asyncrat | ebd7809cacae62bc94dfb8077868f53d53beb0614766213d48f4385ed09c73a6 | Triage

Submit
Reports

Overview

overview

Static

static

charters d...df.vbs

windows7_x64

1

charters d...df.vbs

windows10-2004_x64

Sharing

General

Target

charters details.pdf.vbs
Size

749B
Sample

220119-wdqx4acadk
MD5

e16c8a204a76ec2ca481bdfcc90d4fc2
SHA1

f1ec56e72c644a587af18cad25459f9b6426be75
SHA256

ebd7809cacae62bc94dfb8077868f53d53beb0614766213d48f4385ed09c73a6
SHA512

9ee20bdcaafe0a5a2d3c5c24bd56aa27c2b0861efe2f7b729763bb978e6552baf92eb544f2491a90ae9cdc31760bd0d0e8d834aed4b2b76863467a52daf6100b

Score

10^/10

asyncrat default persistence rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

charters details.pdf.vbs

Resource

win7-es-20211208

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

charters details.pdf.vbs

Resource

win10v2004-es-20220112

asyncrat default persistence rat suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

tq744.publicvm.com:1846

Mutex

DcRatMutex_qwqdanchun

Attributes

anti_vm
false
bsod
false
delay
1
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Targets

- Target
  
  charters details.pdf.vbs
- Size
  
  749B
- MD5
  
  e16c8a204a76ec2ca481bdfcc90d4fc2
- SHA1
  
  f1ec56e72c644a587af18cad25459f9b6426be75
- SHA256
  
  ebd7809cacae62bc94dfb8077868f53d53beb0614766213d48f4385ed09c73a6
- SHA512
  
  9ee20bdcaafe0a5a2d3c5c24bd56aa27c2b0861efe2f7b729763bb978e6552baf92eb544f2491a90ae9cdc31760bd0d0e8d834aed4b2b76863467a52daf6100b
Score

10^/10

asyncrat default persistence rat suricata
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Registers COM server for autorun
  persistence
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
  suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
  suricata
- Async RAT payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

asyncratdefaultpersistenceratsuricata

© 2018-2024

Terms | Privacy