asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

1.zip
Size

9.2MB
Sample

210720-5cqkd4tlh6
MD5

b058ec95cb680a10ef84508b3e59dcb0
SHA1

c2f5087a31b4724609fde3df3baba836a675b85d
SHA256

a1c7157e3d321dc5966c65601335e053edb2c4a1e6cf4f1f678b974a4f2dbf26
SHA512

d065692a5fac686a37bd93a609c7abc21574986a2097b91f28d6882f04bd38d5b81dd058176dc632bee913f5a2e172a03ada8c0d1b0bcbf0b5a82adb9d011c47

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.3

http://www.wwwgraciescottage.com/u9pi/

Decoy

balancerestoreomaha.com

allpurposepaintingservices.com

talsworldwide.com

specialforcesofindia.com

flaxx.life

taspate.com

88q858.com

parossunbed.com

pontacols.com

soulpowerlive.com

holowide.com

covidcustomdesigns.com

cleaner-solar.com

cnhy0769.com

gmb-marketing.com

thepassiveincomecreator.com

kate.chat

awkwardpeachfitness.com

lolly-bops.com

29752ellendale.com

Extracted

Family

asyncrat

Version

0.5.7B

akconsult.linkpc.net:9872

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
jbg9dRIOq1AGzwl8xmtPqGvO9dgNJ3ut
anti_detection
false
autorun
false
bdos
false
delay
Default
host
akconsult.linkpc.net
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
9872
version
0.5.7B

aes.plain

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Targets

- Target
  
  06ffb7bbd7dd6a47bd3fdb77f86e2bc3b3a9d0112496eed24f75581164da3906
- Size
  
  29KB
- MD5
  
  813a8c1617fcd75b4c86204db31ac3a2
- SHA1
  
  28c6565fc05fb1994b4e09d46174a718e27d2fb0
- SHA256
  
  06ffb7bbd7dd6a47bd3fdb77f86e2bc3b3a9d0112496eed24f75581164da3906
- SHA512
  
  5ba2bf056298ac50bdf845dd2bfe395e74a95b328d30f171f0b0ea5ce8b83961dbf18926c98c957e380ab05f89585f254615bdb1f2d50938efb312e934ac2620
Score

1^/10
behavioral1 behavioral2 behavioral3
- Target
  
  154080c5844ed76332320fcf3f1773391d80200f18f9025fd05b55b86f8ff795
- Size
  
  309KB
- MD5
  
  495a4543965b4a92c6314294b338602f
- SHA1
  
  a520425e51ae8211ddc85566111d204282e493df
- SHA256
  
  154080c5844ed76332320fcf3f1773391d80200f18f9025fd05b55b86f8ff795
- SHA512
  
  ddba1d22bb8cf1f4a0bc5dbc8c19087b908370d464b1a64683d69f5553a8da99650fe0ea0d88f5cfab14a37a0bfa5fdf0a9435d05a368efb40cb16c2ac4c9efb
Score

8^/10
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral4 behavioral5
- Target
  
  1650ced30cfb68451bb432b44f72fa93687d95d83f70fa039658d8cb665508c5
- Size
  
  132KB
- MD5
  
  5cd89c658d8ced22f44284039d906e7b
- SHA1
  
  24b071fd1f1adfa0b11864e21b2e8fa8487ddd2f
- SHA256
  
  1650ced30cfb68451bb432b44f72fa93687d95d83f70fa039658d8cb665508c5
- SHA512
  
  97675e272ae5bc40c35673a9bf8e9b1d90f9d9f817589ff84dc1da42e3d33f0678d383b8d4ab3b53495500be921466f411d05104a72f955f968b62425a293030
Score

1^/10
behavioral6 behavioral7
- Target
  
  1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a
- Size
  
  1.8MB
- MD5
  
  f268f8707a3c2a9a2ed4663e60c9cdc0
- SHA1
  
  c7ccc88111ad400b1ea72000c3179b1672c440b9
- SHA256
  
  1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a
- SHA512
  
  2947657f8bf3f9258eb221e348310035c1ee059cc4693864b2e97a531b2a5df08d7c151bf9e5c7b9bb55be7b6309a349323fe548984985e59cb8bca20c0b2b97
Score

8^/10

discovery spyware stealer
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral8 behavioral9
- Target
  
  ISSUES INVOICE E-4136 REV.1.exe
- Size
  
  646KB
- MD5
  
  02efae6482a081c221d846f386752d3a
- SHA1
  
  2c2dce7d34e81dd0329022ec41802ce8296a7ba7
- SHA256
  
  19f2101d500dfa2ba71baf220497fe8888667bb7d9c8cf4996087ff67c11d156
- SHA512
  
  00dd5efb9b60a914072f9f9c555da0c4ad3871bf74a14312e0429662f2aa55a75cd9352e49690e07478e4b079ffc9f7592bbda48c56027ecda6c714374f0b925
Score

10^/10

xloader loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Deletes itself
- Suspicious use of SetThreadContext
behavioral10 behavioral11
- Target
  
  350fbd43ce6f7d1d3d636aa5b94187d4dcc8e866527cfdc9c9ce226aea3500ed
- Size
  
  183KB
- MD5
  
  bb7cdbbb1f93dc2790fb8c73d31b73b3
- SHA1
  
  6b0be22eba71a02b37be9182abecafc37d362ed6
- SHA256
  
  350fbd43ce6f7d1d3d636aa5b94187d4dcc8e866527cfdc9c9ce226aea3500ed
- SHA512
  
  c83b9ec9d34a1e6446ec13d346246b3049f435924874c19cefd5bea18c6a002d5d22ed5b0955766678968d29907db21c739b1727ece7a141255215d867071384
Score

1^/10
behavioral12 behavioral13
- Target
  
  44faf11719b3a679e7a6dd5db40033ec4dd6e1b0361c145b81586cb735a64112
- Size
  
  31KB
- MD5
  
  3a3d600ad9c9615f18003620a1bf5f28
- SHA1
  
  7b3b3b8aa37ca78c46ec2774784cf51d190733e8
- SHA256
  
  44faf11719b3a679e7a6dd5db40033ec4dd6e1b0361c145b81586cb735a64112
- SHA512
  
  b534f6f93c6679f9cf24361f763859fce6d6fadc684e35de7f9e90f6c2b7427d54204e1e30818bfe67e18c8594cdfde8cd398900b1fbb94f413ea6624826dc67
Score

1^/10
behavioral14 behavioral15
- Target
  
  4853dc09bbd4a61610a354d5fcd0f9e376e284124c5ff949ba49457eed1f55f6
- Size
  
  3KB
- MD5
  
  b78d223c21397820b567ed288e87a190
- SHA1
  
  b9ec3ad1855866a29d9489ee40046f5d2a6f908d
- SHA256
  
  4853dc09bbd4a61610a354d5fcd0f9e376e284124c5ff949ba49457eed1f55f6
- SHA512
  
  b3636cb144329b661f72b04fdbdf5baa69372ae0cf904c14842346dffc7aad8d0be64eeaaae1fb85721b00e01cf19d92821fff198d1d92827dcd99e809c9dd15
Score

1^/10
behavioral16 behavioral17
- Target
  
  4ba637df90076330cdace697a87aafc6dd1d1b3a35b4ad924aad80aa7c3f4a9e
- Size
  
  28KB
- MD5
  
  5e6b9873eae9d5d03dbd86863d69fa56
- SHA1
  
  fca5ccf4ca1cfe33300fb2b38e181f0445af0555
- SHA256
  
  4ba637df90076330cdace697a87aafc6dd1d1b3a35b4ad924aad80aa7c3f4a9e
- SHA512
  
  0d532b6e7d47c16a9280b0442359fb5bf3343a84e4bc7dac57a612fdb6d627b16a13407faa0e92aa36682ca8ddbafcaa9ada50505a3dadcf3520cac2b9053c85
Score

1^/10
behavioral18 behavioral19 behavioral20
- Target
  
  4f8c1840d692d8248f3b7cb478acfbb7e65bdeecd64790a163eaa0db5592df06
- Size
  
  31KB
- MD5
  
  7838f6b70787d885e50db5bfee69eb06
- SHA1
  
  dda9f576f48b3427ecfbc249f88374d8caa25675
- SHA256
  
  4f8c1840d692d8248f3b7cb478acfbb7e65bdeecd64790a163eaa0db5592df06
- SHA512
  
  36d719a92c97be160e210c5d9b04f152860b2f3ef59a971a996cd9cde071538753a533a3d7a9841f01d64813d45b1af4003ba55b83e9659bc31cca0bfc740af0
Score

1^/10
behavioral21 behavioral22 behavioral23
- Target
  
  623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772
- Size
  
  841KB
- MD5
  
  7ef40963a365cadbbc01e789477f9e6a
- SHA1
  
  df6e734860b53d92611fc32fd353a8df4aa19cd8
- SHA256
  
  623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772
- SHA512
  
  505e784ec07b5e29f975ac016495a607713f6c1cf6a2d9c6e380873943dd3d64f0ec950cf5f8569a0cef69b88d1cfce1642cdb16a9d989a510e024c2494a2e01
Score

10^/10

asyncrat rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Async RAT payload
  rat
- Drops startup file
- Suspicious use of SetThreadContext
behavioral24 behavioral25
- Target
  
  65df637db227ff1685bdf82ab676de4ed70bffd4c96e6cde70d575217700083b
- Size
  
  7KB
- MD5
  
  c0027c8a26253ea4cedfdf491ab02bda
- SHA1
  
  5d1399ec9e338903cc0db2cba2e396326d0be5d6
- SHA256
  
  65df637db227ff1685bdf82ab676de4ed70bffd4c96e6cde70d575217700083b
- SHA512
  
  4f1ece9f55b1d7d055a842055d4c995352c454eb8a27530d588334943d6f8863d2e1e550e09b57b8cd6a73f177f528071461a6210bd1c2b93e55ad577ed17a5e
Score

1^/10
behavioral26 behavioral27 behavioral28
- Target
  
  717ad3ee2b9ae94aac5bd01bce9bb945d8c620e3a60f241864dede3646f3dd47
- Size
  
  594KB
- MD5
  
  18104d225266e7754f27a413323425c4
- SHA1
  
  8e49c7b8ac4d81e757d919f545408e07eaba10c9
- SHA256
  
  717ad3ee2b9ae94aac5bd01bce9bb945d8c620e3a60f241864dede3646f3dd47
- SHA512
  
  c96470045de5f84defb435d6b8fb127fc48b5a5b930507e9bdf6650015e36fd31bd1be57f22723cd202caaf27d987c4ede2aa7c9be7f22d1b9ae776f3d3a5c33
Score

10^/10

trickbot zev1 banker trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral29 behavioral30
- Target
  
  71ba20bdd899fde2a4e2967bc6c719f2c96146cc80c3dd8953431cb82d4df199
- Size
  
  81KB
- MD5
  
  059e79d36927bb230e90376aa7528015
- SHA1
  
  2448b57e97a917d01993c89b901ad2c21d413792
- SHA256
  
  71ba20bdd899fde2a4e2967bc6c719f2c96146cc80c3dd8953431cb82d4df199
- SHA512
  
  667451539ea0809ba9de6ea23d703d8641bf3d3df417fc0c48a13584b5cc6d3f1fc97468af98c3f8dbc73d4ed79e3f52aaee372a4a2f0d77019ba9328ec345fc
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Process spawned suspicious child process
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Blocklisted process makes network request

Loads dropped DLL

Enumerates connected drives

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Xloader

Xloader Payload

Deletes itself

Suspicious use of SetThreadContext

Async RAT payload

Drops startup file

Suspicious use of SetThreadContext

Trickbot

Looks up external IP address via web service

Process spawned unexpected child process

Blocklisted process makes network request

Process spawned suspicious child process

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32