asyncrat

General

Target

b628fc267d7a45f2fc59e9f9ae9a7b26.exe
Size

352KB
Sample

220119-psbndshfh9
MD5

b628fc267d7a45f2fc59e9f9ae9a7b26
SHA1

b6eae181f7969b2e1e1b35d5878ff73eba7be16a
SHA256

5bcc4adc07ee34b43752fb0fb97b1ab8291e0a840f77ff0895a49965cf3638c2
SHA512

5e86bea42863fd06255fe7ce4e847ea07d3f4e7fa267f8e2fe2844637dc9facc81b4b675c17152d95abb16936f00caa3e08f982ad8e317708e6018086e5f3b78

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Old Torrents

C2

null:null

Mutex

DcRatMutex_VFSVDSDVSDVS

Attributes

anti_vm
false
bsod
false
delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/CSbtWBfW

aes.plain

Extracted

Family

smokeloader

Version

2020

C2

http://greenco2020.top/

http://greenco2021.top/

http://greenco2022.top/

rc4.i32

Targets

- Target
  
  b628fc267d7a45f2fc59e9f9ae9a7b26.exe
- Size
  
  352KB
- MD5
  
  b628fc267d7a45f2fc59e9f9ae9a7b26
- SHA1
  
  b6eae181f7969b2e1e1b35d5878ff73eba7be16a
- SHA256
  
  5bcc4adc07ee34b43752fb0fb97b1ab8291e0a840f77ff0895a49965cf3638c2
- SHA512
  
  5e86bea42863fd06255fe7ce4e847ea07d3f4e7fa267f8e2fe2844637dc9facc81b4b675c17152d95abb16936f00caa3e08f982ad8e317708e6018086e5f3b78
Score

10^/10

asyncrat smokeloader old torrents backdoor bootkit discovery evasion persistence rat spyware stealer themida trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Modifies WinLogon for persistence
  persistence
- Registers COM server for autorun
  persistence
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Async RAT payload
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1