asyncrat

Resubmissions

07-02-2022 00:34

220207-aw81qsdce2 10

Sharing

Copy URL

Twitter E-mail

General

Target

08d215fd35494280e6397e8bc527bd6de64eb78a73acd3bd07a01da376ed4cb7
Size

19.6MB
Sample

220207-aw81qsdce2
MD5

844d06a617687dec8baef97423d3a6e1
SHA1

ce4bf971d64c3dcb16b720b3291e5c34de91035f
SHA256

08d215fd35494280e6397e8bc527bd6de64eb78a73acd3bd07a01da376ed4cb7
SHA512

69858f7b1c715aeba871ed2e921242da970b1ef6f061c129e5ae2af15935aa44d91f3bd0c9abf2345969b3a36019bd6daa2a2a027cb3e12de96338a01439d469

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

001

45.67.231.52:81

Extracted

Family

redline

Botnet

1488

91.194.11.64:81

Extracted

Family

fickerstealer

109.234.35.192:80

Extracted

Family

raccoon

Version

1.7.2

Botnet

c6a0bbe2ae5d9a25bd8b22a8b362127290c5e84a

Attributes

url4cnc
https://telete.in/h_royal_1

rc4.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

shortcut2021.duckdns.org:6001

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Targets

- Target
  
  001.txt
- Size
  
  1.4MB
- MD5
  
  1cab063cc0c194cc5c81e71aad8a94e0
- SHA1
  
  bb4d5267f05e3e4f42ad7576f8a8e57a47da5653
- SHA256
  
  4ccc480c0ae855a876e266122a05dea65506fadedee20f1857525a41ef3932f8
- SHA512
  
  93fe579300d1db29f1b3ed75db9529d5bef48af1db8d947a9883e06e9c3a75ecf82f563dd163a333ad81562e95fd6c2d6d6f3f9f5fa05e0344ee85cd251365f3
Score

10^/10

redline 001 infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  1488.txt
- Size
  
  1.4MB
- MD5
  
  ce0f93d2bb7f18632d6695cf4800f436
- SHA1
  
  c36922e5580cf622752115f2c8fa95278ad455a7
- SHA256
  
  9624e9bf93ace2e4b9106fb1b30c1dfb9de68bf63f4fb9559f11078569fbe334
- SHA512
  
  df13fbc9df58029868f442b84f5b24cea6cab0fe019898dce524ed99876642db4ae0ad2226d35c7fa75f8a43644cfb36d3a9a4ad6c2bfe67ddd9709af604b99b
Score

10^/10

redline 1488 infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  1_cr.txt
- Size
  
  847KB
- MD5
  
  af067a53dcecb2f527a351a6491c56b9
- SHA1
  
  845f59d0324b2577979b51a8e66689f6f604ecde
- SHA256
  
  9cc9a90e31f1486a991360c25209f1b08aec5bd7e084de748e73ebef6deca38d
- SHA512
  
  e9cc332f2108be20acbdafe91a6ee8d489eddb05b752a05d5372a468ea6c95215ca06fb0881b49fc20fac9f0d602a665272b70997df4414ea98a016f60e4fd71
Score

5^/10
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  1cr.txt
- Size
  
  667KB
- MD5
  
  8c56ecce67e5e43e872863f41fe03eab
- SHA1
  
  ad4785bf01141163053f421d15fe76a460836c9b
- SHA256
  
  25eb1831bf580a45f9464bcf50ef2b3d35021f6eb5e42874b2dd8fd8544cf853
- SHA512
  
  63ade7eca68d011e979e2ff0568899136b3fec35370959fafe751edfff379e88b25431584e9cdc80c4d7354b9f6ed894ae4b9e6402d51a0af82f1544299c1a1c
Score

10^/10

fickerstealer infostealer
- Fickerstealer
  Ficker is an infostealer written in Rust and ASM.
  infostealer fickerstealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  1fc2d.txt
- Size
  
  3.5MB
- MD5
  
  8f94297c9a87de5c84a3c6b2d43a3809
- SHA1
  
  611cb3591c6a428f01f82c08c4bea4972635445f
- SHA256
  
  e1eda5c9ef3158ecc5dabc82b244def26c0a938c797a1c97752ff32505b0f048
- SHA512
  
  033e87be95251798d567dc80d2582880126372668dc021bd008be439d73768b94340301e1ceee3ed2833f73cc35fafc5b522147ddd25a3b685508cd3c363e4a5
Score

10^/10

shurk infostealer spyware stealer
- Shurk
  Shurk is an infostealer, written in C++ which appeared in 2021.
  infostealer shurk
- Shurk Stealer Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral9 behavioral10
- Target
  
  6e7_2021-01-19_18-04.txt
- Size
  
  509KB
- MD5
  
  d4827f2bb4c0446d1bba5df00c2436b8
- SHA1
  
  69db7a9dd71235671819472bf2d55bb3eeaf11ea
- SHA256
  
  235e42b187151383ebb91cb85af8500f19e18906bf57917fcf9e0da7004c86ff
- SHA512
  
  9c3429767a76dfcaeaf6bc1b032d71ddb04a6d7f2956eb390cde050e5965fc0e8d2affb3b31061307f76f68c9c0e90e7f3908a73081c044ff89de88ff92307a5
Score

10^/10

raccoon c6a0bbe2ae5d9a25bd8b22a8b362127290c5e84a stealer
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- Raccoon Stealer Payload
behavioral11 behavioral12
- Target
  
  Abjects.txt
- Size
  
  51KB
- MD5
  
  ce328046ab3836eef7177159d6e080af
- SHA1
  
  596a87e18b4d9789c6fd167ac90036560f4382bc
- SHA256
  
  f14535ebeec9ecd43865283cdbdcf4a29548055d64977da1d07255dd8bf00edf
- SHA512
  
  27edd18f8f14b63f4ff62ebb0c856590dd7c255fd8d1c025d0ab547761dc7b486b8dc559443ea324ada54019f17e11917fb1712eaa9de53797cb09f61b7db0a2
Score

4^/10
behavioral13 behavioral14
- Target
  
  BattleText.txt
- Size
  
  79KB
- MD5
  
  ac98d5e7f59a9feb167f01c6749baccb
- SHA1
  
  80be262b88d22230ebd7a44e03ddd810092fdfb5
- SHA256
  
  c7e4b8b9ded5df50dc1b2b8e6af95cb6cfb310c20be19c879c48a83371b345da
- SHA512
  
  6ff2a6713691b097ccd678f6275624ed88561aa4458a3d5e2b9bfece60d4cfccdf0c4a88aba0728569126648c1a93972c45807ae077c60203f1eee63f5bca368
Score

10^/10

asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Async RAT payload
  rat
- Drops startup file
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  HANS.txt
- Size
  
  481KB
- MD5
  
  1f0c86722e882c3a2e1b2aced5b338d6
- SHA1
  
  2a1c02f4dcd53906dda8703219b7505fad15df03
- SHA256
  
  1c83962ea10ce2aac61fe881ae8d79514148be5fc90c121a6fa285d6f640ee0c
- SHA512
  
  e38b5c86610a07e85247e9eb571aeb750e8f867d637ff0e40c1067720ac51a50c9dfe7942a0854a2bb2318ce747f449549818c23a9859b03a64a4376a6bc5439
Score

3^/10
behavioral17 behavioral18
- Target
  
  Hulu.txt
- Size
  
  1.4MB
- MD5
  
  64be5264f3a58325446865be38c05b34
- SHA1
  
  fdbad9468075747a4999b7b30fa7cb7b60fdcb4e
- SHA256
  
  561a8b830e902a0ba18457a0aa8db8a8c663de8ee33e6009f236cedff00f8cbb
- SHA512
  
  d48fac03082d1f12cf1d175978f64e9d2df467828601b34474c77bf139c6c0dae5002ad2f1e106c46e6fb6c4ef8083e011931a74dd0adcbb0a43cdeae16cd0d0
Score

8^/10
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  IntelFIVE.txt
- Size
  
  770KB
- MD5
  
  eb39c3a8f12a353ca9a0f64a2d2b9966
- SHA1
  
  8eca1c63a7110d2cc432e8e8e753462b26306fc4
- SHA256
  
  8060ecf4c1dc957aefdbfc835361541af83a9e5d6433f5abb073477c59f16e4c
- SHA512
  
  8423a45274f8f082805e5cd174abcd08b80c737b4ab3aa3a1669d862db2fa168893cec5d448650dd5bd70f5fd72f78febfc2fac57c88ebe2d14bd8575b6dd8d0
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral21 behavioral22
- Target
  
  IntelFOUR.txt
- Size
  
  741KB
- MD5
  
  6a845ba103296108ad6414a3c9217718
- SHA1
  
  f3a9926564a7eaa68bf1623ebe2f6ab21727a817
- SHA256
  
  6d915396aa09593693247c54c4a91feea691dc6e5f4ff234791a6193d2b5ac1b
- SHA512
  
  e538f72665e4dd956457dc0f526ad0b610e09a203f5f00943dda1793b8ef32a68d32a58ec241053cee8376ddf5fa14b473d2f7d1fc62e72f2071def5b873e893
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral23 behavioral24
- Target
  
  IntelONE.txt
- Size
  
  646KB
- MD5
  
  8e2288bfb74d2422ff22218f8210fd22
- SHA1
  
  c410f0f02896223cc74ca1262b955bb862cf2274
- SHA256
  
  5cbafb76c6a0e930414647523ffb4abe9d9ab7f41270ddf4c4ef5d9fd1f39346
- SHA512
  
  4b98bd5d727d127815a2f515388a9391e7240113c68eac95b39780b27d30e12a8c2d918537e612bb2e905404859284a54ea35bcf4ae5cc349529dafa3b5f01f7
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral25 behavioral26
- Target
  
  IntelTHREE.txt
- Size
  
  642KB
- MD5
  
  53f6085a88b29018218521fc53bfe959
- SHA1
  
  12431511010c77e08129ed808e507c5c761ab8b1
- SHA256
  
  7416875c44dab7adebe7e6809228adabe17c38abae4bf9c6d49c72fd967621e4
- SHA512
  
  b382297f90b596553f25f1b09c1630d124e3dec3f78c6721a1a1d35a57132d70bb719f428635f9e7c8cfe42660ef7975b4576f89783b45a631cf2ec2487efd59
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral27 behavioral28
- Target
  
  IntelTWO.txt
- Size
  
  603KB
- MD5
  
  d2054b1b66e0d190be9eb250fada79fa
- SHA1
  
  4828278c03885c1de97d601ddd2ee5a6267e73e2
- SHA256
  
  91b886840c7f674d17b48e5d2264228a55fe0f28e32e102c84dad5cca49ed807
- SHA512
  
  e1722f7b72b80e4a8a502c9b6678878757110226ca03083282604d70afa2c000fd87c91e59d40033f287ca58b734fca5760094ee69780ff7045b86f521f25c73
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral29 behavioral30
- Target
  
  Lucky_Fixed.exe
- Size
  
  267KB
- MD5
  
  c481259ad199b773339f168902cc7437
- SHA1
  
  4c9a81f2a9167f953109eddbd141ea8d078d13e9
- SHA256
  
  1da5a6aac7197d1fcadef018775831885b715d5c37a3115777dc5c717ce6e0da
- SHA512
  
  5bc8965e9aa550f3e37b312f3d4a6854b0002f42b5a111087a754e3ed7cdcf957b40f6bebc389b405317b46eeaed88132545732daac74723945591ae38cdcabf
Score

10^/10
- Suspicious use of NtCreateProcessExOtherParentProcess
behavioral31 behavioral32

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

RedLine

RedLine Payload

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

RedLine

RedLine Payload

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Fickerstealer

Looks up external IP address via web service

Suspicious use of SetThreadContext

Shurk

Shurk Stealer Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Checks computer location settings

Reads user/profile data of web browsers

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Raccoon

Raccoon Stealer Payload

Async RAT payload

Drops startup file

Suspicious use of SetThreadContext

Executes dropped EXE

Checks computer location settings

Drops startup file

Loads dropped DLL

Suspicious use of SetThreadContext

Checks computer location settings

Checks computer location settings

Checks computer location settings

Checks computer location settings

Checks computer location settings

Suspicious use of NtCreateProcessExOtherParentProcess

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30