232f34c26db5f356669bff014d835c85f3afcdd2924231406c9c54b518
Score

1^/10
behavioral5 behavioral6
- Target
  
  MarioBitcoinMiner2020/liblzo2-2.dll
- Size
  
  181KB
- MD5
  
  d63dcb429a3365205b009a687aba4fe5
- SHA1
  
  858dd7731037ba106aa731363ed36f99b78c7f7d
- SHA256
  
  f721b6efb7c1727c20cac1e43451fb4dbde67ed81da200135850761a22fe6d0d
- SHA512
  
  f49c0a1b1c1fddc08834098032902ab0a4e77b6cecd1e86ad8924b4d535e22a460b92473322d3a8ce0358ca4d91c60b988f1a465890b81f5da21654719079ca3
Score

3^/10
behavioral7 behavioral8
- Target
  
  MarioBitcoinMiner2020/libpkcs11-helper-1.dll
- Size
  
  119KB
- MD5
  
  1a430ef387b9e1c1a53aad647c13e51b
- SHA1
  
  8f9d165a08e7b46c77da6bae6c976d4c04d9d1b8
- SHA256
  
  8af73a19ed12a18abfc31c1995dc7366c3726b3145e80463d0e6d955519ebdb1
- SHA512
  
  93630c5141e3a3a2025b5bb303b0f738c9c0aea2ca220731f117c9ec3d9f7baa3441001e5ca1935a6fa582e7758e0d5608d9b510c634e30fd745c8313d45e276
Score

1^/10
behavioral9 behavioral10
- Target
  
  MarioBitcoinMiner2020/ssleay.dll
- Size
  
  408KB
- MD5
  
  1491f3f0173d4741b95591042d7ba3f5
- SHA1
  
  180005e04b7013a1e47756900948032a307faa9d
- SHA256
  
  494e75cb300af06b4eb6465c437441838d78ceae1b411f70bdd22387649db20a
- SHA512
  
  1424a6cec3c2a3dac8f107b1545bb449d6f87d6f85900d89b4491d98af177277c10e518dd3b55b0aa21a056d7fb550f0d0c5d5ff87086bc5fe17ae5c38aad8a3
Score

1^/10
behavioral11 behavioral12

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Darkcomet

Modifies WinLogon for persistence

WarzoneRat, AveMaria

Async RAT payload

Warzone RAT Payload

Disables Task Manager via registry modification

Drops file in Drivers directory

Executes dropped EXE

Modifies Windows Firewall

Suspicious Office macro

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12