asyncrat | 166989f61fb157324d0c29d69d5aae0aa2a7813c9f4a0c1ab6506730dd66b434 | Triage

Submit
Reports

Overview

overview

Static

static

8

Quote Requ...20.xls

windows7_x64

Quote Requ...20.xls

windows10_x64

Sharing

General

Target

Quote Request October-2020.xls
Size

66KB
Sample

201028-b8m4ysyj82
MD5

57d2e6d7a94b56acfc61035d2577a86a
SHA1

69248b27552383513f0b4d5839a63386849217dd
SHA256

166989f61fb157324d0c29d69d5aae0aa2a7813c9f4a0c1ab6506730dd66b434
SHA512

04b171a580f5d46d82ceb5d6a73009bc8e3a289e75e592e1b0d5b83052a1f37221e3c197bf170da07fbebf7088fa7dfb044103890f127d0af45d2aba01800e2e

Score

10^/10

asyncrat evasion macro rat

Static task

static1

Behavioral task

behavioral1

Sample

Quote Request October-2020.xls

Resource

win7

asyncrat evasion rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Quote Request October-2020.xls

Resource

win10

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tinyurl.com/yxmkb9y9

Extracted

Family

asyncrat

Version

0.5.7B

C2

185.165.153.249:4371

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
ytMOQ9vVR8d56lQb8encn2IGn2i9oQc7
anti_detection
false
autorun
false
bdos
false
delay
Default
host
185.165.153.249
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
4371
version
0.5.7B

aes.plain

Targets

- Target
  
  Quote Request October-2020.xls
- Size
  
  66KB
- MD5
  
  57d2e6d7a94b56acfc61035d2577a86a
- SHA1
  
  69248b27552383513f0b4d5839a63386849217dd
- SHA256
  
  166989f61fb157324d0c29d69d5aae0aa2a7813c9f4a0c1ab6506730dd66b434
- SHA512
  
  04b171a580f5d46d82ceb5d6a73009bc8e3a289e75e592e1b0d5b83052a1f37221e3c197bf170da07fbebf7088fa7dfb044103890f127d0af45d2aba01800e2e
Score

10^/10

asyncrat evasion rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Looks for VirtualBox Guest Additions in registry
  evasion
- ServiceHost packer
  Detects ServiceHost packer used for .NET malware
- Blacklisted process makes network request
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

asyncratevasionrat

behavioral2

© 2018-2024

Terms | Privacy