asyncrat | 04c164391efcedd93b5c04dc137e8b80336265246fa15318a67d4b2d20bf257f | Triage

Submit
Reports

Overview

overview

Static

static

04C164391E...15.exe

windows7_x64

04C164391E...15.exe

windows10_x64

Sharing

General

Target

04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Size

770KB
Sample

210911-ht553abbb7
MD5

2f087c02e5a65fc3a150ba96ddde8a0f
SHA1

d8b02d1cd0d582b93866ea2e2da10cb148828566
SHA256

04c164391efcedd93b5c04dc137e8b80336265246fa15318a67d4b2d20bf257f
SHA512

86b078abb4270864802f0056c5657c82c2f375472d821fd888aa0252c10e270cba8beb5bc5063236d7c1192ccf573d7df7dec83ddf753638e96aa6d06f5c0edd

Score

10^/10

asyncrat darkcomet default sazan persistence rat spyware stealer trojan

Static task

static1

rat sazan asyncrat darkcomet

Behavioral task

behavioral1

Sample

04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe

Resource

win7v20210408

asyncrat darkcomet default sazan persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe

Resource

win10-en

asyncrat darkcomet default sazan persistence rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

marbeyli.duckdns.org:1604

Mutex

DC_MUTEX-D2KTVT9

Attributes

InstallPath
MSDCSC\svchost.exe
gencode
iGJFx2jaJsy3
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

marbeyli.duckdns.org:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Targets

- Target
  
  04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
- Size
  
  770KB
- MD5
  
  2f087c02e5a65fc3a150ba96ddde8a0f
- SHA1
  
  d8b02d1cd0d582b93866ea2e2da10cb148828566
- SHA256
  
  04c164391efcedd93b5c04dc137e8b80336265246fa15318a67d4b2d20bf257f
- SHA512
  
  86b078abb4270864802f0056c5657c82c2f375472d821fd888aa0252c10e270cba8beb5bc5063236d7c1192ccf573d7df7dec83ddf753638e96aa6d06f5c0edd
Score

10^/10

asyncrat darkcomet default sazan persistence rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies system executable filetype association
  persistence
- Async RAT payload
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Winlogon Helper DLL

Change Default File Association

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

ratsazanasyncratdarkcomet

behavioral1

asyncratdarkcometdefaultsazanpersistenceratspywarestealertrojan

behavioral2

asyncratdarkcometdefaultsazanpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy