asyncrat | 9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4 | Triage

Submit
Reports

Overview

overview

Static

static

9349dedc83...b4.exe

windows7_x64

9349dedc83...b4.exe

windows10_x64

Sharing

General

Target

9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4
Size

3.5MB
Sample

201108-4smzmexdfj
MD5

182d028b33e65fb17d4a601cbfe38dff
SHA1

fdc5b33a43ca57abe13f5d03c429897cafddda5b
SHA256

9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4
SHA512

4cbe9456ecbab9674e8d168a306b2327d1eb57a0b98bcfe64bc84c371387dda8f4714ea128b8d98ba98c85b5b0b059c749cbf10fc5b8032874997125f1fc0de6

Score

10^/10

asyncrat darkcomet warzonerat 2020nov5 evasion infostealer persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe

Resource

win7v20201028

asyncrat darkcomet warzonerat 2020nov5 evasion infostealer persistence rat trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe

Resource

win10v20201028

asyncrat darkcomet warzonerat infostealer persistence rat trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

sandyclark255.hopto.org:5200

Extracted

Family

darkcomet

Botnet

2020NOV5

C2

sandyclark255.hopto.org:1605

Mutex

DC_MUTEX-XRQ89VC

Attributes

InstallPath
skypew.exe
gencode
pZP6alYpcpSq
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
skype

Extracted

Family

asyncrat

Version

0.5.6A

C2

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707

Mutex

adweqsds5

Attributes

aes_key
kv5uVyBGd24QqEsgPMVYkssYB7jsYam1
anti_detection
true
autorun
true
bdos
false
delay
host
sandyclark255.hopto.org
hwid
install_file
install_folder
%AppData%
mutex
adweqsds5
pastebin_config
null
port
6606,8808,7707
version
0.5.6A

aes.plain

Targets

- Target
  
  9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4
- Size
  
  3.5MB
- MD5
  
  182d028b33e65fb17d4a601cbfe38dff
- SHA1
  
  fdc5b33a43ca57abe13f5d03c429897cafddda5b
- SHA256
  
  9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4
- SHA512
  
  4cbe9456ecbab9674e8d168a306b2327d1eb57a0b98bcfe64bc84c371387dda8f4714ea128b8d98ba98c85b5b0b059c749cbf10fc5b8032874997125f1fc0de6
Score

10^/10

asyncrat darkcomet warzonerat 2020nov5 evasion infostealer persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Async RAT payload
  rat
- Warzone RAT Payload
  rat
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

asyncratdarkcometwarzonerat2020nov5evasioninfostealerpersistencerattrojan

behavioral2

asyncratdarkcometwarzoneratinfostealerpersistencerattrojan

© 2018-2024

Terms | Privacy