asyncrat

General

Target

2eaf147e46a106eaf7a6c8e618060e2f.exe
Size

817KB
Sample

210723-94ynslz13x
MD5

2eaf147e46a106eaf7a6c8e618060e2f
SHA1

b3419edba9585c0b5a9a3ece82592cb9893ae17e
SHA256

367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07
SHA512

71e172b10385b62c242208079da62b4d8a39422d9762e3164fe5ae2edbc7413386d7a3dc8fc1f8c4562d1b45bf6fa099adc4d7dcdbf73a63d860f26f8c39aa56

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.7B

C2

omomom.ac.ug:6970

omkarusdajvc.ac.ug:6970

Mutex

6SI8OkPnkxzcasd

Attributes

aes_key
sEiaxlqpFmHMU8l5j0Ycz8apFoEBTERY
anti_detection
false
autorun
false
bdos
false
delay
XX
host
omomom.ac.ug,omkarusdajvc.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
6SI8OkPnkxzcasd
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Extracted

Family

oski

C2

danielmax.ac.ug

Targets

- Target
  
  2eaf147e46a106eaf7a6c8e618060e2f.exe
- Size
  
  817KB
- MD5
  
  2eaf147e46a106eaf7a6c8e618060e2f
- SHA1
  
  b3419edba9585c0b5a9a3ece82592cb9893ae17e
- SHA256
  
  367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07
- SHA512
  
  71e172b10385b62c242208079da62b4d8a39422d9762e3164fe5ae2edbc7413386d7a3dc8fc1f8c4562d1b45bf6fa099adc4d7dcdbf73a63d860f26f8c39aa56
Score

10^/10

asyncrat azorult bitrat oski discovery evasion infostealer persistence rat spyware stealer suricata trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- BitRAT Payload
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1
  suricata
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M16
  suricata
- Async RAT payload
  rat
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2