asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

b8f76d9cd83557379f3fe8b5dd080f9a.exe
Size

274KB
Sample

210828-y33qc69azs
MD5

b8f76d9cd83557379f3fe8b5dd080f9a
SHA1

5420b910b3230a670a79a6193fc76a7864a51967
SHA256

a92eb964d56ff8dccb926598aca597a6244d10334f264aafcba9752a30dbe9b3
SHA512

bab66ea8ffc11c79f0312f3d551b6230ae3f7b79125121fd5af8e3310f967aef8b77bafa2552a2fdbd2b08024b5d8719ec3821e47e67ba42e5a66150c30594ac

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 500$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 15D-F13-28E Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Extracted

Family

redline

Botnet

Sergey

51.254.68.139:15009

Extracted

Family

redline

Botnet

superstar75737

95.181.152.190:33007

Extracted

Family

redline

Botnet

WORD1

94.26.249.88:1902

Extracted

Family

redline

Botnet

135.181.49.56:47634

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 500$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: BEB-200-31C Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

raccoon

Botnet

20d9c80657d1d0fda9625cbd629ba419b8a34404

Attributes

url4cnc
https://telete.in/hfuimoneymake

rc4.plain

Extracted

Family

redline

Botnet

1000

94.103.9.138:80

Targets

- Target
  
  b8f76d9cd83557379f3fe8b5dd080f9a.exe
- Size
  
  274KB
- MD5
  
  b8f76d9cd83557379f3fe8b5dd080f9a
- SHA1
  
  5420b910b3230a670a79a6193fc76a7864a51967
- SHA256
  
  a92eb964d56ff8dccb926598aca597a6244d10334f264aafcba9752a30dbe9b3
- SHA512
  
  bab66ea8ffc11c79f0312f3d551b6230ae3f7b79125121fd5af8e3310f967aef8b77bafa2552a2fdbd2b08024b5d8719ec3821e47e67ba42e5a66150c30594ac
Score

10^/10

asyncrat buran redline smokeloader stormkitty nn sergey superstar75737 word1 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer themida trojan raccoon 1000 20d9c80657d1d0fda9625cbd629ba419b8a34404
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
  ransomware buran
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Turns off Windows Defender SpyNet reporting
  evasion
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Async RAT payload
  rat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Nirsoft
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Uses the VBS compiler for execution
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2